
feat: auto-forward github-token as GITHUB_APM_PAT + document private repo auth #18

@danielmeppiel

Description


Problem

GitHub Actions forbids creating secrets with the GITHUB_ prefix. APM's primary auth env var is GITHUB_APM_PAT. Users must create differently-named secrets and manually map them in env: blocks — an unnecessary friction point.

Proposed Changes

1. Auto-forward github-token input to GITHUB_APM_PAT (one line)

The github-token input already exists (defaults to ${{ github.token }}) and is used for downloading APM from GitHub Releases. It should also be forwarded as GITHUB_APM_PAT to the APM runtime so same-org private repos work with zero config.

In runner.ts, when building the env for runApm():

```ts
// Copy the runner's environment, then read the action's github-token input
const env = { ...process.env as Record<string, string> };
const token = core.getInput('github-token');
```

  • Zero config: default ${{ github.token }} automatically authenticates same-org private repos
  • Backward compatible: explicit env: GITHUB_APM_PAT overrides still win
  • Cross-org: users pass a broader-scoped PAT via github-token input
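The forwarding step and its precedence, as an added example that is not the apm-action project's code: `getInput` is passed in as a stand-in for `core.getInput` from @actions/core (an assumption, so the block runs without that dependency), and the rule implemented is the one the bullets describe, an explicit `GITHUB_APM_PAT` in `env:` wins, otherwise a non-empty `github-token` fills it.

```typescript
// Added example: proposed github-token -> GITHUB_APM_PAT forwarding.
// Not the project's runner.ts; `getInput` models core.getInput (assumption).

type EnvMap = Record<string, string>;

function buildApmEnv(
  processEnv: EnvMap,
  getInput: (name: string) => string,
): EnvMap {
  // Work on a copy so the caller's environment is never mutated
  const env: EnvMap = { ...processEnv };
  const token = getInput("github-token").trim();
  // An explicit env: GITHUB_APM_PAT override keeps priority; only fill the gap.
  // An empty input (user cleared github-token) must not set an empty PAT,
  // which would otherwise shadow the lower-priority GITHUB_TOKEN / GH_TOKEN.
  if (token !== "" && !env.GITHUB_APM_PAT) {
    env.GITHUB_APM_PAT = token;
  }
  return env;
}

// Constructed sample inputs: what the action would see on a default run
function sampleInputs(name: string): string {
  return name === "github-token" ? "ghs_constructed_job_token" : "";
}

// Stand-alone run: prints only which variable was chosen, never the secret
const demoEnv = buildApmEnv({ PATH: "/usr/bin", GITHUB_TOKEN: "ghs_constructed_job_token" }, sampleInputs);
console.log("GITHUB_APM_PAT set:", "GITHUB_APM_PAT" in demoEnv);
```

Because the input is trimmed and checked for emptiness, a workflow that passes `github-token: ""` to opt out falls through to the rest of APM's chain instead of exporting an empty credential.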

2. Document private repo authentication in README

The README currently has zero documentation on private repo auth. Add a section covering the three tiers:

```yaml
# Same-org private repos: zero config (github-token auto-maps to GITHUB_APM_PAT)
- uses: microsoft/apm-action@v1

# Cross-org private repos: pass a PAT with broader scope
- uses: microsoft/apm-action@v1
  with:
    github-token: ${{ secrets.APM_PAT }}

# Multi-org / multi-platform: use env block for full control
- uses: microsoft/apm-action@v1
  env:
    GITHUB_APM_PAT: ${{ secrets.APM_PAT }}
    GITHUB_APM_PAT_CONTOSO: ${{ secrets.APM_PAT_CONTOSO }}
    ADO_APM_PAT: ${{ secrets.ADO_PAT }}
    ARTIFACTORY_APM_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
```

Design Rationale

We considered adding explicit action inputs for every APM token type (ado-token, artifactory-token, org-tokens, etc.) but concluded that the env: block pattern is already the GitHub Actions standard for CLI-wrapping actions. It is simple, flexible, and well-understood. Adding explicit inputs would:

  • Create a mapping layer to maintain in sync with APM's auth system
  • Not handle dynamic per-org tokens (GITHUB_APM_PAT_{ORG})
  • Add complexity for no real UX gain

The one enhancement (github-token auto-forward) covers the 90% use case (same-org private repos) with zero config.

APM Token Reference

For context, these are all auth env vars APM supports:

| Env Var | Purpose |
|---|---|
| GITHUB_APM_PAT | Primary GitHub PAT for module access |
| GITHUB_APM_PAT_{ORG} | Per-org PAT (highest priority, dynamic suffix) |
| GITHUB_TOKEN | GitHub Actions automatic token / user PAT |
| GH_TOKEN | gh CLI fallback |
| ADO_APM_PAT | Azure DevOps PAT |
| ARTIFACTORY_APM_TOKEN | JFrog Artifactory bearer token |
| GITHUB_HOST | GHES hostname override |

Priority chain: GITHUB_APM_PAT_{ORG} > GITHUB_APM_PAT > GITHUB_TOKEN > GH_TOKEN > git credential fill > unauthenticated
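The priority chain above, carried into code as an added example (not APM's own resolver): it reports which variable would win for a given org, and which higher-priority variables are shadowing the job's automatic `GITHUB_TOKEN`, so a reviewer can see when a broader PAT has quietly replaced the scoped token. The `{ORG}` suffix normalisation (org name uppercased, non-alphanumerics replaced by `_`) is an assumption; `git credential fill` is not modelled and is represented by `undefined`.

```typescript
// Added example: resolves the documented chain
//   GITHUB_APM_PAT_{ORG} > GITHUB_APM_PAT > GITHUB_TOKEN > GH_TOKEN > (git credential fill) > unauthenticated
// Not APM's code; suffix normalisation is an assumption.

type Env = Record<string, string>;

interface TokenChoice {
  source: string; // env var name that supplied the credential
  token: string;
}

// Assumption: "contoso" -> "CONTOSO", "my-org" -> "MY_ORG"
function orgSuffix(org: string): string {
  return org.toUpperCase().replace(/[^A-Z0-9]/g, "_");
}

function githubChain(org: string): string[] {
  return [`GITHUB_APM_PAT_${orgSuffix(org)}`, "GITHUB_APM_PAT", "GITHUB_TOKEN", "GH_TOKEN"];
}

// First non-blank variable in priority order wins; blank values are skipped
// so an accidentally empty secret cannot block the fallbacks below it.
function resolveGitHubToken(env: Env, org: string): TokenChoice | undefined {
  for (const name of githubChain(org)) {
    const value = env[name];
    if (value !== undefined && value.trim() !== "") {
      return { source: name, token: value };
    }
  }
  return undefined; // next: git credential fill, then unauthenticated
}

// Defender's check: which configured variables outrank the job's own
// GITHUB_TOKEN for this org? Non-empty means a broader credential is in play.
function shadowingGitHubToken(env: Env, org: string): string[] {
  const chain = githubChain(org);
  const cutoff = chain.indexOf("GITHUB_TOKEN");
  return chain.slice(0, cutoff).filter((n) => (env[n] ?? "").trim() !== "");
}

// Stand-alone run on a constructed environment; logs names, never values
const constructedEnv: Env = {
  GITHUB_TOKEN: "ghs_constructed_job_token",
  GITHUB_APM_PAT: "ghp_constructed_cross_org",
  GITHUB_APM_PAT_CONTOSO: "ghp_constructed_contoso",
};
console.log("contoso ->", resolveGitHubToken(constructedEnv, "contoso")?.source);
console.log("shadowing GITHUB_TOKEN:", shadowingGitHubToken(constructedEnv, "contoso"));
```

In a workflow, logging only `source` (never `token`) gives a safe audit line for which credential tier a job actually used.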

Labels: enhancement (New feature or request)