
Add GitHub App authentication support for Copilot, Claude, and Codex engines #12272

Closed
Copilot wants to merge 12 commits into main from
copilot/add-app-support-engine-field

Conversation

Contributor

Copilot AI commented Jan 28, 2026

Add GitHub App authentication support for Copilot, Claude, and Codex engines

Summary

This PR implements support for GitHub App authentication with the Copilot, Claude, and Codex engines through the engine.app configuration field. This provides enhanced security with short-lived tokens instead of long-lived personal access tokens.

Implementation Complete

  • Phase 1: Add engine.app configuration support

    • Add App *GitHubAppConfig field to EngineConfig struct
    • Parse engine.app from frontmatter in engine config parsing
    • Update engine configuration validation (JSON schema)
  • Phase 2: Modify engine secret validation

    • Update GetRequiredSecretNames() for Copilot, Claude, and Codex engines
    • Skip API key secrets when app is configured
    • Add app variable validation step generation
  • Phase 3: Token minting and passing

    • Generate app token mint step for all three engines
    • Copilot: Request "copilot-requests: read" permission, pass via COPILOT_GITHUB_TOKEN
    • Claude: Use minted token as ANTHROPIC_API_KEY
    • Codex: Use minted token as CODEX_API_KEY and OPENAI_API_KEY
    • Add token invalidation for all engines
  • Phase 4: Create shared workflow

    • Create .github/workflows/shared/copilot-app.md with app configuration
    • Make workflow portable and reusable
    • Wrap documentation in XML comments per shared workflow pattern
    • Update smoke-copilot to use shared workflow
  • Phase 5: Testing and validation

    • Test all three engines with engine.app configuration
    • Verify app token steps in compiled workflows
    • Run make fmt successfully
    • Verify backwards compatibility maintained

Key Features

  • Multi-engine support - Works with Copilot, Claude, and Codex engines
  • Short-lived tokens (max 1 hour) instead of long-lived PATs
  • Automatic token minting with appropriate permissions per engine
  • Automatic token invalidation after workflow completion
  • Shared workflow for easy reuse across workflows
  • Backwards compatibility - existing workflows continue to work with secrets
  • Production usage - smoke-copilot workflow now uses app authentication

Usage Example

Direct configuration (works for any engine):

---
engine:
  id: copilot  # or claude, or codex
  app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
---

Or import the shared workflow:

---
imports:
  - shared/copilot-app.md
---

Token Usage by Engine

  • Copilot: Token passed as COPILOT_GITHUB_TOKEN (replaces PAT, requests copilot-requests:read)
  • Claude: Token used as ANTHROPIC_API_KEY (replaces API key secret)
  • Codex: Token used as CODEX_API_KEY and OPENAI_API_KEY (replaces API key secrets)

Files Changed

  • pkg/workflow/engine.go - Added App field to EngineConfig
  • pkg/workflow/copilot_engine.go - Updated secret requirements and token handling
  • pkg/workflow/copilot_engine_installation.go - Added app token minting for Copilot
  • pkg/workflow/copilot_engine_execution.go - Use app token in Copilot execution
  • pkg/workflow/claude_engine.go - Added app support, token minting, and execution
  • pkg/workflow/codex_engine.go - Added app support, token minting, and execution
  • pkg/workflow/compiler_yaml_main_job.go - Unified token invalidation for all engines
  • pkg/parser/schemas/main_workflow_schema.json - Updated schema
  • actions/setup/sh/validate_app_support_engine_field.sh - App validation script
  • .github/workflows/shared/copilot-app.md - Shared workflow
  • .github/workflows/smoke-copilot.md - Updated to use shared workflow

Security Benefits

  1. Token lifecycle management - Tokens are automatically invalidated after use
  2. Minimal permissions - Each engine gets only the permissions it needs
  3. Audit trail - App activity tracked separately in GitHub audit logs
  4. No token rotation - No manual token rotation required
  5. Least privilege - Each workflow gets its own scoped token

Testing

  • ✅ Schema validation passes
  • ✅ Code formatting passes
  • ✅ Copilot with engine.app compiles successfully
  • ✅ Claude with engine.app compiles successfully
  • ✅ Codex with engine.app compiles successfully
  • ✅ App token steps generated correctly for all engines
  • ✅ Backwards compatibility maintained (secrets still work)
  • ✅ Shared workflow documentation in XML comments
Original prompt

Add support for specifying an app under the "engine" front matter field (like tools.github.app, safe-outputs.app)

  • requests the "copilot requests: read" permission
  • generated token is passed as the token/api key using the engine default env var
  • update the secret check step to check app variables instead
  • add token invalidate as well like existing support
  • create a shared agentic workflow that configures copilot with the app (must be portable)
  • update smoke-copilot agentic workflow to use the shared workflow



Changeset

  • Type: patch
  • Description: Document Copilot GitHub App authentication support, including the shared workflow and updated token handling steps.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator


Changeset

  • Type: patch
  • Description: Document Copilot GitHub App authentication support, covering the shared workflow and updated token handling steps.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

Copilot AI and others added 3 commits January 28, 2026 14:36
- Add App *GitHubAppConfig field to EngineConfig struct
- Parse engine.app from frontmatter in engine config parsing
- Update Copilot engine to skip COPILOT_GITHUB_TOKEN when app is configured
- Add app variable validation step for engine.app
- Generate app token mint step with copilot-requests:read permission
- Pass app token to Copilot CLI via COPILOT_GITHUB_TOKEN env var
- Add token invalidation step in cleanup
- Update JSON schema to allow engine.app property
- Create shared/copilot-app.md workflow for easy reuse

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Create test-copilot-app-auth.md workflow demonstrating app auth usage
- Update shared/copilot-app.md to include engine.id
- Verify app token minting, permission setting, and invalidation work correctly

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- All implementation phases complete
- Backwards compatibility maintained
- smoke-copilot workflow still compiles successfully
- Formatting and linting passed

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for app specification in engine front matter" to "Add GitHub App authentication support for Copilot engine" Jan 28, 2026
Copilot AI requested a review from pelikhan January 28, 2026 14:48
---

# GitHub Copilot with App Authentication

Contributor

The content of the body should be a xml comment @copilot

Contributor Author

Fixed in 7659c0f - wrapped body content in XML comment following shared workflow pattern

Contributor Author

Copilot AI commented Jan 28, 2026

@pelikhan Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: bab16115-738a-4af3-96f0-0be70b9b9494

Sorry for the inconvenience!

Wrap documentation body in XML comment (<!-- -->) to make it invisible
when imported but readable in source, following shared workflow pattern.

Addresses PR feedback from @pelikhan

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan January 28, 2026 14:59
Contributor

@pelikhan pelikhan left a comment


@copilot update smoke-copilot to use the new shared agentic workflow to use the app

@@ -0,0 +1,43 @@
---
Contributor

@copilot delete file

Contributor Author

Done in ed18acb - deleted test-copilot-app-auth.md and its lock file

- Remove test-copilot-app-auth.md (no longer needed as demo)
- Update smoke-copilot.md to import shared/copilot-app.md
- smoke-copilot now uses GitHub App authentication
- Verified compilation and app token steps are generated correctly

Addresses feedback from @pelikhan

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 28, 2026

@copilot update smoke-copilot to use the new shared agentic workflow to use the app

Done in ed18acb - updated smoke-copilot.md to import shared/copilot-app.md. The workflow now uses GitHub App authentication with automatic token minting and invalidation.

@github-actions
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Contributor

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

@pelikhan pelikhan added the smoke label Jan 28, 2026
@github-actions
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Contributor

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

@pelikhan
Contributor

@copilot the verification shell script should receive the app configuration variable as input as the variable names may change.

@github-actions
Contributor

Refactor add_command.go into focused modules (1,218 → 610 lines) ✅
[WIP] Move app validation script to shell file in actions/setup/sh ✅
[WIP] Propagate app token failure to conclusion job ✅
Add create-agent-session to Security Alert Burndown campaign ✅
Serena activate workspace ✅
Playwright GitHub title contains "GitHub" ✅
Tavily search "GitHub Agentic Workflows" ✅
File write + bash cat verify ✅
Discussion query + oracle comment ✅
Overall status: PASS

AI generated by Smoke Codex

@github-actions
Contributor

Smoke Test: Claude - PASS

Last 2 merged PRs:

Test Status
GitHub MCP
Safe Inputs GH CLI
Serena MCP
Make Build
Playwright
Tavily Search
File Write
Bash Tool
Discussion Interaction

Overall: PASS

AI generated by Smoke Claude

- Update validate_app_support_engine_field.sh to accept APP_ID_VAR_NAME and APP_PRIVATE_KEY_VAR_NAME as parameters
- Add extractEnvVarName() helper to extract variable names from GitHub Actions expressions
- Pass extracted variable names to validation script
- Makes script reusable with different variable naming conventions

This allows users to configure engine.app with custom variable names:
  app-id: ${{ vars.MY_CUSTOM_APP_ID }}
  app-id: ${{ secrets.SOME_OTHER_APP_ID }}

Addresses feedback from @pelikhan

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 28, 2026

@copilot the verification shell script should receive the app configuration variable as input as the variable names may change.

Fixed in 0542649. The validation script now accepts variable names as parameters (APP_ID_VAR_NAME, APP_PRIVATE_KEY_VAR_NAME) and uses indirect expansion to check their values. The Go code extracts variable names from expressions like ${{ vars.MY_CUSTOM_APP_ID }} → MY_CUSTOM_APP_ID and passes them to the script. This supports any naming convention.

@pelikhan
Contributor

@copilot revert previous commit

…names as parameters"

This reverts commit 0542649.

The validation script now uses the simpler signature:
  validate_app_support_engine_field.sh ENGINE_NAME DOCS_URL

And expects hardcoded environment variable names:
  - APP_ID
  - APP_PRIVATE_KEY

Addresses feedback from @pelikhan

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 28, 2026

@copilot revert previous commit

Reverted in 102dadc. The validation script now uses the simpler signature (ENGINE_NAME, DOCS_URL) with hardcoded environment variable names (APP_ID, APP_PRIVATE_KEY).

@pelikhan
Contributor

@copilot make this feature work for claude and codex as well. the minted token should be used as the corresponding api key.

Extend GitHub App authentication support to Claude and Codex engines:

Claude engine:
- Skip ANTHROPIC_API_KEY/CLAUDE_CODE_OAUTH_TOKEN when engine.app configured
- Generate app token mint step
- Use minted token as ANTHROPIC_API_KEY
- Add token invalidation in cleanup

Codex engine:
- Skip CODEX_API_KEY/OPENAI_API_KEY when engine.app configured
- Generate app token mint step
- Use minted token as CODEX_API_KEY and OPENAI_API_KEY
- Add token invalidation in cleanup

Unified implementation:
- Refactored invalidation to handle all engines
- Reuses same validation script and patterns
- Maintains backwards compatibility

Addresses feedback from @pelikhan

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 28, 2026

@copilot make this feature work for claude and codex as well. the minted token should be used as the corresponding api key.

Implemented in e0063f2. The engine.app feature now works for all three engines:

  • Copilot: Minted token used as COPILOT_GITHUB_TOKEN (with copilot-requests:read permission)
  • Claude: Minted token used as ANTHROPIC_API_KEY
  • Codex: Minted token used as both CODEX_API_KEY and OPENAI_API_KEY

All engines skip API key secret requirements when engine.app is configured, mint tokens automatically, and invalidate them in cleanup. Backwards compatibility maintained - existing workflows using secrets continue to work.
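The per-engine secret and token mapping described in the comment above, together with the expression parser from the earlier extractEnvVarName() change (commit 0542649), as an added Go example that is not the project's code: the Go field names, EngineAuthPlan, ExtractEnvVarName and the regexp-based parsing are assumptions, and only the YAML keys and env var names come from the PR.

```go
package main

import "regexp"

// GitHubAppConfig mirrors the engine.app frontmatter block (Go field names are assumed).
type GitHubAppConfig struct {
	AppID      string // e.g. "${{ vars.APP_ID }}"
	PrivateKey string // e.g. "${{ secrets.APP_PRIVATE_KEY }}"
}

// EngineConfig is a reduced stand-in for the PR's EngineConfig with its App field.
type EngineConfig struct {
	ID  string // "copilot", "claude" or "codex"
	App *GitHubAppConfig
}

// Long-lived secrets each engine needs without an app, and the env vars that
// receive the minted short-lived token when engine.app is configured.
var (
	apiKeySecrets = map[string][]string{
		"copilot": {"COPILOT_GITHUB_TOKEN"},
		"claude":  {"ANTHROPIC_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN"},
		"codex":   {"CODEX_API_KEY", "OPENAI_API_KEY"},
	}
	mintedTokenEnv = map[string][]string{
		"copilot": {"COPILOT_GITHUB_TOKEN"},
		"claude":  {"ANTHROPIC_API_KEY"},
		"codex":   {"CODEX_API_KEY", "OPENAI_API_KEY"},
	}
)

// EngineAuthPlan returns the long-lived secrets the validation step must check and
// the env vars that receive a minted app token: with engine.app set, the secret
// check is skipped entirely and the short-lived token is injected instead.
func EngineAuthPlan(cfg EngineConfig) (secrets, tokenEnv []string) {
	if cfg.App != nil {
		return nil, mintedTokenEnv[cfg.ID]
	}
	return apiKeySecrets[cfg.ID], nil
}

var exprRe = regexp.MustCompile(`^\$\{\{\s*(vars|secrets)\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$`)

// ExtractEnvVarName pulls the context ("vars" or "secrets") and variable name out of a
// "${{ vars.X }}" / "${{ secrets.X }}" expression; ok is false for anything else, so a
// literal value pasted into app-id or private-key is rejected rather than silently used.
func ExtractEnvVarName(expr string) (context, name string, ok bool) {
	if m := exprRe.FindStringSubmatch(expr); m != nil {
		return m[1], m[2], true
	}
	return "", "", false
}
```

Because the parser also reports the expression context, a caller can insist that private-key references secrets.* and never vars.* or an inline literal.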

Copilot AI changed the title from "Add GitHub App authentication support for Copilot engine" to "Add GitHub App authentication support for Copilot, Claude, and Codex engines" Jan 28, 2026
@pelikhan pelikhan closed this Jan 28, 2026