Copilot AI commented Oct 18, 2025

Add support for top-level github-token field in frontmatter

Plan

  • Update main_workflow_schema.json to add github-token field at top level
  • Update WorkflowData struct to include GitHubToken field
  • Parse github-token from frontmatter in compiler
  • Update checkout step generation to use custom github-token if provided
  • Update engine configurations (claude, codex, copilot, custom) to use custom github-token
  • Ensure safe-outputs github-token takes precedence over top-level github-token
  • Ensure individual safe-output github-token takes precedence over safe-outputs github-token
  • Fix all failing unit tests
  • Add integration tests for top-level github-token precedence
  • Update security.md documentation
  • Run all tests to ensure no regressions
  • Move getEffectiveGitHubToken to github_token.go

Summary

Successfully implemented top-level github-token field with complete precedence hierarchy:

  1. Individual safe-output github-token (highest priority) - e.g., create-issue.github-token
  2. Safe-outputs global github-token - e.g., safe-outputs.github-token
  3. Top-level github-token (new) - e.g., github-token: ${{ secrets.CUSTOM_PAT }}
  4. Default fallback - ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

Recent Changes

  • Moved getEffectiveGitHubToken() helper function to new github_token.go file for better code organization

Key Features

  • Flexible token management: Set a default token for the entire workflow while allowing specific safe-outputs to override
  • Engine integration: Token is automatically used in all engine configurations (claude, codex, copilot, custom)
  • Checkout integration: Token is used in checkout steps in trial mode
  • Safe-outputs integration: Proper precedence ensures individual safe-output tokens override global settings

Testing

  • ✅ All unit tests pass
  • ✅ All integration tests pass
  • ✅ New integration test verifies precedence hierarchy across all engines
  • ✅ Security documentation updated with examples

Original prompt

Add support in front matter to configure a "github-token" expression at the top level.


github-token: ${{ secrets.... }}
...

If defined, this expression is used to set the value of the GITHUB_TOKEN env in all steps that require a github token.

This expression can be overridden by the safe-outputs github-token and by the safe-output children (create-issue) github-token field.

  • update schema
  • review codegen for actions/checkout, agentic engine secrets
  • update security.md docs on authentication


Copilot AI and others added 3 commits October 18, 2025 01:56
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ontmatter

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for github-token in front matter Add support for top-level github-token configuration in workflow frontmatter Oct 18, 2025
Copilot AI requested a review from pelikhan October 18, 2025 02:03
// 1. Custom token passed as parameter (e.g., from safe-outputs)
// 2. Top-level github-token from frontmatter
// 3. Default fallback: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
func getEffectiveGitHubToken(customToken, toplevelToken string) string {

@copilot move to github_token.go


Moved to pkg/workflow/github_token.go in commit 3f5e8ac
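
The token resolution order from the summary above (individual safe-output, then safe-outputs, then top-level, then the default fallback), written out as an added Go example; it is not the project's getEffectiveGitHubToken or any other code from this pull request. The tokenSources struct, resolveToken, isSecretExpression and the ISSUE_PAT secret name are assumptions, and the secrets-expression check is an extra that the pull request does not describe.

```go
package main

import (
	"fmt"
	"strings"
)

// Fallback expression quoted in the pull request summary.
const defaultToken = "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"

// tokenSources is a hypothetical struct (not the project's WorkflowData).
type tokenSources struct {
	SafeOutput  string // individual safe-output, e.g. create-issue.github-token
	SafeOutputs string // safe-outputs.github-token
	TopLevel    string // top-level github-token
}

// resolveToken returns the first non-blank value in precedence order and the
// level that supplied it, so the choice can be logged or reviewed.
func resolveToken(s tokenSources) (token, level string) {
	for _, c := range []struct{ level, value string }{
		{"safe-output", s.SafeOutput},
		{"safe-outputs", s.SafeOutputs},
		{"top-level", s.TopLevel},
	} {
		if v := strings.TrimSpace(c.value); v != "" {
			return v, c.level
		}
	}
	return defaultToken, "default"
}

// isSecretExpression is an added check (an assumption, not something the pull
// request describes): true only for a ${{ secrets.* }} expression, so a
// literal credential pasted into frontmatter is flagged.
func isSecretExpression(v string) bool {
	v = strings.TrimSpace(v)
	if !strings.HasPrefix(v, "${{") || !strings.HasSuffix(v, "}}") {
		return false
	}
	return strings.HasPrefix(strings.TrimSpace(v[3:len(v)-2]), "secrets.")
}

func main() {
	// Constructed sample: top-level token set, one safe-output overrides it.
	s := tokenSources{TopLevel: "${{ secrets.CUSTOM_PAT }}", SafeOutput: "${{ secrets.ISSUE_PAT }}"}
	token, level := resolveToken(s)
	fmt.Println(level, token, isSecretExpression(token))
}
```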

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan October 18, 2025 03:48
@pelikhan pelikhan marked this pull request as ready for review October 18, 2025 04:04
@github-actions

Agentic Changeset Generator triggered by this pull request.

@pelikhan pelikhan merged commit 134fbb8 into main Oct 18, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/add-github-token-configuration branch October 18, 2025 04:13