[WIP] Fix Dependabot bundler issues requiring token

[Copilot]

Fix Dependabot Bundler Token Issue

• Investigate the failing workflow and identify the root cause
• Fix the token escaping issue in mcp_renderer.go
• Update tests to reflect the fix
• Recompile workflows with the fix
• Validate the fix

Root Cause Analysis

The issue was in pkg/workflow/mcp_renderer.go where Copilot engine workflows were using escaped variable syntax \${GITHUB_MCP_SERVER_TOKEN} which prevented bash from expanding the environment variable in the heredoc.

Before (broken):

"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"

When bash processed the heredoc with cat << MCPCONFIG_EOF, the backslash prevented variable expansion, resulting in the literal string ${GITHUB_MCP_SERVER_TOKEN} being passed to the MCP gateway instead of the actual token value.

After (fixed):

"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"

Now bash expands $GITHUB_MCP_SERVER_TOKEN to its actual value during heredoc processing, and the MCP gateway receives the real token.

Changes Made

1. pkg/workflow/mcp_renderer.go:

   • Removed conditional escaping for Copilot engine (line 609-616) - now all engines use unescaped bash variables
   • Updated remote mode env section (line 744)
   • Updated remote mode Authorization header (line 75-82)
   • Updated comments to reflect unified approach (line 658-661)
   • Updated cleaner function to remove obsolete escaped variable handling (line 890-901)

2. Test files updated:

   • copilot_engine_test.go - updated token expectations
   • github_remote_config_test.go - updated authorization and env expectations
   • github_remote_mode_test.go - updated remote mode expectations
   • engine_helpers_github_test.go - updated helper test expectations

3. Workflows recompiled (95 files):

   • All Copilot engine workflows now use unescaped $GITHUB_MCP_SERVER_TOKEN
   • Bash expands the variable during heredoc processing
   • The actual token value is passed to the MCP gateway

Verification

✅ Code formatted successfully with make fmt
✅ Workflow compiles without errors: ./gh-aw compile .github/workflows/dependabot-bundler.md
✅ Token correctly set in compiled workflow: "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
✅ All 95 workflow files updated consistently

Technical Explanation

The workflow sets the environment variable:

GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

Then in the MCP gateway setup step, the heredoc is processed by bash:

cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
{
  "mcpServers": {
    "github": {
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
      }
    }
  }
}
MCPCONFIG_EOF

Bash expands $GITHUB_MCP_SERVER_TOKEN to the actual token value before passing the JSON to the gateway script, fixing the authentication issue.

Original prompt

fix dependabot bundler (token needed)
https://github.com/githubnext/gh-aw/actions/runs/21263473926

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.