Copilot AI commented Jan 11, 2026

Safe-inputs HTTP authorization was incorrectly prefixing API keys with "Bearer ". The API key should be used as-is without modification.

Changes

Authorization header format:

  • Before: Authorization: Bearer $GH_AW_SAFE_INPUTS_API_KEY
  • After: Authorization: $GH_AW_SAFE_INPUTS_API_KEY

Files modified:

  • pkg/workflow/mcp_renderer.go - TOML format renderer
  • pkg/workflow/safe_inputs_renderer.go - JSON format renderer (Copilot/Claude/Custom engines)
  • pkg/workflow/safe_inputs_http_codex_test.go - Test expectations

Example output (TOML):

[mcp_servers.safeinputs]
  type = "http"
  url = "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT"
  headers = { Authorization = "$GH_AW_SAFE_INPUTS_API_KEY" }

Example output (JSON):

{
  "safeinputs": {
    "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT",
    "headers": {
      "Authorization": "$GH_AW_SAFE_INPUTS_API_KEY"
    }
  }
}

Recompiled affected workflows to apply the authorization format change.

Original prompt

Review safe-inputs and update the authorization to use the api key as is. No "Bearer ..." syntax.

  • review all safeinputs code and remove Bearer ...
  • review all compiler code related to safeinputs and avoid Bearer ...

Copilot AI self-assigned this Jan 11, 2026
Copilot AI and others added 2 commits January 11, 2026 05:59
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

Pass the safe inputs api key in the "start MCP gateway" step so that it gets rendered in the configuration pass to the gateway. Then it does not need to be provided to the agentic engine step anymore.

Copilot AI changed the title [WIP] Update safe-inputs authorization to use api key directly Remove Bearer prefix from safe-inputs authorization headers Jan 11, 2026
Copilot AI requested a review from pelikhan January 11, 2026 06:07
@pelikhan

@copilot Pass the safe inputs api key in the "start MCP gateway" step so that it gets rendered in the configuration pass to the gateway. Then it does not need to be provided to the agentic engine step anymore.

Copilot AI commented Jan 11, 2026

@copilot Pass the safe inputs api key in the "start MCP gateway" step so that it gets rendered in the configuration pass to the gateway. Then it does not need to be provided to the agentic engine step...

This is already the current implementation:

  1. The safe-inputs API key is generated in "Start Safe Inputs MCP HTTP Server" step and output as safe_inputs_api_key
  2. It's passed to "Start MCP gateway" step via GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} (in collectMCPEnvironmentVariables() at pkg/workflow/mcp_servers.go:109)
  3. The MCP configuration is rendered with the API key using shell variable expansion ($GH_AW_SAFE_INPUTS_API_KEY)
  4. The API key is NOT provided to the agentic engine execution step (verified in compiled workflows)

The Bearer prefix has been removed in commits 7679fdd and 5585b0f, so the API key is now used as-is in the Authorization header.
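
Added example, not code from this repository: it shows why the header format matters when the receiving server compares the Authorization value to the key verbatim. The middleware `requireAPIKey`, the helper `statusFor` and the sample key are assumptions for illustration; the page does not show how the safe-inputs server validates the header.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAPIKey is a hypothetical middleware: it accepts a request only when the
// Authorization header equals the key byte for byte (no scheme prefix is parsed).
func requireAPIKey(key string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("Authorization")
		// Reject an empty configured key outright, then compare in constant time
		// so the response does not reveal how many leading bytes matched.
		if key == "" || subtle.ConstantTimeCompare([]byte(got), []byte(key)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one in-memory request carrying the given Authorization value
// through requireAPIKey and returns the resulting HTTP status code.
func statusFor(key, header string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	if header != "" {
		req.Header.Set("Authorization", header)
	}
	rec := httptest.NewRecorder()
	requireAPIKey(key, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const key = "constructed-sample-key" // constructed value, not a real secret
	fmt.Println("raw key:      ", statusFor(key, key))
	fmt.Println("Bearer prefix:", statusFor(key, "Bearer "+key))
	fmt.Println("no header:    ", statusFor(key, ""))
}
```
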

@github-actions

github-actions bot commented Jan 11, 2026

💀 Blimey! Changeset Generator failed and walked the plank! No treasure today, matey! ☠️

@github-actions

github-actions bot commented Jan 11, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions bot commented Jan 11, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Jan 11, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

Smoke Test Results - Claude Engine

Last 2 Merged PRs:

Test Results:
✅ GitHub MCP - list_pull_requests
✅ Serena-Go - initial_instructions loaded successfully
✅ Playwright - navigated to github.com (page loaded, title verification blocked by API)
❌ Safe Input gh Tool - gh CLI not authenticated (expected in this environment)
✅ File Writing - created test file successfully
✅ Bash Tool - verified file content

Overall Status: PASS (5/6 tests passed, gh CLI auth expected to fail in this context)

AI generated by Smoke Claude

@pelikhan pelikhan marked this pull request as ready for review January 11, 2026 06:21
@pelikhan pelikhan merged commit 306d2c7 into main Jan 11, 2026
32 of 33 checks passed
@pelikhan pelikhan deleted the copilot/update-safe-inputs-authorization branch January 11, 2026 06:21