Parse and validate the apps input

action.yml

@@ -1,6 +1,14 @@
 name: Provision GitHub Tokens
 description: Declare GitHub tokens in your repos, and rotate them automatically
 author: Ghalactic
+inputs:
+  apps:
+    description: >-
+      Apps to use for provisioning tokens, encoded as a YAML (or JSON) array.
+      The schema at
+      https://ghalactic.github.io/provision-github-tokens/schema/apps.v1.schema.json
+      can be used to validate the input.
+    required: true
 branding:
   icon: key
   color: blue

package.json

@@ -7,10 +7,14 @@
   },
   "dependencies": {
     "@actions/core": "^1.10.1",
+    "ajv": "^8.17.1",
+    "js-yaml": "^4.1.0",
     "regexp.escape": "^2.0.1"
   },
   "devDependencies": {
     "@octokit/types": "^13.5.0",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^22.5.0",
     "@vitest/coverage-v8": "^2.0.5",
     "esbuild": "^0.23.1",
     "prettier": "^3.3.3",

src/config/apps-input.ts

@@ -0,0 +1,26 @@
+import { getInput } from "@actions/core";
+import { load } from "js-yaml";
+import { errorMessage } from "../error.js";
+import type { AppInput } from "../type/input.js";
+import { validateApps } from "./validation.js";
+
+export function readAppsInput(): AppInput[] {
+  const yaml = getInput("apps");
+  let parsed;
+
+  try {
+    parsed = load(yaml);
+  } catch (error) {
+    throw new Error(
+      `Parsing of apps action input failed: ${errorMessage(error)}`,
+    );
+  }
+
+  try {
+    return validateApps(parsed);
+  } catch (error) {
+    throw new Error(
+      `Validation of apps action input failed: ${errorMessage(error)}`,
+    );
+  }
+}

src/config/validation.ts

@@ -0,0 +1,66 @@
+import ajvModule, { ErrorObject } from "ajv";
+import appsSchema from "../schema/apps.v1.schema.json";
+import type { AppInput } from "../type/input.js";
+
+// see https://github.com/ajv-validator/ajv/issues/2132
+const Ajv = ajvModule.default;
+
+const ajv = new Ajv({
+  schemas: [appsSchema],
+  allErrors: true,
+  useDefaults: true,
+});
+
+export const validateApps = createValidate<AppInput[]>(
+  appsSchema.$id,
+  "apps input",
+);
+
+class ValidateError extends Error {
+  public errors: ErrorObject[];
+
+  constructor(message: string, errors: ErrorObject[]) {
+    super(message);
+
+    this.errors = errors;
+  }
+}
+
+function createValidate<T>(
+  schemaId: string,
+  label: string,
+): (value: unknown) => T {
+  return function validate(value) {
+    const validator = ajv.getSchema(schemaId);
+
+    /* v8 ignore start */
+    if (!validator) {
+      throw new Error(`Invariant violation: Undefined schema ${schemaId}`);
+    }
+    /* v8 ignore stop */
+
+    if (validator(value)) return value as T;
+
+    /* v8 ignore start - never seen errors be nullish */
+    const errors = validator.errors ?? [];
+    /* v8 ignore stop */
+
+    const error = new ValidateError(
+      `Invalid ${label}:\n${renderErrors(errors)}`,
+      errors,
+    );
+
+    throw error;
+  };
+}
+
+function renderErrors(errors: ErrorObject[]): string {
+  return `  - ${errors.map(renderError).join("\n  - ")}\n`;
+}
+
+function renderError(error: ErrorObject): string {
+  const { instancePath, message } = error;
+  const subject = instancePath && ` (${instancePath})`;
+
+  return `${message}${subject}`;
+}

src/error.ts

@@ -0,0 +1,11 @@
+export function errorMessage(error: unknown): string {
+  /* v8 ignore start - never seen non-error */
+  return error instanceof Error ? error.message : "unknown cause";
+  /* v8 ignore stop */
+}
+
+export function errorStack(error: unknown): string {
+  /* v8 ignore start - never seen non-error */
+  return (error instanceof Error ? error.stack : undefined) ?? "unknown cause";
+  /* v8 ignore stop */
+}

src/main.ts

@@ -1,9 +1,8 @@
 import { info, setFailed } from "@actions/core";
-import { isError } from "./guard.js";
+import { errorStack } from "./error.js";
 
 main().catch((error) => {
-  const stack = isError(error) ? error.stack : undefined;
-  setFailed(stack ?? "unknown cause");
+  setFailed(errorStack(error) ?? "unknown cause");
 });
 
 async function main(): Promise<void> {

src/schema/apps.v1.schema.json

@@ -0,0 +1,35 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://ghalactic.github.io/provision-github-tokens/schema/apps.v1.schema.json",
+  "title": "Provision GitHub Tokens (apps)",
+  "description": "Apps to use for provisioning tokens.",
+  "type": "array",
+  "items": {
+    "description": "An app to use for provisioning tokens.",
+    "type": "object",
+    "additionalProperties": false,
+    "required": ["appId", "privateKey"],
+    "properties": {
+      "appId": {
+        "description": "The GitHub app ID.",
+        "type": "integer"
+      },
+      "privateKey": {
+        "description": "The GitHub app private key in PEM format.",
+        "type": "string",
+        "minLength": 1
+      },
+      "roles": {
+        "description": "The roles of the app.",
+        "type": "array",
+        "uniqueItems": true,
+        "default": [],
+        "items": {
+          "description": "An app role.",
+          "type": "string",
+          "minLength": 1
+        }
+      }
+    }
+  }
+}

src/type/input.ts

@@ -0,0 +1,5 @@
+export type AppInput = {
+  appId: number;
+  privateKey: string;
+  roles: string[];
+};