Skip to content

Fix: Pass github-token to project safe-output handlers via GH_AW_PROJECT_GITHUB_TOKEN env var #13284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mnkiefer merged 2 commits into from
Feb 2, 2026
Merged

Fix: Pass github-token to project safe-output handlers via GH_AW_PROJECT_GITHUB_TOKEN env var #13284

mnkiefer merged 2 commits into from
Feb 2, 2026

Conversation

Copy link
Contributor

Copilot AI commented Feb 2, 2026
edited
Loading

Project-related safe outputs (update-project, create-project-status-update, create-project) were failing with unhelpful errors when the handler manager couldn't read process.env.GH_AW_PROJECT_GITHUB_TOKEN. The token was configured in frontmatter (github-token: ${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}) and passed in the handler config JSON, but the environment variable wasn't being set by the compiler.

Changes

  • Modified pkg/workflow/compiler_safe_outputs_steps.go: Set GH_AW_PROJECT_GITHUB_TOKEN env var in handler manager step when any project config is present
  • Token precedence: per-config token → top-level token → ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}
  • Coverage: Handles update-project, create-project-status-update, and create-project configs

Before/After

# Before - handler fails with "GH_AW_PROJECT_GITHUB_TOKEN not set"
env:
  GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{...\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\"...}"
  GH_AW_PROJECT_URL: "https://github.com/orgs/myorg/projects/1"

# After - handler can authenticate and surface actual access errors
env:
  GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{...\"github-token\":\"${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}\"...}"
  GH_AW_PROJECT_URL: "https://github.com/orgs/myorg/projects/1"
  GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.SMOKE_PROJECT_GITHUB_TOKEN }}

Real project access failures (insufficient permissions, project not found) are now properly surfaced instead of being masked by token configuration errors.

Original prompt

Check run: https://github.com/githubnext/gh-aw/actions/runs/21593208108/job/62218818703#step:6:63
Project in another org is not accessible. We have actions.secrets token SMOKE_PROJECT_GITHUB_TOKEN, so it should have access. Make sure if errors like this happen, they get surfaced.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@mnkiefer
Fix: Set GH_AW_PROJECT_GITHUB_TOKEN env var for project safe-outputs
5b347c0 
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Check accessibility of projects in another organization Fix: Pass github-token to project safe-output handlers via GH_AW_PROJECT_GITHUB_TOKEN env var Feb 2, 2026
Copilot AI requested a review from mnkiefer February 2, 2026 14:30
@mnkiefer mnkiefer marked this pull request as ready for review February 2, 2026 14:31
@mnkiefer mnkiefer merged commit 70dd002 into main Feb 2, 2026
152 checks passed
@mnkiefer mnkiefer deleted the copilot/surface-access-error-messages branch February 2, 2026 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mnkiefer mnkiefer mnkiefer approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mnkiefer mnkiefer

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mnkiefer