feat(DEV-1582): New fetch-github-token-js action

.github/workflows/run-unit-tests.yml

@@ -0,0 +1,20 @@
+name: Run Unit Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+      - name: Install dependencies
+        run: npm install
+      - name: Run tests
+        run: npm test

.github/workflows/test-fetch_token.yaml

@@ -12,7 +12,6 @@ jobs:
   test:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       id-token: write
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

fetch-github-token-js/README.md

@@ -0,0 +1,38 @@
+# <!--name-->Get Ephemeral GitHub Token from CI Vault<!--/name-->
+
+[![usages](https://img.shields.io/badge/usages-white?logo=githubactions&logoColor=blue)](https://github.com/search?q=elastic%2Foblt-actions%2Ffetch-github-token-js+%28path%3A.github%2Fworkflows+OR+path%3A**%2Faction.yml+OR+path%3A**%2Faction.yaml%29&type=code)
+[![test-fetch-github-token-js](https://github.com/elastic/ci-gh-actions/actions/workflows/test-fetch-github-token-js.yml/badge.svg?branch=main)](https://github.com/elastic/ci-gh-actions/actions/workflows/fetch-github-token-js.yml)
+
+<!--description-->
+Fetch an ephemeral GitHub token from Vault using OIDC authentication
+<!--/description-->
+## Inputs
+<!--inputs-->
+| Name                | Description                                                                                                                        | Required | Default |
+|---------------------|------------------------------------------------------------------------------------------------------------------------------------|----------|---------|
+| `vault-instance`    | Vault instance to connect to (ci-prod or ci-dev)                                                                                   | `true`   | ` `     |
+| `vault-role`        | Vault role to assume for GitHub token retrieval. If not provided, it will be generated based on the workflow ref of the GH Action. | `false`  | ` `     |
+| `skip-token-revoke` | If true, skip revoking the GitHub token on exit                                                                                    | `false`  | `true`  |
+<!--/inputs-->
+## Outputs
+<!--outputs-->
+| Name    | Description                           |
+|---------|---------------------------------------|
+| `token` | GitHub App installation access token. |
+<!--/outputs-->
+## Usage
+<!--usage action="elastic/ci-gh-actions**" version="env:VERSION"-->
+```yaml
+permissions:
+  id-token: write
+steps:
+  - uses: elastic/ci-gh-actions/fetch-github-token-js@v1
+    id: fetch-token
+    with:
+      vault-instance: "ci-prod"
+
+  - uses: ..
+    with:
+      github-token: ${{ steps.fetch-token.outputs.token }}
+```
+<!--/usage-->

fetch-github-token-js/action.yml

@@ -0,0 +1,21 @@
+name: Get Ephemeral GitHub Token from CI Vault
+description: 'Fetch an ephemeral GitHub token from Vault using OIDC authentication'
+inputs:
+  vault-instance:
+    description: 'Vault instance to connect to (ci-prod or ci-dev)'
+    required: true
+  vault-role:
+    description: 'Vault role to assume for GitHub token retrieval. If not provided, it will be generated based on the workflow ref of the GH Action.'
+    required: false
+    default: ''
+  skip-token-revoke:
+    description: 'If true, skip revoking the GitHub token on exit'
+    required: false
+    default: 'true'
+outputs:
+  token:
+    description: GitHub App installation access token.
+runs:
+  using: 'node24'
+  main: 'dist/main.js'
+  post: 'dist/revoke.js'