diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index e1cd2b5ddc..7cfe919f31 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -466,7 +466,7 @@ jobs: "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", "headers": { - "Authorization": "Bearer \${GH_AW_SAFE_INPUTS_API_KEY}" + "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index addcf9160d..2797bd46cf 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -903,7 +903,7 @@ jobs: [mcp_servers.safeinputs] type = "http" url = "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT" - headers = { Authorization = "Bearer $GH_AW_SAFE_INPUTS_API_KEY" } + headers = { Authorization = "$GH_AW_SAFE_INPUTS_API_KEY" } [mcp_servers.safeoutputs] container = "node:lts-alpine" @@ -930,7 +930,7 @@ jobs: "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", "headers": { - "Authorization": "Bearer $GH_AW_SAFE_INPUTS_API_KEY" + "Authorization": "$GH_AW_SAFE_INPUTS_API_KEY" } }, "safeoutputs": { diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 0ffae514b3..f360573c4b 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -642,7 +642,7 @@ jobs: "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", "headers": { - "Authorization": "Bearer $GH_AW_SAFE_INPUTS_API_KEY" + "Authorization": "$GH_AW_SAFE_INPUTS_API_KEY" } }, "safeoutputs": { diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 546a8b8b22..68267efbe6 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -672,7 +672,7 @@ jobs: [mcp_servers.safeinputs] type = "http" url = "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT" - headers = { Authorization = "Bearer $GH_AW_SAFE_INPUTS_API_KEY" } + headers = { Authorization = "$GH_AW_SAFE_INPUTS_API_KEY" } [mcp_servers.safeoutputs] container = "node:lts-alpine" @@ -732,7 +732,7 @@ jobs: "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", "headers": { - "Authorization": "Bearer $GH_AW_SAFE_INPUTS_API_KEY" + "Authorization": "$GH_AW_SAFE_INPUTS_API_KEY" } }, "safeoutputs": { diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index f04beef63c..76eb527611 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -638,7 +638,7 @@ jobs: "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", "headers": { - "Authorization": "Bearer \${GH_AW_SAFE_INPUTS_API_KEY}" + "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go index c2b2b32f8c..e93f445dfb 100644 --- a/pkg/workflow/mcp_renderer.go +++ b/pkg/workflow/mcp_renderer.go @@ -278,7 +278,7 @@ func (r *MCPConfigRendererUnified) renderSafeInputsTOML(yaml *strings.Builder, s } yaml.WriteString(" url = \"http://" + host + ":$GH_AW_SAFE_INPUTS_PORT\"\n") - yaml.WriteString(" headers = { Authorization = \"Bearer $GH_AW_SAFE_INPUTS_API_KEY\" }\n") + yaml.WriteString(" headers = { Authorization = \"$GH_AW_SAFE_INPUTS_API_KEY\" }\n") // Note: env_vars is not supported for HTTP transport in MCP configuration // Environment variables are passed via the workflow job's env: section instead } diff --git a/pkg/workflow/safe_inputs_http_codex_test.go b/pkg/workflow/safe_inputs_http_codex_test.go index a21e2fef32..787542e04b 100644 --- a/pkg/workflow/safe_inputs_http_codex_test.go +++ b/pkg/workflow/safe_inputs_http_codex_test.go @@ -79,7 +79,7 @@ Test safe-inputs HTTP transport for Codex t.Error("Expected HTTP URL config with host.docker.internal not found in TOML format") } - if !strings.Contains(yamlStr, `headers = { Authorization = "Bearer $GH_AW_SAFE_INPUTS_API_KEY" }`) { + if !strings.Contains(yamlStr, `headers = { Authorization = "$GH_AW_SAFE_INPUTS_API_KEY" }`) { t.Error("Expected HTTP headers config not found in TOML format") } diff --git a/pkg/workflow/safe_inputs_renderer.go b/pkg/workflow/safe_inputs_renderer.go index 47c267355c..4618ad9837 100644 --- a/pkg/workflow/safe_inputs_renderer.go +++ b/pkg/workflow/safe_inputs_renderer.go @@ -86,10 +86,10 @@ func renderSafeInputsMCPConfigWithOptions(yaml *strings.Builder, safeInputs *Saf yaml.WriteString(" \"headers\": {\n") if includeCopilotFields { // Copilot format: backslash-escaped shell variable reference - yaml.WriteString(" \"Authorization\": \"Bearer \\${GH_AW_SAFE_INPUTS_API_KEY}\"\n") + yaml.WriteString(" \"Authorization\": \"\\${GH_AW_SAFE_INPUTS_API_KEY}\"\n") } else { // Claude/Custom format: direct shell variable reference - yaml.WriteString(" \"Authorization\": \"Bearer $GH_AW_SAFE_INPUTS_API_KEY\"\n") + yaml.WriteString(" \"Authorization\": \"$GH_AW_SAFE_INPUTS_API_KEY\"\n") } // Close headers - no trailing comma since this is the last field // Note: env block is NOT included for HTTP servers because the old MCP Gateway schema