fix(github-actions): rework token revoke mechanism to not rely on post run

Currently Github actions acquire tokens from the secrets for an app
installation. The actions can operate on repositories using this token.

Later, as a Github action (separate step) we attempt to revoke the
token. This does not work at all, and never did, because the previously
used installation Github token is not known in the post step, so the
post step always failed.

We rework this to always revoke the token as part of the Node process
where we acquired the installation token.

Author: devversion

github-actions/commit-message-based-labels/BUILD.bazel

@@ -1,14 +1,5 @@
 load("//tools:defaults.bzl", "esbuild_checked_in")
 
-esbuild_checked_in(
-    name = "post",
-    entry_point = "//github-actions/commit-message-based-labels/lib:post.ts",
-    target = "node16",
-    deps = [
-        "//github-actions/commit-message-based-labels/lib",
-    ],
-)
-
 esbuild_checked_in(
     name = "main",
     entry_point = "//github-actions/commit-message-based-labels/lib:main.ts",

github-actions/commit-message-based-labels/action.yml

@@ -8,4 +8,3 @@ inputs:
 runs:
   using: 'node16'
   main: 'main.js'
-  post: 'post.js'

github-actions/commit-message-based-labels/lib/BUILD.bazel

@@ -4,7 +4,6 @@ package(default_visibility = ["//github-actions/commit-message-based-labels:__su
 
 exports_files([
     "main.ts",
-    "post.ts",
 ])
 
 ts_library(

github-actions/commit-message-based-labels/lib/main.ts

@@ -3,17 +3,30 @@ import {context} from '@actions/github';
 import {Octokit} from '@octokit/rest';
 import {parseCommitMessage} from '../../../ng-dev/commit-message/parse.js';
 import {breakingChangeLabel, deprecationLabel} from '../../../ng-dev/pr/config/index.js';
-import {ANGULAR_ROBOT, getAuthTokenFor} from '../../utils.js';
+import {ANGULAR_ROBOT, getAuthTokenFor, revokeActiveInstallationToken} from '../../utils.js';
 
 /** List of supported label and commit message attribute combinations. */
 const supportedLabels = [
   [breakingChangeLabel, 'breakingChanges'],
   [deprecationLabel, 'deprecations'],
 ] as const;
 
-async function run(): Promise<void> {
-  const token = await getAuthTokenFor(ANGULAR_ROBOT);
-  const client = new Octokit({auth: token});
+async function main() {
+  let installationClient: Octokit | null = null;
+
+  try {
+    const token = await getAuthTokenFor(ANGULAR_ROBOT);
+    installationClient = new Octokit({auth: token});
+
+    await runCommitMessageBasedLabelsAction(installationClient);
+  } finally {
+    if (installationClient !== null) {
+      await revokeActiveInstallationToken(installationClient);
+    }
+  }
+}
+
+async function runCommitMessageBasedLabelsAction(client: Octokit): Promise<void> {
   const {number, owner, repo} = context.issue;
   /** Labels currently applied to the PR. */
   const labels = await (
@@ -57,7 +70,10 @@ async function run(): Promise<void> {
 // Only run if the action is executed in a repository within the Angular org. This is in place
 // to prevent the action from actually running in a fork of a repository with this action set up.
 if (context.repo.owner === 'angular') {
-  run();
+  main().catch((e: Error) => {
+    core.error(e);
+    core.setFailed(e.message);
+  });
 } else {
   core.warning(
     'Automatic labeling was skipped as this action is only meant to run ' +