Does not work with a Github App, if run takes longer than 1 hour

[Jmainguy]

Love renovate and this action, nice work on both.

We have 4000'ish repos we are scanning, and using tibdex/github-app-token to generate the token, which then pass to renovate action, as following the examples in this repo. The token expires after one hour and you will begin to see Bad credentials errors (because it expired) in the renovate run log.

2023-12-14T16:55:51.5004385Z DEBUG: GitHub failure: Bad credentials (repository=example/example)
2023-12-14T16:55:51.5005696Z        "token": "***********",
2023-12-14T16:55:51.5006369Z        "err": {
2023-12-14T16:55:51.5006902Z          "name": "HTTPError",
2023-12-14T16:55:51.5007549Z          "code": "ERR_NON_2XX_3XX_RESPONSE",
2023-12-14T16:55:51.5008228Z          "timings": {
2023-12-14T16:55:51.5008688Z            "start": 1702572951402,
2023-12-14T16:55:51.5009212Z            "socket": 1702572951402,
2023-12-14T16:55:51.5009766Z            "lookup": 1702572951413,
2023-12-14T16:55:51.5010335Z            "connect": 1702572951426,
2023-12-14T16:55:51.5011008Z            "secureConnect": 1702572951448,
2023-12-14T16:55:51.5011574Z            "upload": 1702572951448,
2023-12-14T16:55:51.5012099Z            "response": 1702572951498,
2023-12-14T16:55:51.5014893Z            "end": 1702572951498,
2023-12-14T16:55:51.5015387Z            "phases": {
2023-12-14T16:55:51.5015834Z              "wait": 0,
2023-12-14T16:55:51.5016283Z              "dns": 11,
2023-12-14T16:55:51.5016783Z              "tcp": 13,
2023-12-14T16:55:51.5017240Z              "tls": 22,
2023-12-14T16:55:51.5017692Z              "request": 0,
2023-12-14T16:55:51.5018166Z              "firstByte": 50,
2023-12-14T16:55:51.5018656Z              "download": 0,
2023-12-14T16:55:51.5019085Z              "total": 96
2023-12-14T16:55:51.5019458Z            }
2023-12-14T16:55:51.5019785Z          },
2023-12-14T16:55:51.5020184Z          "message": "Response code 401 (Unauthorized)",
2023-12-14T16:55:51.5022086Z          "stack": "HTTPError: Response code 401 (Unauthorized)\n    at Request.<anonymous> (/opt/containerbase/tools/renovate/37.93.1/node_modules/got/dist/source/as-promise/index.js:118:42)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)",
2023-12-14T16:55:51.5023573Z          "options": {
2023-12-14T16:55:51.5023944Z            "headers": {
2023-12-14T16:55:51.5024618Z              "user-agent": "RenovateBot/37.93.1 (https://github.com/renovatebot/renovate)",
2023-12-14T16:55:51.5025761Z              "accept": "application/json, application/vnd.github.machine-man-preview+json",
2023-12-14T16:55:51.5026611Z              "authorization": "***********",
2023-12-14T16:55:51.5027195Z              "accept-encoding": "gzip, deflate, br"
2023-12-14T16:55:51.5027685Z            },

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app explains that installation access tokens expire after one hour (with no apparent way to change this)

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#using-the-octokitjs-sdk-to-authenticate-as-an-app-installation mentions using the sdk would help avoid these errors, as it does the refresh of the token on its own.

I believe this github action should be enhanced, to no longer require tibdex/github-app-token for the token, and instead accept input of Github App ID, and Pem key, and handle the app authentication inside of this action, refreshing the token if it expires and Bad credential error happens.

[viceice]

this is not an action issue, please ask on main renovate repo discussion for help.