refactor: migrate to zod v4

Author: qoomon

action/dist/main/index.js

@@ -18,7 +18,7 @@
     "@smithy/signature-v4": "^5.1.1",
     "ts-node": "^10.9.2",
     "yaml": "^2.8.0",
-    "zod": "^3.25.75"
+    "zod": "^4.0.5"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.3.1",

action/package-lock.json

@@ -16,7 +16,7 @@ runAction(async () => {
   const input = {
     scope: z.enum(['repos', 'owner'])
         .parse(getInput('scope')),
-    permissions: z.record(z.string())
+    permissions: z.record(z.string(), z.string())
         .parse(getYamlInput('permissions', {required: true})),
     repository: getInput('repository'),
     repositories: z.array(z.string()).default([])

action/package.json

@@ -22,7 +22,7 @@
     "hono": "^4.8.5",
     "pino": "^9.7.0",
     "yaml": "^2.8.0",
-    "zod": "^3.25.75"
+    "zod": "^4.0.5"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20250712.0",

action/src/action-main.ts

@@ -116,11 +116,6 @@ export async function accessTokenManager(options: {
       }
     }
 
-    const appInstallationClient = await createOctokit(GITHUB_APP_CLIENT, appInstallation, {
-      // single_file to read access policy files
-      permissions: {single_file: 'read'},
-    });
-
     // === verify requested token permissions against app installation permissions =====================================
     {
       const requestedAppInstallationPermissions = verifyPermissions({
@@ -144,6 +139,11 @@ export async function accessTokenManager(options: {
       }
     }
 
+    const appInstallationClient = await createOctokit(GITHUB_APP_CLIENT, appInstallation, {
+      // single_file to read access policy files
+      permissions: {single_file: 'read'},
+    });
+
     // --- load owner access policy ----------------------------------------------------------------------------------
     const ownerAccessPolicy = await getOwnerAccessPolicy(appInstallationClient, {
       owner: tokenRequest.owner,
@@ -584,7 +584,7 @@ async function getAccessPolicy<T extends typeof GitHubAccessPolicySchema>(client
     const issues = policyParseResult.error.issues.map(formatZodIssue);
     throw new GithubAccessPolicyError(`Invalid access policy`, issues);
   }
-  const policy: GitHubAccessPolicy = policyParseResult.data;
+  const policy = policyParseResult.data;
 
   const expectedPolicyOrigin = `${owner}/${repo}`;
   if (policy.origin.toLowerCase() !== expectedPolicyOrigin.toLowerCase()) {
@@ -1035,31 +1035,35 @@ const GitHubBaseStatementSchema = z.strictObject({
   subjects: z.array(GitHubSubjectClaimSchema),
 });
 
-const GitHubAccessStatementSchema = GitHubBaseStatementSchema.merge(z.strictObject({
+const GitHubAccessStatementSchema = z.strictObject({
+  ...GitHubBaseStatementSchema.shape,
   permissions: GitHubAppPermissionsSchema,
-}));
+});
 type GitHubAccessStatement = z.infer<typeof GitHubAccessStatementSchema>;
 
-const GitHubRepositoryAccessStatementSchema = GitHubBaseStatementSchema.merge(z.strictObject({
+const GitHubRepositoryAccessStatementSchema = z.strictObject({
+  ...GitHubBaseStatementSchema.shape,
   permissions: GitHubAppRepositoryPermissionsSchema,
-}));
+});
 export type GitHubRepositoryAccessStatement = z.infer<typeof GitHubRepositoryAccessStatementSchema>;
 
 const GitHubAccessPolicySchema = z.strictObject({
   origin: GitHubRepositorySchema,
 });
 export type GitHubAccessPolicy = z.infer<typeof GitHubAccessPolicySchema>;
 
-const GitHubOwnerAccessPolicySchema = GitHubAccessPolicySchema.merge(z.strictObject({
+const GitHubOwnerAccessPolicySchema = z.strictObject({
+  ...GitHubAccessPolicySchema.shape,
   'allowed-subjects': z.array(GitHubSubjectClaimSchema).optional(),
   'statements': z.array(GitHubAccessStatementSchema).optional().default([]),
   'allowed-repository-permissions': GitHubAppRepositoryPermissionsSchema.optional().default({}),
-}));
+});
 export type GitHubOwnerAccessPolicy = z.infer<typeof GitHubOwnerAccessPolicySchema>;
 
-const GitHubRepositoryAccessPolicySchema = GitHubAccessPolicySchema.merge(z.strictObject({
+const GitHubRepositoryAccessPolicySchema = z.strictObject({
+  ...GitHubAccessPolicySchema.shape,
   statements: z.array(GitHubRepositoryAccessStatementSchema).optional().default([]),
-}));
+});
 export type GitHubRepositoryAccessPolicy = z.infer<typeof GitHubRepositoryAccessPolicySchema>;
 
 

server/package-lock.json

@@ -188,6 +188,10 @@ const AccessTokenRequestBodySchema = z.strictObject({
   owner: GitHubRepositoryOwnerSchema.optional(),
   scope: z.enum(['repos', 'owner']).default('repos'),
   permissions: GitHubAppPermissionsSchema,
-  repositories: z.array(z.union([GitHubRepositoryNameSchema, GitHubRepositorySchema])).default([]),
+  repositories: z.array(z.union([
+        GitHubRepositoryNameSchema,
+        GitHubRepositorySchema,
+      ], {error: `Invalid repository`}),
+  ).default([]),
 });
 type AccessTokenRequestBody = z.infer<typeof AccessTokenRequestBodySchema>;

server/package.json

@@ -1,7 +1,6 @@
 import {components} from '@octokit/openapi-types';
 import {z} from 'zod';
 import {mapObjectEntries, tuplesOf} from './common-utils.js';
-import {zStringRegex} from './zod-utils.js';
 
 // --- Functions -------------------------------------------------------------------------------------------------------
 
@@ -150,16 +149,16 @@ export function buildWorkflowRunUrl(token: GitHubActionsJwtPayload) {
 // --- Schemas ---------------------------------------------------------------------------------------------------------
 
 const GitHubRepositoryOwnerRegex = /^[a-z\d](-?[a-z\d])+$/i;
-export const GitHubRepositoryOwnerSchema = zStringRegex(GitHubRepositoryOwnerRegex);
+export const GitHubRepositoryOwnerSchema = z.string().regex(GitHubRepositoryOwnerRegex);
 const GitHubRepositoryNameRegex = /^[a-z\d-._]+$/i;
-export const GitHubRepositoryNameSchema = zStringRegex(GitHubRepositoryNameRegex);
+export const GitHubRepositoryNameSchema = z.string().regex(GitHubRepositoryNameRegex);
 
-export const GitHubRepositorySchema = zStringRegex(
+export const GitHubRepositorySchema = z.string().regex(
     new RegExp(`^${GitHubRepositoryOwnerRegex.source.replace(/^\^|\$$/g, '')}` +
         `/${GitHubRepositoryNameRegex.source.replace(/^\^|\$$/g, '')}$`, 'i'),
 );
 
-export const GitHubAppPermissionsSchema = z.strictObject({
+export const GitHubAppRepositoryPermissionsSchema = z.strictObject({
   // ---- Repository Permissions ----
   'actions': z.enum(['read', 'write']),
   'actions-variables': z.enum(['read', 'write']),
@@ -193,6 +192,10 @@ export const GitHubAppPermissionsSchema = z.strictObject({
   'team-discussions': z.enum(['read', 'write']),
   'vulnerability-alerts': z.enum(['read', 'write']),
   'workflows': z.enum(['write']),
+}).partial();
+export type GitHubAppRepositoryPermissions = z.infer<typeof GitHubAppRepositoryPermissionsSchema>;
+
+export const GitHubAppOrganizationPermissionsSchema = z.strictObject({
   // ---- Organization Permissions ----
   'members': z.enum(['read', 'write']),
   'organization-actions-variables': z.enum(['read', 'write']),
@@ -216,49 +219,13 @@ export const GitHubAppPermissionsSchema = z.strictObject({
   'organization-self-hosted-runners': z.enum(['read', 'write']),
   'organization-user-blocking': z.enum(['read', 'write']),
 }).partial();
-export type GitHubAppPermissions = z.infer<typeof GitHubAppPermissionsSchema>;
+export type GitHubAppOrganizationPermissions = z.infer<typeof GitHubAppOrganizationPermissionsSchema>;
 
-/**
- * === BE AWARE ===
- * - 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
- * - repository scopes do not start with 'organization-'
- * - 'member' scope is an organization scope
- */
-export const GitHubAppRepositoryPermissionsSchema = GitHubAppPermissionsSchema.pick({
-  'actions': true,
-  'actions-variables': true,
-  'administration': true,
-  'checks': true,
-  'codespaces': true,
-  'codespaces-lifecycle-admin': true,
-  'codespaces-metadata': true,
-  'codespaces-secrets': true,
-  'contents': true,
-  'custom-properties': true,
-  'dependabot-secrets': true,
-  'deployments': true,
-  'discussions': true,
-  'environments': true,
-  'issues': true,
-  'merge-queues': true,
-  'metadata': true,
-  'packages': true,
-  'pages': true,
-  'projects': true,
-  'pull-requests': true,
-  'repository-advisories': true,
-  'repository-hooks': true,
-  'repository-projects': true,
-  'secret-scanning-alerts': true,
-  'secrets': true,
-  'security-events': true,
-  'single-file': true,
-  'statuses': true,
-  'team-discussions': true,
-  'vulnerability-alerts': true,
-  'workflows': true,
-});
-export type GitHubAppRepositoryPermissions = z.infer<typeof GitHubAppRepositoryPermissionsSchema>;
+export const GitHubAppPermissionsSchema = z.strictObject({
+  ...GitHubAppRepositoryPermissionsSchema.shape,
+  ...GitHubAppOrganizationPermissionsSchema.shape,
+}).partial();
+export type GitHubAppPermissions = z.infer<typeof GitHubAppPermissionsSchema>;
 
 // --- Types -----------------------------------------------------------------------------------------------------------