Fix gh-aw error#1173
…n up token generation
Pull request overview
This PR updates gh-aw agentic workflows to stop relying on a GitHub App token configuration (APP_ID/APP_PRIVATE_KEY) and instead use existing repository secrets/tokens, addressing workflow runtime errors and improving compatibility with environments where the App secrets aren’t available.
Changes:
- Comment out GitHub App configuration in gh-aw workflow source `.md` files.
- Regenerate corresponding `.lock.yml` workflows to remove the GitHub App token generation/invalidation steps and use fallback tokens + automatic lockdown mode for the GitHub MCP Server.
- Fix invalid references to a non-existent `safe-outputs-app-token` step by sourcing `GH_AW_CI_TRIGGER_TOKEN` directly from secrets.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/instructions-janitor.md | Comments out GitHub App configuration in gh-aw frontmatter. |
| .github/workflows/instructions-janitor.lock.yml | Regenerated workflow removing App token flow; uses lockdown + secret-based tokens and updates CI trigger token source. |
| .github/workflows/daily-test-improver.md | Comments out GitHub App configuration in gh-aw frontmatter. |
| .github/workflows/daily-test-improver.lock.yml | Regenerated workflow removing App token flow; uses lockdown + secret-based tokens and updates CI trigger token source. |
| .github/workflows/daily-doc-updater.md | Comments out GitHub App configuration in gh-aw frontmatter. |
| .github/workflows/daily-doc-updater.lock.yml | Regenerated workflow removing App token flow; uses lockdown + secret-based tokens and updates CI trigger token source. |
| GH_AW_SECRET_NAMES: 'APP_ID,APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' | ||
| SECRET_APP_ID: ${{ secrets.APP_ID }} | ||
| SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} | ||
| GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' |
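Review bot: the new GH_AW_SECRET_NAMES line omits GH_AW_CI_TRIGGER_TOKEN, even though this PR now reads that token straight from secrets for the CI trigger, so the redaction step has no value to scrub if the token ever lands in output. Add it to the list and pair it with a `SECRET_GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}` input, the same name/value pairing the removed SECRET_APP_ID and SECRET_APP_PRIVATE_KEY lines show. Dropping APP_ID and APP_PRIVATE_KEY from the list is correct since their SECRET_* inputs are removed in the same hunk.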
GH_AW_CI_TRIGGER_TOKEN is now sourced from secrets later in the workflow, but it isn't included in the GH_AW_SECRET_NAMES/SECRET_* inputs for the secret redaction step. Add it there so this token gets reliably redacted from logs/artifacts if it appears in output.
| GH_AW_SECRET_NAMES: 'APP_ID,APP_PRIVATE_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' | ||
| SECRET_APP_ID: ${{ secrets.APP_ID }} | ||
| SECRET_APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} | ||
| GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' |
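Review bot: same gap as in the other regenerated lock file: GH_AW_CI_TRIGGER_TOKEN is missing from the trimmed GH_AW_SECRET_NAMES, and there is no SECRET_GH_AW_CI_TRIGGER_TOKEN input beside the SECRET_* entries being removed here. A name only takes effect when its matching SECRET_<NAME> input is present, so both halves need adding together; since these files are generated by gh-aw, the fix belongs in whatever produces the redaction env block, not a hand edit of the .lock.yml.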
GH_AW_CI_TRIGGER_TOKEN is now provided via secrets to the Safe Outputs handler, but the redact-secrets step no longer includes it in GH_AW_SECRET_NAMES. Add GH_AW_CI_TRIGGER_TOKEN (and corresponding SECRET_GH_AW_CI_TRIGGER_TOKEN) so the value is redacted in logs/artifacts if it’s ever printed.
| await main(); | ||
| env: | ||
| GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,APP_ID,APP_PRIVATE_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' | ||
| GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' |
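Review bot: this hunk shows only the GH_AW_SECRET_NAMES line changing, with no corresponding removal of SECRET_APP_ID / SECRET_APP_PRIVATE_KEY inputs as the other two lock files have; confirm those env entries are gone from this file too, otherwise the step is handed inputs for names it no longer lists. And as with the other files, GH_AW_CI_TRIGGER_TOKEN (plus its SECRET_GH_AW_CI_TRIGGER_TOKEN input) should be added to the list now that the workflow reads it from secrets.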
The workflow now relies on secrets.GH_AW_CI_TRIGGER_TOKEN, but the redact-secrets configuration doesn’t include it. Please add GH_AW_CI_TRIGGER_TOKEN to GH_AW_SECRET_NAMES and pass SECRET_GH_AW_CI_TRIGGER_TOKEN so the token is scrubbed from artifacts/logs if it appears.
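The gap the three review comments describe, shown as an added example that is not part of this PR or of gh-aw's own code: a minimal redactor with the same contract the lock files expose (a comma list in GH_AW_SECRET_NAMES, one SECRET_<NAME> input per listed name), run against a constructed log line with the names line as submitted and again with GH_AW_CI_TRIGGER_TOKEN added. The token values, the log text and the function names are assumptions; the real gh-aw redaction step may work differently.

```python
"""Minimal stand-in for a GH_AW_SECRET_NAMES / SECRET_* driven redactor.
Added example, not gh-aw's code; names, tokens and log text are constructed."""

REDACTED = "***"


def parse_secret_names(names_csv):
    """Split the comma list the workflow passes in GH_AW_SECRET_NAMES."""
    return [n.strip() for n in names_csv.split(",") if n.strip()]


def collect_secrets(names_csv, env):
    """Map each listed name to its SECRET_<name> value.
    Returns (found, unresolved): a listed name with no non-empty SECRET_*
    input cannot be redacted, which is what happens when the names line and
    the SECRET_* inputs drift apart."""
    found, unresolved = {}, []
    for name in parse_secret_names(names_csv):
        value = env.get("SECRET_" + name, "")
        if value:
            found[name] = value
        else:
            unresolved.append(name)
    return found, unresolved


def redact(text, secrets):
    """Replace every known secret value with the REDACTED marker.
    Longest value first so a secret that is a prefix of another does not
    leave the longer one's tail behind."""
    for value in sorted(secrets.values(), key=len, reverse=True):
        text = text.replace(value, REDACTED)
    return text


def leaked(text, env):
    """Names of SECRET_* inputs whose raw value still appears in text."""
    return sorted(
        k[len("SECRET_"):]
        for k, v in env.items()
        if k.startswith("SECRET_") and v and v in text
    )


# Constructed values standing in for the real secrets; not real tokens.
ENV = {
    "SECRET_COPILOT_GITHUB_TOKEN": "copilot-token-CONSTRUCTED-1111",
    "SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN": "mcp-token-CONSTRUCTED-2222",
    "SECRET_GH_AW_GITHUB_TOKEN": "gh-aw-token-CONSTRUCTED-3333",
    "SECRET_GITHUB_TOKEN": "github-token-CONSTRUCTED-4444",
    # Available to the workflow (the CI trigger uses it) but, in the PR as
    # submitted, not listed for redaction.
    "SECRET_GH_AW_CI_TRIGGER_TOKEN": "ci-trigger-token-CONSTRUCTED-5555",
}

# The names line as it appears in the regenerated lock files ...
NAMES_IN_PR = "COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN"
# ... and with the missing entry added, as the review asks.
NAMES_FIXED = NAMES_IN_PR + ",GH_AW_CI_TRIGGER_TOKEN"

# Constructed log line in which an agent step echoed two tokens.
LOG = (
    "curl -H 'Authorization: Bearer gh-aw-token-CONSTRUCTED-3333' ... ok\n"
    "dispatching CI with token ci-trigger-token-CONSTRUCTED-5555\n"
)


def run(names_csv, env=ENV, log=LOG):
    """Redact log using the given names line; report what still leaks."""
    secrets, unresolved = collect_secrets(names_csv, env)
    out = redact(log, secrets)
    return {"text": out, "leaked": leaked(out, env), "unresolved": unresolved}


if __name__ == "__main__":
    for label, names in (("as submitted", NAMES_IN_PR), ("fixed", NAMES_FIXED)):
        r = run(names)
        print(f"[{label}] leaked={r['leaked']} unresolved={r['unresolved']}")
        print(r["text"])
```

With the names line as submitted, the CI trigger token survives redaction because the step was never told its value; adding the name (and its SECRET_* input, which the ENV mapping stands in for) closes the gap. The `unresolved` list is the other direction of the same mistake: a name listed without a wired-in SECRET_* input silently redacts nothing.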
Close #1170
Close #1171
Close #1172