App token seems to expire after 1h

[EnviousSwan]

When running Scala Steward using GitHub app in an org after exactly 1 hour of running the workflow, I get the following error for every single repository that's left on the list:

UnexpectedResponse

org.scalasteward.core.util.UnexpectedResponse: uri: https://api.github.com/repos/***/***
method: GET
status: 401 Unauthorized
headers:
  access-control-allow-origin: *
  access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
  content-length: 95
  content-security-policy: default-src 'none'
  content-type: application/json; charset=utf-8
  date: Thu, 08 Aug 2024 17:11:43 GMT
  referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
  server: github.com
  strict-transport-security: max-age=31536000; includeSubdomains; preload
  vary: Accept-Encoding, Accept, X-Requested-With
  x-content-type-options: nosniff
  x-frame-options: deny
  x-github-media-type: github.v3
  x-github-request-id: 2411:94E70:A86D196:13D67473:66B4FC4F
  x-ratelimit-limit: 60
  x-ratelimit-remaining: 56
  x-ratelimit-reset: 1723140703
  x-ratelimit-resource: core
  x-ratelimit-used: 4
  x-xss-protection: 0
body: {"message":"Bad credentials","documentation_url":"https://docs.github.com/rest","status":"401"}

I reached out to GitHub Support team, and they confirmed my suspicions about token expiry:

We apologize for the inconvenience this is causing. Indeed, when authenticating as an app installation via an installation access token (using that installation access token in the Authorization header of a REST API or GraphQL API request), the installation access token will expire after 1 hour. Unfortunately, dynamically altering the expiration time of GitHub app tokens is currently not possible. We see there is an internal feature request open for this, although we would set expectations that it's currently not under active development.

After some googling around I also found a similar issue for create-github-app-token

• Token seems to expire after 1h actions/create-github-app-token#121

So maybe we can try some of the suggested solutions from here

For long-running processes, I usually write my actions to accept the app ID and private key. If you build your action in JS/TS, you can use the App constructor which provides lots of helpful APIs: https://github.com/octokit/octokit.js?tab=readme-ov-file#app-client. If you use the app.getInstallationOctokit(installationId) API, the returned octokit instance will auto-renew the installation access token.

If you want something lower-level, you can use @octokit/auth-app: https://github.com/octokit/auth-app.js?tab=readme-ov-file#authenticate-as-installation. When you use the authentication strategy with an Octokit constructor, it will auto-renew the installation access token as well.

[alejandrohdezma]

Hey @EnviousSwan. Thanks for that, it is indeed an issue. I'll try to take a look at it when I have some bandwidth. In the meantime I'll be happy to review any PR with such an improvement 😊

[EnviousSwan]

Another possible workaround in the meantime could be saving cache for repos that were updated successfully and putting that saveWorkspaceCache in a finally statement. That way cache can build up gradually, so scala-steward doesn't need to go through them during the next run 🤔

scala-steward-action/src/action/main.ts

Lines 86 to 89 in efadf84

	await workspace.saveWorkspaceCache()
	} catch (error: unknown) {
	core.setFailed(` ✕ ${(error as Error).message}`)
	}

[EnviousSwan]

Hey @alejandrohdezma I've created PRs that should address both issues ✅

• Save workspace cache when run failed #631
• Refresh token every 50 minutes #633