Clarify github-token is optional for update-project when GH_AW_PROJECT_GITHUB_TOKEN is set #14996

Merged
mnkiefer merged 2 commits into prompt-instructions from copilot/sub-pr-14984
Feb 11, 2026

Copilot AI commented Feb 11, 2026

The update-project documentation incorrectly labeled github-token: as REQUIRED, but getEffectiveProjectGitHubToken falls back to ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} when omitted.

Changes:

  • Commented out github-token: in example to show it's optional
  • Updated inline comment: "Optional here if GH_AW_PROJECT_GITHUB_TOKEN is set; PAT with projects:write (NOT GITHUB_TOKEN) is still required"
  • Clarified requirements bullet to mention both configuration methods
  • Aligned with create-project pattern (line 556)

Before:

update-project:
  github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}  # REQUIRED: PAT with projects:write

After:

update-project:
  # github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}  # Optional here if GH_AW_PROJECT_GITHUB_TOKEN is set; PAT with projects:write is still required

A PAT with Projects permissions is always required, but configuring the github-token field is optional if the fallback secret exists.


…T_GITHUB_TOKEN is set

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update project prompt instructions based on feedback" to "Clarify github-token is optional for update-project when GH_AW_PROJECT_GITHUB_TOKEN is set" Feb 11, 2026
Copilot AI requested a review from mnkiefer February 11, 2026 18:07
mnkiefer marked this pull request as ready for review February 11, 2026 18:07
Copilot AI review requested due to automatic review settings February 11, 2026 18:07
mnkiefer merged commit caf3af2 into prompt-instructions Feb 11, 2026
mnkiefer deleted the copilot/sub-pr-14984 branch February 11, 2026 18:08

Copilot AI left a comment

Pull request overview

This PR updates GitHub Agentic Workflows documentation/examples to clarify that safe-outputs.update-project.github-token is optional when GH_AW_PROJECT_GITHUB_TOKEN is set, and updates the workflow lock schemas to accept temporary project IDs for update_project.

Changes:

  • Commented out github-token in the update-project docs example and clarified token configuration options (explicit field vs fallback secret).
  • Updated update_project.project input schema in workflow lock files to allow temporary project IDs (aw_… / #aw_…) in addition to full project URLs.
  • Adjusted requirements text in the docs to mention the fallback token option.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| .github/workflows/test-project-url-default.lock.yml | Expands update_project.project tool schema to accept temporary project IDs. |
| .github/workflows/smoke-project.lock.yml | Same schema expansion for update_project.project in the smoke workflow lock. |
| .github/aw/github-agentic-workflows.md | Clarifies github-token optionality for update-project when fallback secret is set and updates requirements text. |

"description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'). Project names or numbers alone are NOT accepted.",
"pattern": "^https://github\\.com/(orgs|users)/[^/]+/projects/\\d+$",
"description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'), or a temporary project ID from a recent create_project call (e.g., '#aw_abc123def456' or 'aw_abc123def456'). Project names or numbers alone are NOT accepted.",
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[0-9a-f]{12})$",
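
Review bot: the new description line gives 'aw_abc123def456' as an example but never states the constraint that the new pattern line enforces, namely exactly 12 lowercase hex characters after aw_ (`#?aw_[0-9a-f]{12}`). An agent that emits an uppercase or differently sized ID is rejected by the schema with nothing in the description explaining why. Suggest adding the format to the description text, for example "aw_ followed by 12 lowercase hex characters, with an optional leading #".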

Copilot AI Feb 11, 2026

The update_project tool input schema now allows temporary project IDs (aw_… / #aw_…), but the Safe Outputs validation schema later in this same workflow file still restricts project to a full GitHub URL (and will reject temporary IDs). Please update the corresponding validation pattern/error text as well so the workflow’s validation matches the tool schema.

Suggested change
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[0-9a-f]{12})$",
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[^\\s]+)$",
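
Review bot: the second pattern line replaces `[0-9a-f]{12}` with `[^\\s]+`, which accepts any run of non-whitespace characters after aw_ and is wider than the ID format the description documents. The comment above it asks for the validation section to be aligned with the tool schema, not for the tool schema to be loosened. Suggest keeping `#?aw_[0-9a-f]{12}` here and applying that same alternation to the validation pattern instead.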

Copilot uses AI. Check for mistakes.
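
The mismatch described in this comment can be checked mechanically. The following is an added example, not code from the PR or from GitHub Agentic Workflows: it runs the patterns quoted on this page over constructed `project` values and reports where they disagree. It assumes the validation section still uses the pre-change URL-only pattern; `PATTERNS`, `SAMPLES`, `verdicts`, `drift` and `widenedBy` are hypothetical names.

```javascript
// Added example: compares the `project` patterns quoted on this page.
const PROJECT_URL = String.raw`https://github\.com/(orgs|users)/[^/]+/projects/\d+`;
const withTempId = (cls) => new RegExp(`^(${PROJECT_URL}|#?aw_${cls})$`);

const PATTERNS = {
  toolInput: withTempId("[0-9a-f]{12}"),             // tool input schema after this PR
  // ASSUMPTION: validation still uses the pre-change URL-only pattern.
  validation: new RegExp(`^${PROJECT_URL}$`),
  suggestedNonSpace: withTempId(String.raw`[^\s]+`), // first "Suggested change"
  suggestedAlnum: withTempId("[0-9a-z]{12}"),        // second "Suggested change"
};

// Constructed sample values for the `project` field (not from real runs).
const SAMPLES = [
  "https://github.com/orgs/myorg/projects/42", // full project URL
  "aw_abc123def456",                           // temporary ID
  "#aw_abc123def456",                          // temporary ID with leading '#'
  "aw_abc123def45",                            // only 11 hex characters
  "aw_" + "z".repeat(12),                      // 12 characters, not hex
  "aw_abc123def456;extra",                     // trailing text after the ID
  "42",                                        // bare project number
];

// Verdict of every pattern for one value.
function verdicts(value) {
  const out = {};
  for (const [name, re] of Object.entries(PATTERNS)) out[name] = re.test(value);
  return out;
}

// Values on which two named patterns disagree (schema drift).
function drift(a, b, samples = SAMPLES) {
  return samples.filter((s) => PATTERNS[a].test(s) !== PATTERNS[b].test(s));
}

// Values a candidate pattern accepts that the reference pattern rejects.
function widenedBy(candidate, reference, samples = SAMPLES) {
  return samples.filter((s) => PATTERNS[candidate].test(s) && !PATTERNS[reference].test(s));
}

console.table(Object.fromEntries(SAMPLES.map((s) => [s, verdicts(s)])));
console.log("tool input vs validation:", drift("toolInput", "validation"));
console.log("extra values accepted by [^\\s]+:", widenedBy("suggestedNonSpace", "toolInput"));
```

Running the same comparison in CI against the patterns extracted from each lock file would flag this kind of drift before merge.
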
"description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'). Project names or numbers alone are NOT accepted.",
"pattern": "^https://github\\.com/(orgs|users)/[^/]+/projects/\\d+$",
"description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'), or a temporary project ID from a recent create_project call (e.g., '#aw_abc123def456' or 'aw_abc123def456'). Project names or numbers alone are NOT accepted.",
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[0-9a-f]{12})$",

Copilot AI Feb 11, 2026

Same mismatch here: the update_project tool input schema accepts temporary project IDs, but the Safe Outputs validation section in this workflow still enforces a full project URL for project. Align the validation pattern/error with the updated input schema to avoid rejecting valid agent output.

Suggested change
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[0-9a-f]{12})$",
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[0-9a-z]{12})$",
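
Review bot: `[0-9a-z]{12}` in the second pattern line admits non-hex letters, and it differs from the `[^\\s]+` suggested for the other lock file earlier in this thread, so applying both suggestions would leave the two files with different patterns for the same `project` field. Suggest keeping `[0-9a-f]{12}` in both files so the schema matches the 'aw_abc123def456' format given in the description.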

Comment on lines +331 to +332
"description": "Full GitHub project URL (e.g., 'https://github.com/orgs/myorg/projects/42' or 'https://github.com/users/username/projects/5'), or a temporary project ID from a recent create_project call (e.g., '#aw_abc123def456' or 'aw_abc123def456'). Project names or numbers alone are NOT accepted.",
"pattern": "^(https://github\\.com/(orgs|users)/[^/]+/projects/\\d+|#?aw_[0-9a-f]{12})$",

Copilot AI Feb 11, 2026

The PR description/title is about clarifying github-token being optional, but this change also updates the project field schema to accept temporary project IDs from create_project. If this is intentional, it would help to mention it in the PR description (or split it) since it’s a behavior/doc contract change beyond the token clarification.

max: 20 # Optional: max project operations (default: 10)
project: "https://github.com/orgs/myorg/projects/42" # REQUIRED in agent output (full URL)
github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} # REQUIRED: PAT with projects:write (NOT GITHUB_TOKEN)
# github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} # Optional here if GH_AW_PROJECT_GITHUB_TOKEN is set; PAT with projects:write (NOT GITHUB_TOKEN) is still required

Copilot AI Feb 11, 2026

The inline comment says “PAT with projects:write”, but the requirements section below describes classic/fine-grained PAT scopes/permissions instead. Consider rewording this to “PAT/GitHub App token with Projects permissions” (or similar) to avoid implying there’s a PAT scope literally named projects:write.

Suggested change
# github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} # Optional here if GH_AW_PROJECT_GITHUB_TOKEN is set; PAT with projects:write (NOT GITHUB_TOKEN) is still required
# github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} # Optional here if GH_AW_PROJECT_GITHUB_TOKEN is set; PAT or GitHub App token with Projects permissions (NOT GITHUB_TOKEN) is still required

Comment on lines 579 to +581
- Agent must include full project URL in **every** call: `project: "https://github.com/orgs/myorg/projects/42"` or `https://github.com/users/username/projects/5`
- Project URLs must be full URLs; project numbers alone are NOT accepted
- Requires a **PAT or GitHub App token** with Projects permissions configured as `github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}`
- Requires a **PAT or GitHub App token** with Projects permissions (for example via `github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}` or the `GH_AW_PROJECT_GITHUB_TOKEN` fallback)

Copilot AI Feb 11, 2026

This requirements bullet still states the agent must include a full project URL in every call, but the update_project schema now allows temporary project IDs (aw_… / #aw_…) from create_project. Please update the requirement wording/examples to include temporary IDs (or explicitly state when a full URL is still required) so the docs match the actual accepted inputs.

See below for a potential fix:

        project: "https://github.com/orgs/myorg/projects/42"  # REQUIRED in agent output: full project URL or temporary project ID (e.g., aw_… / #aw_… from create_project)
        # github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}  # Optional here if GH_AW_PROJECT_GITHUB_TOKEN is set; PAT with projects:write (NOT GITHUB_TOKEN) is still required
    ```
    Use this to organize work by adding issues and pull requests to projects, updating field values (status, priority, effort, dates), creating custom fields, and setting up project views.
    
    **⚠️ IMPORTANT REQUIREMENTS:**
    - Agent must include a project identifier in **every** call: either a full project URL (e.g., `project: "https://github.com/orgs/myorg/projects/42"` or `https://github.com/users/username/projects/5"`) or a temporary project ID returned from `create_project` (e.g., `aw_abc123def456` or `#aw_abc123def456`)
    - When using project URLs, they must be full URLs; bare project numbers alone are NOT accepted (temporary project IDs starting with `aw_` or `#aw_` are allowed)
