
Move all github-app token minting to activation job #24251

Draft
Copilot wants to merge 3 commits into main from copilot/move-token-mint-steps-activation-job

Conversation

Contributor

Copilot AI commented Apr 3, 2026

The app-id and private-key secrets for all github-app configurations were being consumed in downstream jobs (agent, safe_outputs, conclusion) to mint tokens. Moving all minting to the activation job ensures these secrets never reach downstream jobs; only the short-lived tokens are passed through as job outputs.

Changes

tools.github.github-app

  • compiler_activation_job.go — calls generateGitHubMCPAppTokenMintingSteps when ParsedTools.GitHub.GitHubApp is set; exposes the result as outputs["github_mcp_app_token"]
  • compiler_github_mcp_steps.go — generateGitHubMCPAppTokenMintingStep (builder sink) replaced by generateGitHubMCPAppTokenMintingSteps (returns []string); invalidation step now references needs.activation.outputs.github_mcp_app_token
  • compiler_yaml_main_job.go — removes the minting call from the agent job steps
  • mcp_environment.go, copilot_engine_execution.go — GITHUB_MCP_SERVER_TOKEN set to ${{ needs.activation.outputs.github_mcp_app_token }} when app is configured

safe-outputs.github-app (and top-level github-app fallback)

  • compiler_activation_job.go — mints safe-outputs-app-token step when SafeOutputs.GitHubApp is set; exposes as outputs["safe_outputs_app_token"] and outputs["safe_outputs_app_token_minting_failed"]
  • compiler_safe_outputs_job.go — removes minting; adds activation to needs when github-app is configured; invalidation now references needs.activation.outputs.safe_outputs_app_token
  • notify_comment.go — removes minting from conclusion job; invalidation and failure tracking reference activation outputs
  • All steps.safe-outputs-app-token.outputs.token references updated to needs.activation.outputs.safe_outputs_app_token across safe_outputs_config_helpers.go, safe_outputs_env.go, compiler_safe_outputs_steps.go, create_code_scanning_alert.go, safe_outputs_jobs.go
  • safe_outputs_app_config.go — buildGitHubAppTokenInvalidationStep now accepts a tokenExpr string parameter so each job (safe_outputs, conclusion, checkout) uses its own token reference

on.github-app

Already exclusively minted in the activation and pre-activation jobs — no change needed.

Result

jobs:
  activation:
    outputs:
      github_mcp_app_token: ${{ steps.github-mcp-app-token.outputs.token }}
      safe_outputs_app_token: ${{ steps.safe-outputs-app-token.outputs.token }}
      safe_outputs_app_token_minting_failed: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
    steps:
      - id: github-mcp-app-token       # secrets stay here
        uses: actions/create-github-app-token@...
      - id: safe-outputs-app-token     # secrets stay here
        uses: actions/create-github-app-token@...

  agent:
    needs: [activation]
    env:
      GITHUB_MCP_SERVER_TOKEN: ${{ needs.activation.outputs.github_mcp_app_token }}
    steps:
      - name: Invalidate GitHub App token   # token revocation stays in agent job
        if: always() && needs.activation.outputs.github_mcp_app_token != ''

  safe_outputs:
    needs: [agent, activation]
    steps:
      - name: Invalidate GitHub App token   # token revocation stays here
        if: always() && needs.activation.outputs.safe_outputs_app_token != ''

- generateGitHubMCPAppTokenMintingSteps now returns []string for use in
  buildActivationJob instead of writing to a strings.Builder
- activation job mints github-mcp-app-token and exposes it via output
  github_mcp_app_token so app-id/private-key never reach the agent job
- remove generateGitHubMCPAppTokenMintingStep call from compiler_yaml_main_job.go
- update generateGitHubMCPAppTokenInvalidationStep to reference
  needs.activation.outputs.github_mcp_app_token instead of step output
- update mcp_environment.go and copilot_engine_execution.go to consume
  GITHUB_MCP_SERVER_TOKEN from needs.activation.outputs.github_mcp_app_token
- update tests to assert new activation-output pattern

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/60528c57-92cc-4bc2-a14d-48ec635b7922

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
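As an added illustration (not gh-aw's own code, nor code from this PR), the Go program below lints compiled workflow text for the two properties the description and Result block above establish: GitHub App credentials are referenced only by the activation job, and any job that reads needs.activation.outputs.* declares activation under needs:. Everything it assumes is constructed for the example: the secret names EXAMPLE_APP_ID / EXAMPLE_PRIVATE_KEY and the *_APP_ID / *_PRIVATE_KEY naming rule, the two sample workflows, and the deliberately minimal line-based walk over YAML (2-space job keys, flow-style needs: lists); the real gh-aw secret names and compiler output are not on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Minimal walk over compiled-workflow text: 2-space job keys, flow-style `needs: [...]`.
var (
	jobHeader = regexp.MustCompile(`^  ([A-Za-z0-9_-]+):\s*$`)
	secretRef = regexp.MustCompile(`secrets\.([A-Za-z0-9_]+)`)
	needsRef  = regexp.MustCompile(`needs\.([A-Za-z0-9_-]+)\.outputs\.`)
	needsLine = regexp.MustCompile(`^\s+needs:\s*\[?([^\]]*)\]?\s*$`)
)

// job: secrets.* referenced, jobs declared under needs:, jobs read via needs.<x>.outputs.*.
type job struct{ secrets, needs, upstream map[string]bool }
func newJob() *job { return &job{map[string]bool{}, map[string]bool{}, map[string]bool{}} }
func parseJobs(workflow string) map[string]*job {
	jobs, cur, inJobs := map[string]*job{}, newJob(), false // cur is a scratch target until a job key
	for _, line := range strings.Split(workflow, "\n") {
		if line != "" && line[0] != ' ' && line[0] != '#' { // top-level key: only jobs: opens the section
			inJobs, cur = strings.HasPrefix(line, "jobs:"), newJob()
			continue
		}
		if m := jobHeader.FindStringSubmatch(line); inJobs && m != nil {
			cur = newJob()
			jobs[m[1]] = cur
		}
		for _, m := range secretRef.FindAllStringSubmatch(line, -1) {
			cur.secrets[m[1]] = true
		}
		for _, m := range needsRef.FindAllStringSubmatch(line, -1) {
			cur.upstream[m[1]] = true
		}
		if m := needsLine.FindStringSubmatch(line); m != nil {
			for _, n := range strings.Split(m[1], ",") {
				cur.needs[strings.TrimSpace(n)] = true
			}
		}
	}
	return jobs
}

// Lint reports each violation of the invariant this PR establishes: only mintJob may reference App
// credentials (assumed: secrets named *_APP_ID / *_PRIVATE_KEY), and a job reading needs.<x>.outputs.* must list x under needs:.
func Lint(workflow, mintJob string) []string {
	out := []string{}
	for name, j := range parseJobs(workflow) {
		for s := range j.secrets {
			if name != mintJob && (strings.HasSuffix(s, "_APP_ID") || strings.HasSuffix(s, "_PRIVATE_KEY")) {
				out = append(out, name+" references app secret "+s)
			}
		}
		for up := range j.upstream {
			if !j.needs[up] {
				out = append(out, name+" reads needs."+up+".outputs without needs: "+up)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Constructed samples: pre-PR shape (minting inside the agent job) and the post-PR shape
// from the Result block above (minting in activation, token handed down as a job output).
const beforeWorkflow = `jobs:
  agent:
    steps:
      - id: github-mcp-app-token
        with:
          app-id: ${{ secrets.EXAMPLE_APP_ID }}
          private-key: ${{ secrets.EXAMPLE_PRIVATE_KEY }}
`
const afterWorkflow = `jobs:
  activation:
    outputs:
      github_mcp_app_token: ${{ steps.github-mcp-app-token.outputs.token }}
    steps:
      - id: github-mcp-app-token
        with:
          app-id: ${{ secrets.EXAMPLE_APP_ID }}
          private-key: ${{ secrets.EXAMPLE_PRIVATE_KEY }}
  agent:
    needs: [activation]
    env:
      GITHUB_MCP_SERVER_TOKEN: ${{ needs.activation.outputs.github_mcp_app_token }}
  safe_outputs:
    needs: [agent, activation]
    steps:
      - if: always() && needs.activation.outputs.github_mcp_app_token != ''
        run: ./invalidate-token
`

func main() {
	fmt.Println("before:", Lint(beforeWorkflow, "activation")) // two findings against agent
	fmt.Println("after: ", Lint(afterWorkflow, "activation"))  // []
}
```

Run as-is, it reports two findings for the pre-PR shape (agent references both App secrets) and none for the post-PR shape. Removing activation from the safe_outputs needs: list produces a missing-dependency finding, which is exactly the needs: entry the description says compiler_safe_outputs_job.go now adds when github-app is configured.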
Collaborator

pelikhan commented Apr 3, 2026

@copilot also migrate top level github-app, safe-outputs.github-app and on.github-app

…tivation job

- Move safe-outputs.github-app token minting from safe_outputs + conclusion jobs
  to the activation job; expose as safe_outputs_app_token +
  safe_outputs_app_token_minting_failed outputs
- Update buildGitHubAppTokenInvalidationStep to accept a tokenExpr parameter
  so callers (safe_outputs, conclusion, checkout) can each use their own token
  reference
- Update all steps.safe-outputs-app-token.outputs.token references to
  needs.activation.outputs.safe_outputs_app_token across:
  safe_outputs_config_helpers.go, safe_outputs_env.go,
  compiler_safe_outputs_steps.go, create_code_scanning_alert.go,
  safe_outputs_jobs.go
- Add activation to safe_outputs job needs when safe-outputs.github-app
  is configured (required to access needs.activation.outputs.*)
- Remove minting from compiler_safe_outputs_job.go and notify_comment.go;
  keep invalidation in both jobs pointing to activation output
- Update GH_AW_CONCLUSION_APP_TOKEN_MINTING_FAILED to reference activation
  output rather than the now-gone step outcome
- Remove redundant inline invalidation logic from
  generateGitHubMCPAppTokenInvalidationStep (now uses shared helper)
- Update all test assertions to reflect the new token flow

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0c514f57-c2f0-4257-85f5-ef3a2cb2e579

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 3, 2026

@copilot also migrate top level github-app, safe-outputs.github-app and on.github-app

Done in 70cfcbc. All three remaining github-app configurations have been migrated:

  • safe-outputs.github-app: Token minting moved from the safe_outputs and conclusion jobs to the activation job. Exposed as needs.activation.outputs.safe_outputs_app_token. Token invalidation stays in both downstream jobs referencing the activation output.
  • on.github-app (ActivationGitHubApp): Already exclusively in the activation and pre-activation jobs — no change needed.
  • Top-level github-app: Covered automatically since it's a fallback applied to the above sections.

buildGitHubAppTokenInvalidationStep now takes a tokenExpr parameter so safe_outputs, conclusion, and checkout jobs each invalidate via their respective token expressions.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Move tools.github.github-app token minting to activation job Move all github-app token minting to activation job Apr 3, 2026
Copilot AI requested a review from pelikhan April 3, 2026 05:54
@github-actions github-actions bot mentioned this pull request Apr 3, 2026