Move APM packaging into own job with minimal permissions#22738
- Add APMJobName constant to pkg/constants/constants.go
- Create compiler_apm_job.go with buildAPMJob() and buildAPMJobWrapper()
- Remove APM steps from activation job (compiler_activation_job.go)
- Add apm to agent job's needs in compiler_main_job.go
- Call buildAPMJobWrapper from buildJobs in compiler_jobs.go
- Update APM compilation tests to check new APM job structure
- Recompile all 177 workflow lock files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/585cea56-aa1b-489a-9220-9d62657b0bda
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke Test Results — §23509681603
Overall:
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Smoke Test Run 23509681612 — Results: Core: ✅✅✅✅✅✅✅✅✅✅✅ Overall: PARTIAL (tests #15 and #18 skipped — no threads/test-PR to act on)
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| // the packed bundle so the agent job can download and restore it. | ||
| // | ||
| // The APM job uses minimal permissions ({}) because all required tokens are passed | ||
| // explicitly via env/secrets rather than relying on the workflow's GITHUB_TOKEN scope. |
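Review bot: the comment "The APM job uses minimal permissions ({}) because all required tokens are passed explicitly via env/secrets" should also say where the explicit token comes from when no GitHub App is configured. With `permissions: {}` the job's automatic GITHUB_TOKEN is issued with no scopes, so a pack step that falls back to `${{ secrets.GITHUB_TOKEN }}` would only be able to fetch public dependencies, and a reader of the lock file cannot tell from this text whether that fallback exists. Suggest naming the secret or output the pack step reads its token from, and stating what happens when it is unset.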
Good separation of concerns — moving APM packaging into its own buildAPMJob function makes the activation job cleaner and the APM logic easier to test in isolation.
| @@ -641,6 +641,7 @@ var DangerousPropertyNames = []string{ | |||
|
|
|||
| const AgentJobName JobName = "agent" | |||
| const ActivationJobName JobName = "activation" | |||
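Review bot: the hunk header `@@ -641,6 +641,7 @@` records one added line next to `const AgentJobName JobName = "agent"` and `const ActivationJobName JobName = "activation"`, but the added `APMJobName` line itself is not in the excerpt. Keep it in the same const block, and since the string "apm" is also what the agent job's `needs` list must reference, add a comment there (or a test on the compiled lock file) tying the two together so the job name and the `needs` entry cannot drift apart.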
The new APMJobName constant follows the existing naming pattern (AgentJobName, ActivationJobName, etc.) — consistent style.
Commit pushed:
Smoke test (run 23509681637):
Summary

Moves APM (Agent Package Manager) packing out of the activation job into a new dedicated `apm` job, and gives it minimal permissions.

What changed

New `apm` job:
- `needs: activation` — runs after activation, getting `needs.activation.outputs.target_repo_name` for cross-org `workflow_call` fallback (replacing the old `steps.resolve-host-repo.outputs.target_repo_name` reference)
- `permissions: {}` — minimal permissions; all tokens are passed explicitly via secrets/env (no `GITHUB_TOKEN` scope needed: `microsoft/apm-action` uses the explicit `GITHUB_TOKEN` env, `actions/upload-artifact` uses `ACTIONS_RUNTIME_TOKEN`, `actions/create-github-app-token` uses app credentials from secrets, and token revocation uses the minted token directly)
- `microsoft/apm-action` pack step, bundle artifact upload, GitHub App token invalidation step (if configured)

Agent job: now `needs: [activation, apm]` when APM dependencies are configured (mirrors the existing `indexing` job pattern). `activation` stays in needs so `needs.activation.outputs.*` expressions remain resolvable.

Activation job: APM pack/upload/token steps and `GH_AW_INFO_APM_VERSION` job env are removed.

Files changed
- `pkg/constants/constants.go` — added `APMJobName JobName = "apm"`
- `pkg/workflow/compiler_apm_job.go` — new file: `buildAPMJob()` + `buildAPMJobWrapper()`
- `pkg/workflow/compiler_jobs.go` — call `buildAPMJobWrapper()` when APM is configured
- `pkg/workflow/compiler_activation_job.go` — remove APM steps and env var
- `pkg/workflow/compiler_main_job.go` — add `apm` to agent job `needs`
- `pkg/workflow/apm_dependencies_compilation_test.go` — updated assertions to check APM job
- `pkg/workflow/compiler_activation_jobs_test.go` — moved token invalidation test to `TestBuildAPMJob_TokenInvalidation`
- `pkg/workflow/top_level_github_app_integration_test.go` — updated comment
- `.lock.yml` files recompiled

✨ PR Review Safe Output Test - Run 23509681612
Changeset
`apm` job with minimal permissions and updates agent job dependencies to consume APM outputs.
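The description above rests on three invariants of the compiled lock file: the `apm` job requests no token scopes, the pack step receives its token explicitly rather than through the automatic token, and the `agent` job waits for both `activation` and `apm`. The Go below is an added example of a check that enforces those invariants; it is not gh-aw's own code. It models a compiled workflow with hypothetical `Step`, `Job` and `Workflow` types instead of parsing YAML, assumes (from the PR description) that `microsoft/apm-action` reads its token from a `GITHUB_TOKEN` env key, and relies on the fact that a job declaring `permissions: {}` gets an automatic GITHUB_TOKEN with no scopes. The two sample workflows are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Step is a minimal model of one compiled workflow step (assumed shape, not
// gh-aw's own types).
type Step struct {
	Uses string
	Env  map[string]string
}

// Job keeps only the fields the check inspects. A nil Permissions map models a
// job with no permissions: key (inherits the workflow default); an empty,
// non-nil map models permissions: {}.
type Job struct {
	Needs       []string
	Permissions map[string]string
	Steps       []Step
}

// Workflow maps job name -> job, mirroring the jobs: block of a lock file.
type Workflow map[string]Job

// tokenEnvFor names the env key each token-consuming action reads. Only the
// pack action from the PR is listed (assumption); extend as needed.
var tokenEnvFor = map[string]string{
	"microsoft/apm-action": "GITHUB_TOKEN",
}

func hasNeed(needs []string, want string) bool {
	for _, n := range needs {
		if n == want {
			return true
		}
	}
	return false
}

// CheckAPMJob verifies the invariants the refactor relies on and returns one
// message per violation; an empty result means the lock file is consistent.
func CheckAPMJob(wf Workflow) []string {
	var problems []string
	apm, ok := wf["apm"]
	if !ok {
		return problems // no APM dependencies configured: nothing to check
	}
	// 1. The job must request no GITHUB_TOKEN scopes at all.
	if apm.Permissions == nil || len(apm.Permissions) != 0 {
		problems = append(problems, "apm: permissions must be {} (found inherited or non-empty permissions)")
	}
	// 2. needs.activation.outputs.* only resolves if activation is a direct need.
	if !hasNeed(apm.Needs, "activation") {
		problems = append(problems, "apm: needs must include activation")
	}
	// 3. Every token consumer must get an explicit token, and that token must
	//    not be the automatic one, which carries no scopes under permissions: {}.
	for i, s := range apm.Steps {
		for prefix, key := range tokenEnvFor {
			if !strings.HasPrefix(s.Uses, prefix) {
				continue
			}
			v := s.Env[key] // lookup on a nil map safely yields ""
			switch {
			case v == "":
				problems = append(problems, fmt.Sprintf("apm step %d (%s): %s env not set", i, s.Uses, key))
			case strings.Contains(v, "secrets.GITHUB_TOKEN"):
				problems = append(problems, fmt.Sprintf("apm step %d (%s): %s is the automatic token, which has no scopes under permissions: {}", i, s.Uses, key))
			}
		}
	}
	// 4. The agent job must wait for both producers of the state it restores.
	agent, ok := wf["agent"]
	if !ok {
		return append(problems, "agent job missing")
	}
	for _, want := range []string{"activation", "apm"} {
		if !hasNeed(agent.Needs, want) {
			problems = append(problems, "agent: needs must include "+want)
		}
	}
	return problems
}

// GoodWorkflow is a constructed lock-file model matching the PR description:
// the pack step uses a minted app token, not the automatic one.
func GoodWorkflow() Workflow {
	return Workflow{
		"activation": {Permissions: map[string]string{"contents": "read"}},
		"apm": {
			Needs:       []string{"activation"},
			Permissions: map[string]string{},
			Steps: []Step{
				{Uses: "actions/create-github-app-token@v1"},
				{Uses: "microsoft/apm-action@v1", Env: map[string]string{"GITHUB_TOKEN": "${{ steps.app-token.outputs.token }}"}},
				{Uses: "actions/upload-artifact@v4"},
			},
		},
		"agent": {Needs: []string{"activation", "apm"}},
	}
}

// BadWorkflow is a constructed regression: the pack step falls back to the
// automatic token and the agent job lost its dependency on apm.
func BadWorkflow() Workflow {
	wf := GoodWorkflow()
	wf["apm"].Steps[1].Env["GITHUB_TOKEN"] = "${{ secrets.GITHUB_TOKEN }}"
	wf["agent"] = Job{Needs: []string{"activation"}}
	return wf
}

func main() {
	for _, p := range CheckAPMJob(BadWorkflow()) {
		fmt.Println(p)
	}
}
```

Running it against a real lock file would mean replacing `GoodWorkflow` with a YAML loader that fills the same three types; the checks themselves do not change. The point of check 3 is that `permissions: {}` is only a hardening if no step silently reaches for `secrets.GITHUB_TOKEN`, which is exactly the case the lock-file text alone does not make visible.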