Add test workflow for project-related safe output token failure paths #14682
…lures Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
🔍 PR Triage Results
Category: test | Risk: low | Priority: 55/100
Scores Breakdown
📋 Recommended Action: batch_review
Rationale: This PR adds important test coverage for project-related safe output token failure paths. The changes are low-risk (test files only) and directly contribute to quality and stability by validating error handling. In release mode, test improvements like this align perfectly with our focus on quality.
What This Tests:
Review Recommendation: Ready for review once CI completes. The comprehensive description and clear test cases make this suitable for efficient batch review with other test-related PRs.
Triaged by PR Triage Agent on 2026-02-09 - Run #21836303013
🔍 PR Triage Results - Updated
Category: test | Risk: medium | Priority: 39/100
Scores Breakdown
📋 Recommended Action: BATCH_REVIEW
✅ Batched with PR #14702 as
Changes: Adds test workflow for project-related safe output token failure paths. Validates handling of missing tokens, invalid tokens, and insufficient permissions (1,471 lines across 2 files).
Batch Context: Part of test infrastructure improvements. Both PRs in this batch enhance test coverage for different aspects of the system.
Next Steps:
Status: Previously triaged on 2026-02-09, re-triaged with updated batch assignment.
Triaged by PR Triage Agent on 2026-02-10 00:45 UTC
@copilot Recompile workflow
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Pull request overview
Adds a new agentic test workflow intended to validate failure-path messaging and guardrails for project-related safe outputs when the required Projects-capable token is not provided.
Changes:
- Introduces a new `.md` workflow manifest to document and drive manual `workflow_dispatch` testing for project token failures.
- Adds the compiled `.lock.yml` workflow that runs the agent and processes safe outputs for the three project-related handlers.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/test-project-token-failure.md | New workflow manifest documenting token-failure test cases for update_project, create_project_status_update, and create_project. |
| .github/workflows/test-project-token-failure.lock.yml | Compiled workflow that executes the agent and runs the safe-output processing step for the new test workflow. |
| GH_AW_PROJECT_URL: "https://github.com/orgs/example-org/projects/1" | ||
| GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} | ||
| with: | ||
| github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} |
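Review bot: The secret is wired in twice here, once as the `GH_AW_PROJECT_GITHUB_TOKEN` variable and once as the `github-token:` input on the last line, so the two values can drift apart if either one later gains a fallback. Derive both from a single expression, or add a comment beside `with:` stating that they must stay identical, so that whatever reads the variable sees the same credential the client authenticates with.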
Copilot
AI
Feb 10, 2026
The safe_outputs job passes github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} to actions/github-script. When that secret is intentionally unset (as described in this workflow), this evaluates to an empty string and overrides github-script’s default ${{ github.token }}, so the step will run unauthenticated rather than using the default GITHUB_TOKEN. To actually exercise the “default token lacks Projects v2” failure path, omit github-token or set it to a fallback like ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN || github.token }} (or explicitly ${{ github.token }} to force the default token).
| github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} | |
| github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN || github.token }} |
| project: "https://github.com/orgs/github/projects/24068" | ||
| create-project-status-update: | ||
| max: 1 | ||
| project: "https://github.com/orgs/github/projects/24068" |
Copilot
AI
Feb 10, 2026
The workflow frontmatter hard-codes a real project URL (https://github.com/orgs/github/projects/24068), but the test case examples use https://github.com/orgs/example-org/projects/1 (and the compiled .lock.yml also uses the example-org URL). This inconsistency makes it unclear which project URL is intended for the test and can lead to misleading results if someone follows the examples. Align the frontmatter safe-outputs.*.project values and the example JSON to use the same (preferably placeholder) project URL.
| project: "https://github.com/orgs/github/projects/24068" | |
| create-project-status-update: | |
| max: 1 | |
| project: "https://github.com/orgs/github/projects/24068" | |
| project: "https://github.com/orgs/example-org/projects/1" | |
| create-project-status-update: | |
| max: 1 | |
| project: "https://github.com/orgs/example-org/projects/1" |
| 1. **Token Detection**: The system should detect that authentication is `github-actions[bot]` | ||
| 2. **Early Failure**: Should fail fast with clear error message BEFORE attempting GraphQL queries | ||
| 3. **Actionable Guidance**: Error message should explain: |
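Review bot: Item 1, `Token Detection`, says the system "should detect" the `github-actions[bot]` identity but does not say what evidence shows that it did. Name the observable result, such as the log line or error text expected in the job output, so that this item and `Early Failure` can be marked pass or fail without reading the handler source.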
Copilot
AI
Feb 10, 2026
The “Early Failure” expectation says the run should fail before attempting GraphQL queries, but the current project handlers use GraphQL calls (e.g., viewer { login } for update_project) as part of token identity / permission detection. Consider rewording this to something precise like “fail before project resolution/mutation calls” (or “fail before write operations”) so the success criteria matches the actual execution path.
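The token selection and check ordering raised in the review comments above, modelled as an added example (not code from this PR or the project). The function names, the stand-in client and the placeholder token strings are assumptions; only the secret name and the `github-actions[bot]` login come from the page.

```javascript
// Added example; all names below are hypothetical.

// Mirrors the two expression forms from the review: the secret alone, or
// `secret || default`. An unset secret evaluates to an empty string.
function resolveToken(projectSecret, defaultToken, useFallback) {
  const secret = projectSecret || "";
  return useFallback ? (secret || defaultToken) : secret;
}

// Preflight: identify the token with a read-only query, and stop before any
// project resolution or mutation if it is missing or is the default identity.
function preflight(token, client) {
  if (!token) {
    return { ok: false, reason: "no-token",
      message: "No token supplied; set GH_AW_PROJECT_GITHUB_TOKEN." };
  }
  const login = client.viewerLogin(token);
  if (login === "github-actions[bot]") {
    return { ok: false, reason: "default-token",
      message: "Default token lacks Projects v2 access; set GH_AW_PROJECT_GITHUB_TOKEN." };
  }
  return { ok: true, reason: "project-token", login };
}

// Constructed stand-in for the API client; records the order of calls.
function fakeClient(loginsByToken) {
  const calls = [];
  return {
    calls,
    viewerLogin(token) { calls.push("viewer"); return loginsByToken[token]; },
    updateProject() { calls.push("updateProject"); },
  };
}

// Runs one scenario and reports which path was taken and which calls were made.
function runCase(projectSecret, useFallback) {
  const client = fakeClient({
    DEFAULT_TOKEN_PLACEHOLDER: "github-actions[bot]", // constructed values
    PROJECT_TOKEN_PLACEHOLDER: "example-maintainer",
  });
  const token = resolveToken(projectSecret, "DEFAULT_TOKEN_PLACEHOLDER", useFallback);
  const result = preflight(token, client);
  if (result.ok) client.updateProject();
  return { reason: result.reason, calls: client.calls.join(",") };
}
```

With the secret unset, `runCase("", false)` takes the no-token path without any call, while `runCase("", true)` reaches the default-token path after one identity query and still makes no mutation.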