Copilot AI commented Dec 30, 2025

Safe outputs were incorrectly using the MCP server token fallback chain (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) instead of the correct simplified chain.

Changes

  • New function getEffectiveSafeOutputGitHubToken() - Returns simplified fallback chain ending with GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
  • Updated addSafeOutputGitHubTokenForConfig() - Uses new function instead of getEffectiveGitHubToken()
  • Updated addCustomActionGitHubToken() - Uses new function for standard safe output operations
  • Preserved MCP/tools behavior - getEffectiveGitHubToken() unchanged for MCP servers and GitHub tools
  • Recompiled workflows - Regenerated 118 workflow lock files to reflect the updated token chain

Token Precedence

Before:

per-output > global > workflow > GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

After:

per-output > global > workflow > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

The MCP token chain remains appropriate for MCP servers and GitHub tools, but safe outputs should use a simpler chain that removes only the GH_AW_GITHUB_MCP_SERVER_TOKEN while keeping GH_AW_GITHUB_TOKEN as a fallback before GITHUB_TOKEN.

All workflow lock files have been recompiled to use the corrected token chain.

Original prompt

Review the github token chaining used to process safe output entries.

It should be safe outputs token -> workflow token -> GitHub action token



Copilot AI and others added 2 commits December 30, 2025 06:32
Create new getEffectiveSafeOutputGitHubToken function that uses simpler
token chain: per-output > global > workflow > GITHUB_TOKEN (removing
GH_AW_GITHUB_MCP_SERVER_TOKEN and GH_AW_GITHUB_TOKEN from the fallback).

This ensures safe outputs follow the correct token precedence:
safe outputs token -> workflow token -> GitHub Actions token

Co-authored-by: pelikhan <[email protected]>

The integration test was trying to test workflow-level tokens, but WorkflowData.GitHubToken
is only populated from tools.github config, not from top-level frontmatter. The unit tests
for getEffectiveSafeOutputGitHubToken properly verify the correct behavior.

Co-authored-by: pelikhan <[email protected]>
Copilot AI changed the title from "[WIP] Review GitHub token chaining for safe output entries" to "Fix GitHub token chaining for safe outputs" Dec 30, 2025
Copilot AI requested a review from pelikhan December 30, 2025 06:41
@pelikhan

@copilot It should be secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

Change the fallback chain from just GITHUB_TOKEN to
GH_AW_GITHUB_TOKEN || GITHUB_TOKEN as requested.

The correct chain is now:
per-output > global > workflow > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

Co-authored-by: pelikhan <[email protected]>

Copilot AI commented Dec 30, 2025

@copilot It should be secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

Updated in f0b8f77. The safe outputs token chain now uses GH_AW_GITHUB_TOKEN || GITHUB_TOKEN as the fallback instead of just GITHUB_TOKEN.

@pelikhan

@copilot recompile

@pelikhan pelikhan marked this pull request as ready for review December 30, 2025 14:45
Regenerated all workflow lock files to use the corrected safe outputs
token chain: GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

Updated 118 workflow lock files.

Co-authored-by: pelikhan <[email protected]>

Copilot AI commented Dec 30, 2025

@copilot recompile

Recompiled in db801a9. All 118 workflow lock files have been regenerated with the updated token chain GH_AW_GITHUB_TOKEN || GITHUB_TOKEN.

@pelikhan pelikhan merged commit f7caecf into main Dec 30, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/review-github-token-chaining branch December 30, 2025 15:56