Rename app: to github-app: with codemod#19295
Merged
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Rename 'app:' to 'github-app:' in configuration
Rename Mar 3, 2026
app: to github-app: with deprecation and codemod
Contributor
There was a problem hiding this comment.
Pull request overview
Renames the GitHub App auth configuration key from app: to github-app: across workflow schema, parsing, docs, and adds a codemod while keeping backward compatibility.
Changes:
- Added
github-app:as the preferred field (withapp:deprecated but still supported) in schema and parsers. - Added a codemod (
gh aw fix/gh aw upgrade) to migrateapp:→github-app:in supported sections. - Updated documentation/spec examples to use
github-app:.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| scratchpad/github-mcp-access-control-specification.md | Updates spec section and YAML examples to github-app:. |
| pkg/workflow/tools_parser.go | Prefers github-app over deprecated app when parsing GitHub tool config. |
| pkg/workflow/safe_outputs_config.go | Prefers github-app over deprecated app when parsing safe-outputs config. |
| pkg/workflow/mcp_github_config.go | Detects GitHub App config via either github-app or deprecated app. |
| pkg/workflow/checkout_manager.go | Accepts both keys for checkout app auth and improves error message specificity. |
| pkg/parser/schemas/main_workflow_schema.json | Introduces github-app and retains deprecated app definitions in schema. |
| pkg/cli/fix_codemods.go | Registers the new GitHub App codemod. |
| pkg/cli/codemod_github_app_test.go | Adds unit tests for the new codemod behavior. |
| pkg/cli/codemod_github_app.go | Implements codemod to rename app: → github-app: in frontmatter. |
| docs/src/content/docs/reference/safe-outputs-specification.md | Updates safe-outputs examples to github-app:. |
| docs/src/content/docs/reference/frontmatter-full.md | Regenerates reference frontmatter docs including new github-app: and deprecated app:. |
| docs/src/content/docs/reference/cross-repository.md | Updates checkout example to github-app:. |
| docs/src/content/docs/reference/auth.mdx | Updates auth examples and narrative to github-app:. |
| .github/aw/github-agentic-workflows.md | Updates agentic workflows docs to reference github-app:. |
Comments suppressed due to low confidence (1)
docs/src/content/docs/reference/frontmatter-full.md:2933
- After renaming the configuration key to
github-app, telling users to use'app'for GitHub App auth is likely to be confusing (it reads like the deprecated field name). If'app'is a literal sentinel value in this specific setting, consider clarifying that it’s a value (not the deprecated config key) or renaming the sentinel to'github-app'for consistency, if supported.
# Use a secret expression (e.g. '${{ secrets.CI_TOKEN }}') for a custom token, or
# 'app' for GitHub App auth.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pkg/cli/codemod_github_app.go
Outdated
Comment on lines
+179
to
+183
| // isDirectChild returns true if childIndent is exactly one indentation level deeper than parentIndent. | ||
| // It handles both spaces and tabs but assumes consistent indentation within a file. | ||
| func isDirectChild(childIndent, parentIndent string) bool { | ||
| return len(childIndent) > len(parentIndent) | ||
| } |
There was a problem hiding this comment.
The implementation doesn’t match the function name or comment: it returns true for any descendant indentation, not “exactly one indentation level deeper.” This makes the codemod behavior harder to reason about and increases the risk of renaming app: keys deeper inside the target blocks than intended. Either tighten the check to reflect “direct child” (and update callers accordingly) or rename/update the comment to reflect that it’s a generic descendant check.
| @@ -8059,7 +8117,7 @@ | |||
| "description": "GitHub token for authentication. Use ${{ secrets.MY_TOKEN }} to reference a secret. Mutually exclusive with app. Credentials are always removed after checkout (persist-credentials: false is enforced).", | |||
There was a problem hiding this comment.
This schema description still says “Mutually exclusive with app” even though the primary field is now github-app (with app deprecated). Update the wording to avoid confusing users—e.g., “Mutually exclusive with github-app (and deprecated app).”
Suggested change
| "description": "GitHub token for authentication. Use ${{ secrets.MY_TOKEN }} to reference a secret. Mutually exclusive with app. Credentials are always removed after checkout (persist-credentials: false is enforced).", | |
| "description": "GitHub token for authentication. Use ${{ secrets.MY_TOKEN }} to reference a secret. Mutually exclusive with github-app (and deprecated app). Credentials are always removed after checkout (persist-credentials: false is enforced).", |
Contributor
|
@copilot merge main and fix test https://github.com/github/gh-aw/actions/runs/22603792584/job/65491624997 |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Merged main and fixed the failing tests in 38806e2. The Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Contributor
|
@copilot apply comments |
…checkout array test Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Applied all 4 reviewer comments in eb04c50:
|
Contributor
|
@copilot completely remove deprecated "app" field |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Completely removed the deprecated
Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Copilot
AI
changed the title
Rename
Rename Mar 3, 2026
app: to github-app: with deprecation and codemodapp: to github-app: with codemod
Contributor
|
@copilot do a deep code review, rename Go field "App" to "GitHubApp" |
Contributor
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
Contributor
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Contributor
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
Contributor
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
Contributor
|
Commit pushed:
|
Contributor
|
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident... |
Contributor
Smoke Test Results - Run §22606038320
Overall: PARTIAL (16 passed, 1 skipped)
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
Contributor
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Fixed in 29d8b46:
|
Contributor
|
@copilot Fix tests |
…itHubApp in imports Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Fixed in e0c7504. The test failures were:
Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
github-actions bot
pushed a commit
that referenced
this pull request
Mar 3, 2026
- Fix safe-outputs.md: update section heading from deprecated `app:` to `github-app:` to match the rename in #19295 - Add 'Workflow Job Timed Out' entry to common-issues.md documenting the new timeout detection and frontmatter hint from #19307 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
github-app:field support alongsideapp:(deprecated)github-app:fieldcodemod_github_app.gofix_codemods.gofix_codemods_test.goto expect 26 codemodsapp:fieldApp→GitHubAppin all structs and update all referencesschema_compiler.go: add"github-app"tosafeOutputMetaFields(was"app")imports.go: addGitHubAppmerge logic inmergeSafeOutputConfiggithub_mcp_app_token_test.go: update expected error message fromtools.github.apptotools.github.github-appschema_test.go: update meta field check from"app"to"github-app"Original prompt
app:togithub-app:#19291💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.
Rename
app:togithub-app:with codemodgithub-app:field support alongsideapp:(deprecated)github-app:fieldcodemod_github_app.gofix_codemods.gofix_codemods_test.goto expect 26 codemodsapp:fieldApp→GitHubAppin all structs and update all references:tools_types.go:GitHubToolConfig.App→GitHubApp, yaml tag"github-app,omitempty"compiler_types.go:SafeOutputsConfig.App→GitHubApp, yaml tag"github-app,omitempty"checkout_manager.go:CheckoutConfig.App→GitHubApp, json tag"github-app,omitempty";resolvedCheckout.app→githubAppapp:togithub-app:Original prompt
app:togithub-app:#19291💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey]((gh.io/redacted)
Changeset
app:workflow field togithub-app:and added the codemod plus schema/Go updates to keep tooling in sync.Warning
The following domain was blocked by the firewall during workflow execution:
github.comTo allow these domains, add them to the
network.allowedlist in your workflow frontmatter:See Network Configuration for more information.
✨ PR Review Safe Output Test - Run 22606038320