fix: activate GitHub App configuration in shared workflow configs #21329
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]
| # app-id: ${{ vars.APP_ID }} | ||
| # private-key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| safe-outputs: | ||
| app: |
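Review bot: `app:` on the last line of this hunk is not the key the safe-outputs parser reads. Per the reply below, the parser looks up `outputMap["github-app"]` in `safe_outputs_config.go`, so a block named `app:` is skipped without any error. Rename it to `github-app:`, and consider having the parser reject unknown keys under `safe-outputs:` so that a misnamed authentication block fails compilation instead of silently disabling GitHub App authentication.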
Fixed in 144aa46 — renamed app: to github-app: to match the field name the Go parser expects (outputMap["github-app"] in safe_outputs_config.go). Also fixed a pre-existing off-by-one in the token insertion index that was exposed once the app config became active (hardcoded 6 for checkout step vs actual 7 lines in dev mode).
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
… consolidated safe outputs job Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.
Warning: Firewall rules blocked me from connecting to one or more addresses.
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
@copilot import safe-output-map.md in the changeset.md agentic workflow
Pull request overview
Enables GitHub App authentication for safe-outputs by activating the shared app configuration and fixing step insertion so the minted token is injected at the correct position in generated workflows.
Changes:
- Uncomment/activate `safe-outputs.github-app` configuration in the shared `safe-output-app.md`.
- Fix safe-outputs job compilation logic to compute the GitHub App token step insertion index from actual generated step YAML lengths.
- Regenerate affected workflow lock files to include “Generate GitHub App token” / “Invalidate GitHub App token” steps; add a wasm golden fixture mirror for the shared config.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/shared/safe-output-app.md | Activates the safe-outputs.github-app config so workflows actually mint an app token for safe-outputs. |
| pkg/workflow/compiler_safe_outputs_job.go | Adjusts insertion-index calculation to use real generated step lengths (instead of hardcoded counts). |
| .github/workflows/artifacts-summary.lock.yml | Regenerated lock file now uses the minted app token for safe-outputs steps and revokes it afterward. |
| .github/workflows/changeset.lock.yml | Regenerated lock file now uses the minted app token for safe-outputs steps and revokes it afterward. |
| .github/workflows/daily-file-diet.lock.yml | Regenerated lock file now uses the minted app token for safe-outputs steps and revokes it afterward. |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Regenerated lock file now uses the minted app token for safe-outputs steps and revokes it afterward. |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Regenerated lock file now uses the minted app token for safe-outputs steps and revokes it afterward. |
| pkg/workflow/testdata/wasm_golden/fixtures/shared/safe-output-app.md | Adds a wasm golden fixture mirror of the shared safe-output app configuration (kept commented). |
| @@ -266,10 +266,8 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa | |||
| // Count setup action steps (checkout + setup if in dev mode without action-tag, or just setup) | |||
| setupActionRef := c.resolveActionReference("./actions/setup", data) | |||
| if setupActionRef != "" { | |||
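Review bot: the comment on the first line of this hunk still talks about counting setup action steps per mode, which is the assumption behind the hardcoded counts that broke in dev mode. If the index is now derived from the generated step lines, reword the comment to say that, and add a compiler test that builds the safe-outputs job in dev mode with a GitHub App configured and asserts that "Generate GitHub App token" starts its own step rather than absorbing a line from the preceding one.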
| @@ -0,0 +1,31 @@ | |||
| --- | |||
| #safe-outputs: | |||
| # app: | |||
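Review bot: the commented block in this new fixture uses `# app:` under `#safe-outputs:`, which is the field name this PR replaces with `github-app` in the active shared config. It is harmless while commented, but anyone who uncomments the fixture gets a key the parser ignores; use `# github-app:` here so the mirror matches the real file.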
@copilot update app-config.md and activation-app.md to use the github-app field instead of app
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot rewrite
…ted lock files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in 6eb3e2b — uncommented the
Warning: Firewall rules blocked me from connecting to one or more addresses.
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Several shared workflow configs had GitHub App configuration either commented out or using the wrong field name, causing workflows that import them to silently skip GitHub App authentication.
Changes
- `shared/safe-output-app.md` — uncomment `safe-outputs.github-app` block (using the correct field name that the Go parser expects):
- `shared/app-config.md` — rename `safe-outputs.app` → `safe-outputs.github-app` to match the Go parser's expected field name (`outputMap["github-app"]` in `safe_outputs_config.go`).
- `shared/activation-app.md` — uncomment `on.github-app:` block to activate GitHub App authentication for the activation job in all 11 importing workflows (`code-simplifier`, `dead-code-remover`, `ubuntu-image-analyzer`, `daily-testify-uber-super-expert`, `breaking-change-checker`, `daily-rendering-scripts-verifier`, `code-scanning-fixer`, `issue-monster`, `slide-deck-maintainer`, `daily-file-diet`, `daily-safe-output-optimizer`).
- `pkg/workflow/compiler_safe_outputs_job.go` — fix off-by-one bug in the app token step insertion index: replace hardcoded step counts (`6` for checkout, `4` for setup) with actual `len()` calls against the real step-generation functions. The hardcoded `6` was wrong for dev mode, which generates 7 lines (includes `repository:`), causing the `echo "GH_AW_AGENT_OUTPUT=..."` line to be embedded inside the `with:` block of `create-github-app-token` instead of in its own step.
- `Generate GitHub App token` and `Invalidate GitHub App token` steps (or `Generate GitHub App token for skip-if checks`) with correct YAML structure.
- `testdata/wasm_golden/fixtures/shared/safe-output-app.md` — added fixture mirror with config kept commented out, consistent with the `github-mcp-app.md` fixture convention.
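The off-by-one described above, reproduced as an added example (not code from the pull request or the project): the step lines, step names and `<pinned-sha>` placeholders are constructed, and `checkoutStep`, `buildSteps` and `ownerOf` are hypothetical helpers. With a 7-line dev-mode checkout, the hardcoded index inserts the token step one line early, so the `echo` line ends up under the token step's `with:` block.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed YAML lines: step names, contents and line counts are assumptions.
func checkoutStep(dev bool) []string {
	s := []string{"- name: Checkout actions folder", "  uses: actions/checkout@<pinned-sha>", "  with:"}
	if dev {
		s = append(s, "    repository: example-org/example-repo") // 7th line, dev mode only
	}
	return append(s, "    sparse-checkout: actions", "    persist-credentials: false", "    fetch-depth: 1")
}

var (
	setupStep = []string{"- name: Setup scripts", "  uses: ./actions/setup", "  with:", "    destination: /tmp/actions"}
	envStep   = []string{"- name: Set agent output path", "  run: |", `    echo "GH_AW_AGENT_OUTPUT=..."`}
	tokenStep = []string{"- name: Generate GitHub App token", "  uses: actions/create-github-app-token@<pinned-sha>", "  with:", "    app-id: ${{ vars.APP_ID }}", "    private-key: ${{ secrets.APP_PRIVATE_KEY }}"}
)

// buildSteps inserts the token step after the env step, at a hardcoded or measured line index.
func buildSteps(dev, hardcoded bool) []string {
	checkout := checkoutStep(dev)
	steps := append(append(append([]string{}, checkout...), setupStep...), envStep...)
	idx := len(checkout) + len(setupStep) + len(envStep) // measured from the generated lines
	if hardcoded {
		idx = 6 + 4 + len(envStep) // old assumption: checkout is always 6 lines
	}
	return append(append(append([]string{}, steps[:idx]...), tokenStep...), steps[idx:]...)
}

// ownerOf names the step whose block contains the first line matching needle.
func ownerOf(steps []string, needle string) (owner string) {
	for _, line := range steps {
		if strings.HasPrefix(line, "- name: ") {
			owner = strings.TrimPrefix(line, "- name: ")
		}
		if strings.Contains(line, needle) {
			return owner
		}
	}
	return ""
}

func main() {
	fmt.Println(ownerOf(buildSteps(true, true), "GH_AW_AGENT_OUTPUT"), "|", ownerOf(buildSteps(true, false), "GH_AW_AGENT_OUTPUT"))
}
```

Outside dev mode the hardcoded index happens to be correct, so a check like `ownerOf` only catches the regression if the test compiles the job in dev mode.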