actions · parkerbxyz · Mar 13, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - beta
   pull_request:
   workflow_dispatch:
 
@@ -33,7 +34,7 @@ jobs:
     name: End-to-End
     runs-on: ubuntu-latest
     # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
@@ -54,3 +55,28 @@ jobs:
         with:
           route: GET /installation/repositories
       - run: echo '${{ steps.get-repository.outputs.data }}'
+
+  end-to-end-proxy:
+    name: End-to-End with unreachable proxy
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run build
+      - uses: ./ # Uses the action in the root directory
+        continue-on-error: true
+        id: test
+        env:
+          NODE_USE_ENV_PROXY: "1"
+          https_proxy: http://127.0.0.1:9
+        with:
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+      - name: Assert action failed through unreachable proxy
+        run: test "${{ steps.test.outcome }}" = "failure"
diff --git a/README.md b/README.md
@@ -15,6 +15,24 @@ In order to use this action, you need to:
 > [!IMPORTANT]  
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
 
+### Proxy support
+
+This action relies on Node.js native proxy support.
+
+If you set `HTTP_PROXY`, `HTTPS_PROXY`, or `NO_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables.
+
+```yaml
+- uses: actions/create-github-app-token@v3
+  id: app-token
+  env:
+    HTTPS_PROXY: http://proxy.example.com:8080
+    NO_PROXY: github.example.com
+    NODE_USE_ENV_PROXY: "1"
+  with:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.PRIVATE_KEY }}
+```
+
 ### Create a token for the current repository
 
 ```yaml

diff --git a/dist/main.cjs b/dist/main.cjs
@@ -22233,6 +22233,26 @@ async function getTokenFromRepository(request2, auth5, parsedOwner, parsedReposi
 // lib/request.js
 var import_core = __toESM(require_core(), 1);
 var baseUrl = import_core.default.getInput("github-api-url").replace(/\/$/, "");
+var proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY"
+];
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
+  }
+  throw new Error(
+    "HTTP_PROXY or HTTPS_PROXY is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step."
+  );
+}
 var request_default = request.defaults({
   headers: { "user-agent": "actions/create-github-app-token" },
   baseUrl
@@ -22245,6 +22265,7 @@ if (!process.env.GITHUB_REPOSITORY) {
 if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
+ensureNativeProxySupport();
 var appId = import_core2.default.getInput("app-id");
 var privateKey = import_core2.default.getInput("private-key");
 var owner = import_core2.default.getInput("owner");

diff --git a/dist/post.cjs b/dist/post.cjs
@@ -20485,12 +20485,33 @@ var request = withDefaults2(endpoint, defaults_default);
 
 // lib/request.js
 var baseUrl = import_core.default.getInput("github-api-url").replace(/\/$/, "");
+var proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY"
+];
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
+  }
+  throw new Error(
+    "HTTP_PROXY or HTTPS_PROXY is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step."
+  );
+}
 var request_default = request.defaults({
   headers: { "user-agent": "actions/create-github-app-token" },
   baseUrl
 });
 
 // post.js
+ensureNativeProxySupport();
 post(import_core2.default, request_default).catch((error) => {
   console.error(error);
   import_core2.default.setFailed(error.message);

diff --git a/lib/request.js b/lib/request.js
@@ -4,6 +4,31 @@ import { request } from "@octokit/request";
 // Get the GitHub API URL from the action input and remove any trailing slash
 const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
 
+const proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY",
+];
+
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}
+
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+
+export function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
+  }
+
+  throw new Error(
+    "HTTP_PROXY or HTTPS_PROXY is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
+  );
+}
+
 // Configure the default settings for GitHub API requests
 export default request.defaults({
   headers: { "user-agent": "actions/create-github-app-token" },

diff --git a/main.js b/main.js
@@ -5,7 +5,7 @@ import { createAppAuth } from "@octokit/auth-app";
 
 import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,6 +15,8 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
+ensureNativeProxySupport();
+
 const appId = core.getInput("app-id");
 const privateKey = core.getInput("private-key");
 const owner = core.getInput("owner");

diff --git a/post.js b/post.js
@@ -3,7 +3,9 @@
 import core from "@actions/core";
 
 import { post } from "./lib/post.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
+
+ensureNativeProxySupport();
 
 post(core, request).catch((error) => {
   /* c8 ignore next 3 */

diff --git a/tests/index.js b/tests/index.js
@@ -21,6 +21,14 @@ for (const file of testFiles) {
     const env = {
       GITHUB_OUTPUT: undefined,
       GITHUB_STATE: undefined,
+      HTTP_PROXY: undefined,
+      HTTPS_PROXY: undefined,
+      http_proxy: undefined,
+      https_proxy: undefined,
+      NO_PROXY: undefined,
+      no_proxy: undefined,
+      NODE_OPTIONS: undefined,
+      NODE_USE_ENV_PROXY: undefined,
     };
     const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
     t.snapshot(stderr, "stderr");

diff --git a/tests/main-proxy-requires-native-support.test.js b/tests/main-proxy-requires-native-support.test.js
@@ -0,0 +1,9 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}
diff --git a/tests/post-proxy-requires-native-support.test.js b/tests/post-proxy-requires-native-support.test.js
@@ -0,0 +1,8 @@
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+try {
+  await import("../post.js");
+} catch (error) {
+  console.error(error.message);
+}
diff --git a/tests/snapshots/index.js.md b/tests/snapshots/index.js.md
@@ -82,6 +82,16 @@ Generated by [AVA](https://avajs.dev).
     POST /app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"]}`
 
+## main-proxy-requires-native-support.test.js
+
+> stderr
+
+    'HTTP_PROXY or HTTPS_PROXY is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
+
+> stdout
+
+    ''
+
 ## main-repo-skew.test.js
 
 > stderr
@@ -333,6 +343,16 @@ Generated by [AVA](https://avajs.dev).
     POST /app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
 
+## post-proxy-requires-native-support.test.js
+
+> stderr
+
+    'HTTP_PROXY or HTTPS_PROXY is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
+
+> stdout
+
+    ''
+
 ## post-revoke-token-fail-response.test.js
 
 > stderr

diff --git a/tests/snapshots/index.js.snap b/tests/snapshots/index.js.snap