Fix: Add checkout and Git config for create-pull-request and push-to-pull-request-branch safe outputs

[Copilot]

Fix for Safe Outputs Not Applied Issue

Problem Summary

The changeset generator workflow (run #20415382311) produced safe outputs correctly but they were NOT applied. Multiple issues were identified and fixed.

Root Causes Identified ✅

1. Missing patch artifact download (Fixed in commit f8df5f2 + 4ae1207)

   • The safe_outputs job was not downloading the aw.patch artifact
   • Fixed for both push_to_pull_request_branch and create_pull_request

2. Missing checkout and git configuration (Fixed in commit 7f3dd49)

   • The push operations were failing because the repository wasn't checked out
   • Git credentials weren't configured, causing permission errors
   • The stub functions returned nil instead of generating required steps

3. Missing write permissions on checkout (Fixed in commit e83aa00)

   • The checkout action wasn't passed a token with write permissions
   • Without a token, it used the default GITHUB_TOKEN which lacked adequate permissions
   • Push operations failed with permission errors

4. Token reference when app not configured (Fixed in commit 1ea9106)

   • The checkout was always using steps.app-token.outputs.token
   • When no app is configured, this token doesn't exist (empty reference)
   • Checkout failed because the token was missing

5. Inefficient gh CLI usage (Fixed in commit f31b86e)

   • The script was shelling out to gh pr view to fetch PR information
   • Replaced with direct GitHub API access using github.rest.pulls.get()

Fixes Implemented ✅

Commit 1: Download patch artifact

• Added patch artifact download when create_pull_request OR push_to_pull_request_branch is enabled
• Downloads aw.patch to /tmp/gh-aw/ where the scripts expect it

Commit 2: Add checkout and git config steps

• Implemented buildPushToPullRequestBranchPreStepsConsolidated with checkout and git config
• Implemented buildCreatePullRequestPreStepsConsolidated with checkout and git config
• Steps only run when respective safe output is present

Commit 3: Pass GitHub App token to checkout

• Pass ${{ steps.app-token.outputs.token }} to checkout action when app is configured
• Ensures checkout has contents:write permission via the GitHub App token
• Allows subsequent git push operations to succeed

Commit 4: Conditionally use app token or default token

• Check if data.SafeOutputs.App is configured before selecting token
• Use app-token when app is configured for enhanced permissions
• Use github.token (default) when no app is configured
• Ensures token is always valid and available

Commit 5: Use GitHub API instead of gh CLI

• Replace gh pr view command with github.rest.pulls.get() API call
• More efficient direct API access without subprocess overhead
• Updated all test mocks to use the new GitHub API pattern

All 120 workflows recompiled with all fixes applied.

Testing ✅

• ✅ TestPushToPullRequestBranchPatchArtifactDownload - passes
• ✅ TestCreatePullRequestPatchArtifactDownload - passes
• ✅ TestGitConfigurationInMainJob - passes
• ✅ All workflow compilations successful
• ✅ All JavaScript tests pass (2236 tests)

The complete fix ensures that both create-pull-request and push-to-pull-request-branch safe outputs can properly apply changes to pull request branches with correct permissions, whether using a GitHub App or default workflow token.

Custom agent used: debug-agentic-workflow
Debug and refine agentic workflows using gh-aw CLI tools - analyze logs, audit runs, and improve workflow performance

Custom agent used: debug-agentic-workflow
Debug and refine agentic workflows using gh-aw CLI tools - analyze logs, audit runs, and improve workflow performance

Original prompt

Investigate why the push_to_pull_request_branch and update_pull_request safe outputs were not applied by this agentic workflow run.
https://github.com/githubnext/gh-aw/actions/runs/20415382311/job/58658331608

Custom agent used: debug-agentic-workflow
Debug and refine agentic workflows using gh-aw CLI tools - analyze logs, audit runs, and improve workflow performance

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot also support create-pull-request safe output type

[Copilot]

@copilot also support create-pull-request safe output type

Extended the fix to also support create-pull-request safe output type. Both create-pull-request and push-to-pull-request-branch now download the aw.patch artifact in the safe_outputs job. Added test coverage for both safe output types. (commit 4ae1207)

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

Smoke Test Results

✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20415996128.txt
✅ Bash Tool: Verified file content successfully
❌ Safe Input gh Tool: Tool not available in this context

Status: PARTIAL PASS (2/3 tests passed)

Ahoy! This treasure was crafted by 🏴‍☠️ Smoke Copilot Safe Inputs fer issue #7167 🗺️

[github-actions]

Smoke Test Results - Copilot Engine (No Firewall)

Last 2 merged PRs:

• Add comprehensive trigger shorthand syntax parser with fuzz testing and IDE-integrated error messages #7160: Add comprehensive trigger shorthand syntax parser
• Document MCP gateway failure investigation - no code changes required #7168: Document MCP gateway failure investigation

Test Results:

• ✅ GitHub MCP: Retrieved merged PRs successfully
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20415996118.txt
• ✅ Bash Tool: Verified file creation with cat
• ✅ Playwright MCP: Navigated to github.com, title contains "GitHub"
• ❌ Safe Input gh: Authentication not configured (expected in test environment)

Overall Status: PASS (4/5 tests successful, gh auth expected to fail)

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #7167 🗺️

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[pelikhan]

@copilot fix the permission issue. see https://github.com/githubnext/gh-aw/actions/runs/20416098219/job/58660035095#step:8:1

[Copilot]

@copilot fix the permission issue. see https://github.com/githubnext/gh-aw/actions/runs/20416098219/job/58660035095#step:8:1

Fixed the permission issue by implementing the checkout and git configuration steps that were missing. The buildPushToPullRequestBranchPreStepsConsolidated and buildCreatePullRequestPreStepsConsolidated functions were stubs - they now properly generate checkout and git config steps with conditional execution. (commit 7f3dd49)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/githubnext/gh-aw/actions/jobs/58660035095/logs
  • Triggering command: /usr/bin/curl curl -s -H Authorization: Bearer REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot make sure the permissions has contents: write when pushing to a branch

https://github.com/githubnext/gh-aw/actions/runs/20416627405/job/58661336019#step:10:1

[Copilot]

@copilot make sure the permissions has contents: write when pushing to a branch

https://github.com/githubnext/gh-aw/actions/runs/20416627405/job/58661336019#step:10:1

Fixed by passing the GitHub App token to the checkout action. The checkout step now uses token: ${{ steps.app-token.outputs.token }} which has contents:write permission, allowing git push operations to succeed. (commit e83aa00)

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[pelikhan]

@copilot the gh token is missing on https://github.com/githubnext/gh-aw/actions/runs/20416884194/job/58661915737#step:10:1

Check job permissions has pull request read at least

[Copilot]

@copilot the gh token is missing on https://github.com/githubnext/gh-aw/actions/runs/20416884194/job/58661915737#step:10:1

Check job permissions has pull request read at least

Fixed by making the token selection conditional based on app configuration. The checkout now uses ${{ steps.app-token.outputs.token }} when an app is configured, or ${{ github.token }} (default) when no app is configured. This ensures the token is always valid and available, preventing the "gh token is missing" error. (commit 1ea9106)

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[pelikhan]

@copilot use the GitHub object to query GitHub instead of calling gh at

  const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]);

[Copilot]

@copilot use the GitHub object to query GitHub instead of calling gh at

...

Replaced gh pr view with github.rest.pulls.get() API call. This is more efficient as it uses the GitHub API directly through the github object (already available in the script context) instead of shelling out to the gh CLI and parsing JSON output. (commit f31b86e)

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰