🚀[Feature]: Control if GitHub credentials are persisted (#50)

Copilot · MariusStorhaug · web-flow · commit b5ebe752d33e · 2025-05-31T21:14:15.000+02:00
You now have the option to decide if your GitHub credentials should be
kept or automatically disconnected after the script finishes. This gives
you more flexibility and helps improve security when needed.

### How It Works

* **By default**, your GitHub credentials will be preserved, just like
before—no changes needed on your part.
* **If you want your credentials to be automatically disconnected after
the script runs**, set the new `PreserveCredentials` option to `false`.

### Example

Here’s how to disconnect your credentials after running a script:

```yaml
- name: Run script with credential cleanup
  uses: PSModule/GitHub-Script@v1
  with:
    PreserveCredentials: false
    Script: |
      Get-GitHubUser
      # Your credentials will be disconnected after this step
```

That’s it! Use this new option if you want to make sure your GitHub
connection is cleaned up automatically after your workflow.

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: MariusStorhaug &lt;17722253+MariusStorhaug@users.noreply.github.com&gt;
Co-authored-by: Marius Storhaug &lt;marstor@hotmail.com&gt;
diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
@@ -498,3 +498,52 @@ jobs:
                 Get-GitHubGitConfig | Format-Table -AutoSize | Out-String
               }
             }
+
+  ActionTestPreserveCredentialsFalse:
+    name: PreserveCredentials False
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+      # Need to check out as part of the test, as its a local action
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Action-Test with PreserveCredentials false
+        uses: ./
+        with:
+          Token: ${{ secrets.TEST_USER_PAT }}
+          PreserveCredentials: false
+          Prerelease: ${{ inputs.Prerelease }}
+          Script: |
+            LogGroup 'Get-GitHubUser with credentials that will be cleaned up' {
+              Get-GitHubUser | Format-Table -AutoSize | Out-String
+            }
+
+      - name: Verify credentials are cleaned up
+        shell: pwsh
+        run: |
+          try {
+            # Import GitHub module to check contexts
+            Import-Module -Name GitHub -ErrorAction SilentlyContinue
+            
+            # Check if Get-GitHubContext command is available
+            if (Get-Command Get-GitHubContext -ErrorAction SilentlyContinue) {
+              # Get available contexts
+              $contexts = Get-GitHubContext -ListAvailable
+              
+              Write-Host "Available GitHub contexts: $($contexts | ConvertTo-Json -Depth 3)"
+              
+              # Verify that no contexts are available (should be null or empty)
+              if ($null -eq $contexts -or $contexts.Count -eq 0) {
+                Write-Host "✅ SUCCESS: No GitHub contexts found after cleanup"
+              } else {
+                Write-Host "❌ FAILURE: Found $($contexts.Count) GitHub context(s) after cleanup"
+                $contexts | Format-Table -AutoSize | Out-String | Write-Host
+                exit 1
+              }
+            } else {
+              Write-Host "⚠️  WARNING: Get-GitHubContext command not available"
+            }
+          } catch {
+            Write-Host "❌ FAILURE: Error checking GitHub contexts: $($_.Exception.Message)"
+            exit 1
+          }
diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@ To get started with your own GitHub PowerShell based action, [create a new repos
 | `ShowInit`         | Show information about the initialization.                                | false    | `'false'`             |
 | `ShowOutput`       | Show the script's output.                                                 | false    | `'false'`             |
 | `WorkingDirectory` | The working directory where the script runs.                              | false    | `'.'`                 |
+| `PreserveCredentials` | Preserve credentials after script execution. If false, disconnects GitHub contexts and CLI using Disconnect-GitHubAccount. | false    | `'true'`              |
 
 ### Outputs
 
@@ -199,3 +200,17 @@ Runs a script that uses the GitHub PowerShell module and outputs the result.
     Set-GitHubStepSummary -Summary $result.WISECAT
     Write-GitHubNotice -Message $result.Zen -Title 'GitHub Zen'
 ```
+
+#### Example 6: Run a script with credential cleanup
+
+Runs a script with `PreserveCredentials` set to `false` to automatically disconnect GitHub credentials after execution.
+
+```yaml
+- name: Run script with credential cleanup
+  uses: PSModule/GitHub-Script@v1
+  with:
+    PreserveCredentials: false
+    Script: |
+      Get-GitHubUser
+      # Credentials will be disconnected after this step
+```
diff --git a/action.yml b/action.yml
@@ -58,6 +58,10 @@ inputs:
     description: The working directory where the script will run from.
     required: false
     default: '.'
+  PreserveCredentials:
+    description: Preserve credentials after script execution. If false, disconnects GitHub contexts and CLI using Disconnect-GitHubAccount.
+    required: false
+    default: 'true'
 
 outputs:
   result:
@@ -84,6 +88,7 @@ runs:
         PSMODULE_GITHUB_SCRIPT_INPUT_ShowOutput: ${{ inputs.ShowOutput }}
         PSMODULE_GITHUB_SCRIPT_INPUT_Prerelease: ${{ inputs.Prerelease }}
         PSMODULE_GITHUB_SCRIPT_INPUT_ErrorView: ${{ inputs.ErrorView }}
+        PSMODULE_GITHUB_SCRIPT_INPUT_PreserveCredentials: ${{ inputs.PreserveCredentials }}
       run: |
         # ${{ inputs.Name }}
         try {
diff --git a/scripts/clean.ps1 b/scripts/clean.ps1
@@ -1,5 +1,30 @@
 ﻿Write-Debug "Cleaning up..."
 Write-Debug "LASTEXITCODE: $LASTEXITCODE"
 Write-Debug "PSMODULE_GITHUB_SCRIPT: $env:PSMODULE_GITHUB_SCRIPT"
+
+# Check if credentials should be preserved
+$preserveCredentials = $env:PSMODULE_GITHUB_SCRIPT_INPUT_PreserveCredentials -eq 'true'
+Write-Debug "PreserveCredentials: $preserveCredentials"
+
+if (-not $preserveCredentials) {
+    Write-Debug "Disconnecting GitHub contexts and CLI..."
+    try {
+        # Import GitHub module if not already imported
+        if (-not (Get-Module -Name GitHub -ErrorAction SilentlyContinue)) {
+            Import-Module -Name GitHub -ErrorAction SilentlyContinue
+        }
+
+        # Disconnect GitHub account if the module and function are available
+        if (Get-Command Disconnect-GitHubAccount -ErrorAction SilentlyContinue) {
+            Disconnect-GitHubAccount
+            Write-Debug "Successfully disconnected GitHub account"
+        } else {
+            Write-Debug "Disconnect-GitHubAccount command not available"
+        }
+    } catch {
+        Write-Warning "Failed to disconnect GitHub account: $($_.Exception.Message)"
+    }
+}
+
 $env:PSMODULE_GITHUB_SCRIPT = $false
 Write-Debug "PSMODULE_GITHUB_SCRIPT: $env:PSMODULE_GITHUB_SCRIPT"
