Move github-app token minting to activation job by Copilot · Pull Request #24251 · github/gh-aw

Copilot · 2026-04-03T05:26:34Z

The app-id and private-key secrets for tools.github.github-app and checkout github-app configurations were being consumed in the agent job to mint tokens. Moving all minting to the activation job ensures these secrets never reach the agent job; only the short-lived tokens are passed through as job outputs.

Changes

`tools.github.github-app`

compiler_activation_job.go — calls generateGitHubMCPAppTokenMintingSteps when ParsedTools.GitHub.GitHubApp is set; exposes the result as outputs["github_mcp_app_token"]
compiler_github_mcp_steps.go — generateGitHubMCPAppTokenMintingStep (builder sink) replaced by generateGitHubMCPAppTokenMintingSteps (returns []string); invalidation step now references needs.activation.outputs.github_mcp_app_token instead of steps.github-mcp-app-token.outputs.token
compiler_yaml_main_job.go — removes the minting call from the agent job steps
mcp_environment.go, copilot_engine_execution.go — GITHUB_MCP_SERVER_TOKEN set to ${{ needs.activation.outputs.github_mcp_app_token }} when app is configured

Checkout `github-app`

compiler_activation_job.go — creates a CheckoutManager for the activation job; calls GenerateCheckoutAppTokenSteps when any checkout uses app auth; exposes each token as outputs["checkout_app_token_{index}"] via CheckoutAppTokenOutputs()
checkout_manager.go — adds CheckoutAppTokenOutputs() returning a map of output names to step token expressions
checkout_step_generator.go — all token references updated from steps.checkout-app-token-{n}.outputs.token to needs.activation.outputs.checkout_app_token_{n} in checkout steps, fetch steps, and invalidation steps
compiler_yaml_main_job.go — removes the checkout app token minting block from the agent job steps

Compiler invariant

compiler_main_job.go — after generating the agent job steps, asserts the resulting YAML does not contain create-github-app-token; returns an error immediately if the invariant is violated to catch regressions at compile time
github_mcp_app_token_test.go — adds TestAgentJobDoesNotMintGitHubAppTokens covering tools.github.github-app, checkout.github-app, and the top-level github-app fallback for checkout

`safe-outputs.github-app` and `on.github-app`

No change — token minting for these configurations remains in the safe_outputs and conclusion jobs where it was.

Result

jobs:
  activation:
    outputs:
      github_mcp_app_token: ${{ steps.github-mcp-app-token.outputs.token }}
      checkout_app_token_0: ${{ steps.checkout-app-token-0.outputs.token }}
    steps:
      - id: github-mcp-app-token          # MCP server app secrets stay here
        uses: actions/create-github-app-token@...
      - id: checkout-app-token-0          # checkout app secrets stay here
        uses: actions/create-github-app-token@...

  agent:
    needs: [activation]
    env:
      GITHUB_MCP_SERVER_TOKEN: ${{ needs.activation.outputs.github_mcp_app_token }}
    steps:
      - name: Checkout repository
        with:
          token: ${{ needs.activation.outputs.checkout_app_token_0 }}
      - name: Invalidate GitHub App token
        if: always() && needs.activation.outputs.github_mcp_app_token != ''
      - name: Invalidate checkout app token (0)
        if: always() && needs.activation.outputs.checkout_app_token_0 != ''

- generateGitHubMCPAppTokenMintingSteps now returns []string for use in buildActivationJob instead of writing to a strings.Builder - activation job mints github-mcp-app-token and exposes it via output github_mcp_app_token so app-id/private-key never reach the agent job - remove generateGitHubMCPAppTokenMintingStep call from compiler_yaml_main_job.go - update generateGitHubMCPAppTokenInvalidationStep to reference needs.activation.outputs.github_mcp_app_token instead of step output - update mcp_environment.go and copilot_engine_execution.go to consume GITHUB_MCP_SERVER_TOKEN from needs.activation.outputs.github_mcp_app_token - update tests to assert new activation-output pattern Agent-Logs-Url: https://github.com/github/gh-aw/sessions/60528c57-92cc-4bc2-a14d-48ec635b7922 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2026-04-03T05:27:42Z

@copilot also migrate top level github-app, safe-outputs.github-app and on.github-app

…tivation job - Move safe-outputs.github-app token minting from safe_outputs + conclusion jobs to the activation job; expose as safe_outputs_app_token + safe_outputs_app_token_minting_failed outputs - Update buildGitHubAppTokenInvalidationStep to accept a tokenExpr parameter so callers (safe_outputs, conclusion, checkout) can each use their own token reference - Update all steps.safe-outputs-app-token.outputs.token references to needs.activation.outputs.safe_outputs_app_token across: safe_outputs_config_helpers.go, safe_outputs_env.go, compiler_safe_outputs_steps.go, create_code_scanning_alert.go, safe_outputs_jobs.go - Add activation to safe_outputs job needs when safe-outputs.github-app is configured (required to access needs.activation.outputs.*) - Remove minting from compiler_safe_outputs_job.go and notify_comment.go; keep invalidation in both jobs pointing to activation output - Update GH_AW_CONCLUSION_APP_TOKEN_MINTING_FAILED to reference activation output rather than the now-gone step outcome - Remove redundant inline invalidation logic from generateGitHubMCPAppTokenInvalidationStep (now uses shared helper) - Update all test assertions to reflect the new token flow Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0c514f57-c2f0-4257-85f5-ef3a2cb2e579 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-04-03T05:52:54Z

@copilot also migrate top level github-app, safe-outputs.github-app and on.github-app

Done in 70cfcbc. All three remaining github-app configurations have been migrated:

safe-outputs.github-app: Token minting moved from the safe_outputs and conclusion jobs to the activation job. Exposed as needs.activation.outputs.safe_outputs_app_token. Token invalidation stays in both downstream jobs referencing the activation output.
on.github-app (ActivationGitHubApp): Already exclusively in the activation and pre-activation jobs — no change needed.
Top-level github-app: Covered automatically since it's a fallback applied to the above sections.

buildGitHubAppTokenInvalidationStep now takes a tokenExpr parameter so safe_outputs, conclusion, and checkout jobs each invalidate via their respective token expressions.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw --local 86_64/bash git rev-�� --show-toplevel git /usr/bin/git .egg --local x_amd64/vet git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ache/go/1.25.0/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel node /usr/lib/git-cor--show-toplevel git (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build3608035131/b135/vet.cfg 8035131/b342/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha bin/bash git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel head /usr/bin/git node js/f�� 64/pkg/tool/linu--show-toplevel git /home/REDACTED/work/_temp/ghcca-node/node/bin/bash --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git bash (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --noprofile git /home/REDACTED/work/_temp/ghcca-node/node/bin/bash --show-toplevel git /usr/bin/git bash --no�� --noprofile git /opt/pipx_bin/bash --show-toplevel git /usr/bin/git bash (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --noprofile .cfg 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git n-dir/bash --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel node /usr/bin/git git _out�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha get --local 64/bin/bash credential.helpe/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git g/workflow/actiogit g/workflow/actiorev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git g/workflow/activgit g/workflow/activrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git g/workflow/compigit g/workflow/compirev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git g/workflow/compigit g/workflow/compirev-parse x_amd64/vet git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node /ref/tags/v8 x_amd64/vet /usr/bin/git node (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git --local gpg.program x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git HEAD (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha 0/x64/bin/node git /opt/pipx_bin/bash --show-toplevel git /usr/bin/git bash --no�� --noprofile git /opt/hostedtoolcache/node/24.14.0/x64/bin/bash --show-toplevel infocmp /usr/bin/git bash (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha 0/x64/bin/node git /snap/bin/bash --show-toplevel git /usr/bin/git bash --no�� --noprofile git /home/REDACTED/go/bin/bash --show-toplevel git /usr/bin/git bash (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --cGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility -json GO111MODULE r: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE r: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha -json GO111MODULE $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --cGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha se 8035131/b316/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha 0/x64/bin/node git /usr/local/sbin/bash --show-toplevel git /usr/bin/git bash --no�� --noprofile git /home/REDACTED/.config/composer/vendor/bin/bash --show-toplevel git ache/go/1.25.0/x--show-toplevel bash (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha e\|activation\b .cfg 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git 0/x64/bin/node --show-toplevel -tests /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git git _cod�� --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --noprofile .cfg 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git 0/x64/bin/node --show-toplevel -tests /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git git _cod�� --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git ch 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xshow-ref /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git cal/bin/bash git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /opt/hostedtoolc--noprofile git (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha -json GO111MODULE $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/home/REDACTED/work/gh-aw/gh-aw/.github/workflows go (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git ache/go/1.25.0/x--noprofile git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /opt/hostedtoolc--noprofile git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-04-03T14:02:52Z

@copilot safe-outputs.github-app steps should stay in the safe_output job

pelikhan · 2026-04-03T14:04:10Z

@copilot migrate all github-app steps to activation job due the MCP-server configuration

Review remaining github-app steps in agent job and move to activation.

…outputs job Reverts the safe-outputs.github-app token minting migration from the activation job back to the safe_outputs/conclusion jobs. The safe-outputs app-id/private-key steps should remain in the safe_outputs job per feedback. The tools.github.github-app token minting (moved to activation in 9bfc46e) is kept as-is. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6962f747-7aeb-41bc-9ae2-cb8917df7dfc Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-04-03T14:09:18Z

@copilot safe-outputs.github-app steps should stay in the safe_output job

Reverted in 467a9c2. The safe-outputs.github-app token minting steps are back in the safe_outputs and conclusion jobs. Only tools.github.github-app remains migrated to the activation job.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 258464/b213/vet.-c ache/go/1.25.0/x"prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git actions/setup-clnode (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 258464/b216/vet.-c ache/go/1.25.0/x"prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/find echo "�� Actionnode (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build248258464/b124/vet.cfg 258464/b357/vet.cfg (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha en-mint-steps-activation-job cfg 64/pkg/tool/linux_amd64/vet copilot.originalgit (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha mmit} (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 258464/b315/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha diff 9900918 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet pkg/workflow/safgit (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha diff 9900918 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet pkg/workflow/comgit (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --noprofile (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha install --package-lock-o.prettierignore /usr/bin/git (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility json' --ignore-path ../../../.pr**/*.json /opt/hostedtoolcache/go/1.25.0/x--ignore-path r: $owner, name: $name) { hasDiscussionsEnabled } } -bool -buildtags /usr/bin/git git rev-�� th .prettierignore --log-level=error git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel -tests /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha install --package-lock-only $name) { hasDiscussionsEnabled } } /tmp/go-build248prettier -trimpath 258464/b268/vet.../../../**/*.json git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/lib/git-core/git -unreachable=falgit /tmp/go-build248-C /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows /usr/lib/git-corconfig (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --noprofile (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha get cfg 64/pkg/tool/linux_amd64/vet credential.helpegit (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --local cfg 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha re --log-level=error --jq $name) { hasDiscussionsEnabled } } -unreachable=falgit /tmp/go-build248-C 258464/b357/vet./home/REDACTED/work/gh-aw/gh-aw/.github/workflows git /pre�� new-feature.txt /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl/home/REDACTED/work/gh-aw/gh-aw/.github/workflows -unreachable=falgit /tmp/go-build248-C /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Checkout github-app token minting steps (id: checkout-app-token-{n}) are moved from the agent job to the activation job. Each minted token is exposed as an activation output (checkout_app_token_{n}) so the agent job references it via needs.activation.outputs.checkout_app_token_{n}. - checkout_manager.go: add CheckoutAppTokenOutputs() returning output-name→step-expr map - checkout_step_generator.go: update all steps.checkout-app-token-{n}.outputs.token references (checkout step token, fetch step token, invalidation step) to needs.activation.outputs.checkout_app_token_{n} - compiler_activation_job.go: call GenerateCheckoutAppTokenSteps and expose outputs via maps.Copy - compiler_yaml_main_job.go: remove checkout app token minting block - checkout_manager_test.go: update assertions to new token expression form Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b6eaaeca-639c-4eae-8717-8990944195bc Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-04-03T14:31:41Z

@copilot migrate all github-app steps to activation job due the MCP-server configuration

Review remaining github-app steps in agent job and move to activation.

Done in 0ea5e77. Checkout github-app token minting (id: checkout-app-token-{n}) is now moved to the activation job. Each token is exposed as checkout_app_token_{n} output, and the agent job references it via needs.activation.outputs.checkout_app_token_{n}. Token invalidation stays in the agent job referencing the same activation output.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw pull.rebase x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git --abbrev-ref HEAD x_amd64/vet git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -trimpath /opt/hostedtoolc"prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git -unreachable=falnode /tmp/go-build257/opt/hostedtoolcache/node/24.14.0/x64/bin/npx 5314567/b355/vetprettier git (http block)
https://api.github.com/orgs/test-owner/actions/secrets
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path wasm.s go (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build2575314567/b185/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/asm /usr/bin/git -json t/format.go x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.0/x64/bin/node (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/node GOINSECURE GOMOD GOMODCACHE node /opt�� prettier --check /usr/bin/git **/*.ts **/*.json --ignore-path git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha k/gh-aw/gh-aw/pkg/semverutil/semverutil.go k/gh-aw/gh-aw/pkg/semverutil/semverutil_test.go 0/x64/bin/node -p main -lang=go1.25 0/x64/bin/node -o e: ${{ secrets.TOKEN }} -trimpath /usr/bin/git -p main -lang=go1.25 git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --local credential.helpe-ifaceassert x_amd64/asm (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -stringintconv -tests /usr/bin/git --local --get 0/x64/bin/bash git rev-�� --show-toplevel hveYGxNqAcF5 /usr/bin/git linuxagent-logcogit --local cal/bin/bash git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git --noprofile (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha -bool -buildtags 5314567/b311/vet.cfg -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build2575314567/b175/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha -bool -buildtags 5314567/b326/vet.cfg -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build2575314567/b195/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git --noprofile (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -unreachable=false /tmp/go-build2575314567/b052/vet.cfg 5314567/b289/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -bool -buildtags 5314567/b320/vet.cfg -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build2575314567/b194/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -bool -buildtags 5314567/b330/vet.cfg -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build2575314567/b198/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build2575314567/b226/vet.cfg 5314567/b317/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel -tests /usr/bin/git -dirty" -o gh-awgit GO111MODULE x_amd64/asm git rev-�� --show-toplevel 9sCi_ju/2tp1Fp4gl5r8XXDvZd7h /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha ck 'scripts/**/*.js' --ignore-path .prettierignore GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/node/24.14.0/x64/bin/node GOINSECURE GOMOD s,MFiles,HFiles,--show-toplevel node (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build2575314567/b197/vet.cfg 5314567/b305/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/go-build164592882/b456/_pkg_.a -trimpath /usr/bin/git -p github.com/githurev-parse -lang=go1.25 git rev-�� --show-toplevel -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha ck 'scripts/**/*.js' --ignore-path .prettierignore GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /home/REDACTED/go/bin/node GOINSECURE GOMOD GOMODCACHE node (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel /opt/hostedtoolc.prettierignore /usr/bin/git -unreachable=falsh /tmp/go-build257-c /opt/hostedtoolc"prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git er --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/basename -bool -buildtags /usr/sbin/bash basename (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git heck '**/*.cjs' /usr/bin/gh GO111MODULE k/_temp/uv-pythographql git (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility json' --ignore-path ../../../.pr**/*.json bash r: $owner, name: $name) { hasDiscussionsEnabled } } --noprofile git /usr/bin/git git rev-�� th .prettierignore --log-level=error git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel go r: $owner, name: $name) { hasDiscussionsEnabled } } -json GO111MODULE /home/node_modul/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel sh r: $owner, name: $name) { hasDiscussionsEnabled } } npx prettier --cdocker GOPROXY /home/REDACTED/.loinspect sh (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha install --package-lock-only $name) { hasDiscussionsEnabled } } -unreachable=falsh /tmp/go-build257-c /opt/hostedtoolc"prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel go $name) { hasDiscussionsEnabled } } -json GO111MODULE es/.bin/node git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.0/x/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha -unreachable=false /tmp/go-build2575314567/b107/vet.cfg 5314567/b307/vet.cfg create-github-apgit (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput2465595395/001/stability-test.md go /usr/bin/git -json GO111MODULE x_amd64/compile git chec�� .github/workflows/test.md 5PMstAY/Tpa1yqzTrev-parse /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --noprofile .cfg 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha licyBlockedUsersApprovalLabelsCompiledOutput4257786305/001 -trimpath 0/x64/bin/node l github.com/goccyrev-parse -lang=go1.21 592882/b428/repoutil.test t-ha�� ithub/workflows/agent-persona-explorer.md -dwarf=false 0/x64/bin/node m0s -c=4 (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha GenerateCheckoutAppTokenInvalidationSteps\|checkout.*invalid\|InvalidateCheckout pkg/workflow/compiler_yaml_main_job.go 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha /tmp/go-build2439900901/b126/_pkg_.a -trimpath (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 fa2f9a96:go.mod 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2679228010/.github/workflows 0/internal/language/common.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json @v1.1.3/cpu/arm64/arm64.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 irent.go 64/pkg/tool/linu-buildmode=exe GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu-extld=gcc env g_.a @v1.1.3/cpu/arm/arm.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 at.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2604304906/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD fa2f9a96 64/pkg/tool/linux_amd64/compile env 2604304906/.github/workflows oding@v0.5.4/json/codec.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE fa2f9a96 GOMODCACHE ks/uHvMf0NAnOjab896TNzs/AXMwmaH9GRVKhQH5Jbwx env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/compile sm); \ wasm-optgit GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2679228010/.github/workflows 0/internal/tag/tag.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path 790226728/001' 790226728/001' 64/bin/go GOINSECURE GOMOD run-script/lib/n/tmp/go-build2439900901/b208/_pkg_.a node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-test.paniconexit0 go (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 git 64/bin/go go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linustatus env mLsRemoteWithRea.github/workflows/test.md mLsRemoteWithRealGitbranch_with_hyphen44917560/001' 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel /systemd-executo-buildtags /usr/bin/git get _job.go ache/uv/0.11.3/x--show-toplevel git rev-�� --show-toplevel hveYGxNqAcF5 /usr/bin/git --local credential.usernshow-ref 92f9c6e7358ff171--verify git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/asm /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--verify git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel node /usr/bin/git --write scripts/**/*.js 64/bin/go git rev-�� --show-toplevel node /usr/bin/git --write ../../../**/*.jsshow-ref 64/bin/go git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha get --local sh committer.name (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env b/workflows aCCuGrWJu 64/pkg/tool/linux_amd64/vet GOINSECURE obyte GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha "prettier" --wriGOINSECURE git 64/bin/go tierignore /opt/hostedtoolcenv /usr/bin/git node /hom�� --write ../../../**/*.jsGOMOD 64/bin/go --ignore-path ../../../.pretti/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/prettier /usr/bin/git go (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore **/*.cjs 64/bin/go go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore **/*.cjs 64/bin/go go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha log.showsignatur-errorsas log 64/bin/go -n1 --format=format:clone 467a9c2a71947b16/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitcustom_branch3506692299/001 go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -x c 64/bin/go - **/*.cjs 64/bin/go go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -mod=readonly -f 64/bin/go -- unsafe 64/bin/go go env cp .github/aw/actions-lock.json -p GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha re --log-level=error /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet $name) { hasDiscussionsEnabled } } -unreachable=falgit /tmp/go-build257-C /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git /pre�� initial.txt /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags /opt/pipx_bin/ba/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel go $name) { hasDiscussionsEnabled } } -json GO111MODULE ache/node/24.14./home/REDACTED/work/gh-aw/gh-aw/.github/workflows gh api /repos/actions/setup-go/git/ref/tags/v4 --jq /usr/bin/git ck 'scripts/**/*git GO111MODULE /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha get --local 0/x64/bin/bash committer.name (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ty-test.md GO111MODULE 64/pkg/tool/linu-importcfg GOINSECURE id GOMODCACHE 64/pkg/tool/linutest@example.com env g_.a GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha scripts/**/*.js --ignore-path 64/bin/go --log-level=errogo ache/go/1.25.0/xenv /usr/bin/git node /hom�� --write ../../../**/*.jsGOMOD 64/bin/go --ignore-path ../../../.pretti/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/prettier /usr/bin/git go (http block)
https://api.github.com/repos/nonexistent/repo/actions/runs/12345
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env y_only_defaults_repo3702766286/001 _DuzRAXsS 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/owner/repo/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti--show-toplevel go (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/go-build164592882/b414/_pkg_.a go (http block)
https://api.github.com/repos/owner/repo/contents/file.md
- Triggering command: /tmp/go-build164592882/b396/cli.test /tmp/go-build164592882/b396/cli.test -test.testlogfile=/tmp/go-build164592882/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build2439900901/b200/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
https://api.github.com/repos/test-owner/test-repo/actions/secrets
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build164592882/b407/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/envutil/envutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/envutil/envutil_test.go /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/go-build164592882/b408/_pkg_.a go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-04-03T14:35:56Z

@copilot add compiler assertion that no token is minted in the agent job

In compiler_main_job.go, after generating the agent job step content, assert that the YAML does not contain "create-github-app-token". Any minting step in the agent job violates the invariant that app-id / private-key secrets must not reach the agent's environment. Added TestAgentJobDoesNotMintGitHubAppTokens to verify the invariant holds for tools.github.github-app, checkout.github-app, and top-level github-app fallback for checkout configurations. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/70226ef9-d1ce-4dea-aba9-330019bc0a0b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-04-03T14:46:42Z

@copilot add compiler assertion that no token is minted in the agent job

Done in 4f22805. buildMainJob in compiler_main_job.go now checks the generated steps YAML for create-github-app-token and returns an error if found, making it impossible for a future regression to accidentally reintroduce minting in the agent job. TestAgentJobDoesNotMintGitHubAppTokens covers all three configurations: tools.github.github-app, checkout.github-app, and the top-level github-app fallback for checkout.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /home/REDACTED/work/_temp/ghcca-node/node/bin/bash GOINSECURE GOMOD GOMODCACHE bash (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE n-dir/bash GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha ck '**/*.cjs' '*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env e=false GO111MODULE 64/bin/go GOINSECURE %H %ct %D GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE /usr/bin/git GOINSECURE GOMOD GOMODCACHE git rev-�� --show-toplevel GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel node /usr/bin/git --check **/*.cjs 64/bin/go git rev-�� .*/\1/p go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel node /usr/bin/git run lint:cjs 64/bin/go git rev-�� --show-toplevel sh /usr/bin/git "prettier" --chegit sh 64/bin/go git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel node /usr/bin/git run lint:cjs 64/bin/go git rev-�� --show-toplevel sh /usr/bin/git "prettier" --chegit sh 64/bin/go git (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Copilot

Pull request overview

This PR moves GitHub App token minting (for tools.github.github-app and checkout.github-app) from the agent job into the activation job so that GitHub App secrets never reach the agent job; only short-lived tokens are passed via activation job outputs.

Changes:

Mint GitHub MCP server and checkout GitHub App tokens in the activation job and expose them as needs.activation.outputs.*.
Update agent job consumption paths (env vars, checkout token wiring, invalidation steps) to reference activation outputs instead of step outputs.
Add a compiler invariant (and tests) to prevent create-github-app-token from appearing in the agent job.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/workflow/mcp_environment.go	Switch MCP server token env var to `needs.activation.outputs.github_mcp_app_token`.
pkg/workflow/copilot_engine_execution.go	Set `GITHUB_MCP_SERVER_TOKEN` from activation job outputs when app auth is configured.
pkg/workflow/compiler_yaml_main_job.go	Remove GitHub App token minting from agent job step generation.
pkg/workflow/compiler_main_job.go	Add compile-time invariant to fail if agent job contains `create-github-app-token`.
pkg/workflow/compiler_github_mcp_steps.go	Refactor MCP app minting to return steps for activation job; update invalidation to use activation outputs.
pkg/workflow/compiler_activation_job.go	Add MCP + checkout app token minting steps to activation job and expose tokens as job outputs.
pkg/workflow/checkout_step_generator.go	Update checkout token references/invalidation to use `needs.activation.outputs.checkout_app_token_{n}`.
pkg/workflow/checkout_manager.go	Add helper to produce activation job output map for checkout app tokens.
pkg/workflow/github_mcp_app_token_test.go	Update assertions for activation outputs; add invariant coverage test.
pkg/workflow/checkout_manager_test.go	Update expectations to match activation-output token references.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-03T14:56:26Z

pkg/workflow/github_mcp_app_token_test.go

+			// Locate the agent job section (after "  agent:" and before the next top-level job)
+			agentJobStart := strings.Index(lockContent, "\n  agent:\n")
+			require.NotEqual(t, -1, agentJobStart, "Agent job should be present")
+
+			// Find the next top-level job after agent (or end of file)
+			nextJobStart := strings.Index(lockContent[agentJobStart+len("\n  agent:\n"):], "\n  ")
+			var agentJobContent string
+			if nextJobStart == -1 {
+				agentJobContent = lockContent[agentJobStart:]
+			} else {
+				agentJobContent = lockContent[agentJobStart : agentJobStart+len("\n  agent:\n")+nextJobStart]
+			}


The agent job section extraction in this test is incorrect: strings.Index(..., "\n ") will match many indented lines within the agent job itself (e.g., \n runs-on: starts with \n ), so agentJobContent can end up containing only the first line(s) of the job and miss later steps. This can make the assertion a false negative even if create-github-app-token appears later in the agent job. Consider locating the next job header by matching \n <job_id>:\n at exactly 2-space indentation (e.g., via a regexp like \n [^\s][^:]*:\n) starting after the agent header, or parse the YAML and inspect jobs.agent.steps directly.

Copilot AI assigned Copilot and pelikhan Apr 3, 2026

Copilot created this pull request from a session on behalf of pelikhan April 3, 2026 05:26 View session

Merge branch 'main' into copilot/move-token-mint-steps-activation-job

9900918

Copilot started work on behalf of pelikhan April 3, 2026 05:27 View session

Copilot AI changed the title ~~Move tools.github.github-app token minting to activation job~~ Move all github-app token minting to activation job Apr 3, 2026

Copilot AI requested a review from pelikhan April 3, 2026 05:54

Copilot finished work on behalf of pelikhan April 3, 2026 05:54

github-actions bot mentioned this pull request Apr 3, 2026

[aw] No-Op Runs #24257

Open

Copilot started work on behalf of pelikhan April 3, 2026 14:03 View session

Copilot AI changed the title ~~Move all github-app token minting to activation job~~ Move tools.github.github-app token minting to activation job Apr 3, 2026

Copilot finished work on behalf of pelikhan April 3, 2026 14:10

Copilot started work on behalf of pelikhan April 3, 2026 14:10 View session

Copilot AI changed the title ~~Move tools.github.github-app token minting to activation job~~ Move github-app token minting to activation job Apr 3, 2026

Copilot finished work on behalf of pelikhan April 3, 2026 14:32

Copilot started work on behalf of pelikhan April 3, 2026 14:36 View session

Copilot finished work on behalf of pelikhan April 3, 2026 14:47

pelikhan marked this pull request as ready for review April 3, 2026 14:52

Copilot AI review requested due to automatic review settings April 3, 2026 14:52

Copilot started reviewing on behalf of pelikhan April 3, 2026 14:53 View session

pelikhan merged commit 9b9bc12 into main Apr 3, 2026
118 of 152 checks passed

pelikhan deleted the copilot/move-token-mint-steps-activation-job branch April 3, 2026 14:56

Copilot AI reviewed Apr 3, 2026

View reviewed changes

github-actions bot mentioned this pull request Apr 3, 2026

[PR Triage Report] PR Triage Report - 2026-04-03 #24351

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Move github-app token minting to activation job#24251

Move github-app token minting to activation job#24251
pelikhan merged 6 commits intomainfrom
copilot/move-token-mint-steps-activation-job

Copilot AI commented Apr 3, 2026 •

edited

Loading

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

Copilot AI commented Apr 3, 2026 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

Copilot AI commented Apr 3, 2026 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented Apr 3, 2026 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

Copilot AI commented Apr 3, 2026 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Apr 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

tools.github.github-app

Checkout github-app

Compiler invariant

safe-outputs.github-app and on.github-app

Result

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

Copilot AI commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

Copilot AI commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Apr 3, 2026

Uh oh!

Copilot AI commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Apr 3, 2026 •

edited

Loading

`tools.github.github-app`

Checkout `github-app`

`safe-outputs.github-app` and `on.github-app`

Copilot AI commented Apr 3, 2026 •

edited

Loading

Copilot AI commented Apr 3, 2026 •

edited

Loading

Copilot AI commented Apr 3, 2026 •

edited

Loading

Copilot AI commented Apr 3, 2026 •

edited

Loading