-
Notifications
You must be signed in to change notification settings - Fork 225
Description
Summary
When create-pull-request is configured with target-repo and a custom github-token (PAT) in safe-outputs, the compiled safe_outputs job's checkout and git credential steps use the hardcoded ${{ github.token }} instead of the configured token. This causes Not Found errors because the default GITHUB_TOKEN is scoped to the source repository and cannot access the target repository.
This is a remaining bug from #15500, which fixed the repository: and REPO_NAME parameters but did not address the token used for authentication.
Reproduction
Workflow in org/source-repo targeting org/target-repo:
safe-outputs:
github-token: ${{ secrets.CROSS_REPO_PAT }}
create-pull-request:
target-repo: "org/target-repo"
base-branch: main
draft: trueResult: The compiled .lock.yml produces:
- name: Checkout repository
uses: actions/checkout@...
with:
repository: org/target-repo # correct (fixed in #15500)
token: ${{ github.token }} # BUG: ignores safe-outputs github-token
persist-credentials: false
fetch-depth: 1
- name: Configure Git credentials
env:
REPO_NAME: "org/target-repo" # correct (fixed in #15500)
SERVER_URL: ${{ github.server_url }}
GIT_TOKEN: ${{ github.token }} # BUG: same hardcoded tokenThe checkout fails with: Not Found - https://docs.github.com/rest/repos/repos#get-a-repository
Note: The PAT itself is valid — the same token successfully creates issues in the target repo via the create_issue safe-output fallback path, which correctly uses addSafeOutputGitHubTokenForConfig for token resolution.
Root Cause
In pkg/workflow/compiler_safe_outputs_steps.go, the buildSharedPRCheckoutSteps function (consolidated path) hardcodes ${{ github.token }} when GitHub App auth is not configured:
// Line 86-91 (current code)
} else {
checkoutToken = "${{ github.token }}"
gitRemoteToken = "${{ github.token }}"
}This bypasses the token precedence chain that every other safe-output operation respects:
- Per-config
github-token(e.g.,create-pull-request.github-token) - Safe-outputs level
github-token - Top-level
github-token ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
The same bug exists in the non-consolidated path in pkg/workflow/create_pull_request.go line 71:
gitToken := "${{ github.token }}"Proposed Fix
Replace the hardcoded ${{ github.token }} with the existing getEffectiveSafeOutputGitHubToken chain, matching how addSafeOutputGitHubTokenForConfig resolves tokens for all other safe-output operations.
In compiler_safe_outputs_steps.go (buildSharedPRCheckoutSteps):
} else {
var configToken string
if data.SafeOutputs.CreatePullRequests != nil {
configToken = data.SafeOutputs.CreatePullRequests.GitHubToken
}
var safeOutputsToken string
if data.SafeOutputs != nil {
safeOutputsToken = data.SafeOutputs.GitHubToken
}
effectiveToken := getEffectiveSafeOutputGitHubToken(configToken,
getEffectiveSafeOutputGitHubToken(safeOutputsToken, data.GitHubToken))
checkoutToken = effectiveToken
gitRemoteToken = effectiveToken
}In create_pull_request.go (buildCreateOutputPullRequestJob):
var safeOutputsToken string
if data.SafeOutputs != nil {
safeOutputsToken = data.SafeOutputs.GitHubToken
}
gitToken := getEffectiveSafeOutputGitHubToken(
data.SafeOutputs.CreatePullRequests.GitHubToken,
getEffectiveSafeOutputGitHubToken(safeOutputsToken, data.GitHubToken))Tests to add/update:
- Update
TestBuildSharedPRCheckoutSteps"create pull request only" case to expect${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}instead of${{ github.token }} - Add cases: cross-repo with
safe-outputs.github-token, with per-config token, with top-level token, without any custom token - Add integration tests:
TestCreatePullRequestCrossRepoWithCustomTokenandTestCreatePullRequestCrossRepoWithoutCustomToken - Add changeset:
patch-fix-cross-repo-checkout-token.md
Environment
- gh-aw CLI: v0.43.22
- Compiler output at commit
d00dc822f(current main) - Verified locally: all unit tests and integration tests pass with the proposed fix
Related
- Bug:
create-pull-requesttarget-repois ignored by git operations in safe_outputs job #15500 — Fixedrepository:andREPO_NAMEfor cross-repo, but left token hardcoded - Fix: Use target repository for git operations in create-pull-request #15501 — The PR that implemented the Bug:
create-pull-requesttarget-repois ignored by git operations in safe_outputs job #15500 fix (note its "After (correct)" example still showstoken: ${{ github.token }})