[WIP] Fix GH_TOKEN configuration in create_pull_request jobs

[Copilot]

Fix GH_TOKEN configuration in create_pull_request safe output jobs

Problem Analysis

The create_pull_request safe output job uses git push commands in the JavaScript script (pkg/workflow/js/create_pull_request.cjs line 385) which require GH_TOKEN environment variable for authentication. Currently, the token is only passed to the GitHub Script action via with: github-token:, but the actual git CLI commands inside the script don't have access to GH_TOKEN as an environment variable.

Root Cause

In pkg/workflow/create_pull_request.go, the buildCreateOutputPullRequestJob function:

1. Uses buildGitHubScriptStep to create the main PR creation step
2. This passes token via with: github-token: parameter (for GitHub API calls)
3. But doesn't set GH_TOKEN env var needed by git push commands in the script

Reviewer steps (lines 133, 142) correctly set GH_TOKEN as env var, but main create step doesn't.

Solution Plan

• Explore repository structure and understand the issue
• Identify the root cause in pkg/workflow/create_pull_request.go
• Add GH_TOKEN environment variable to the customEnvVars in buildCreateOutputPullRequestJob
• Use the same token resolution logic as reviewer steps (getEffectiveGitHubToken)
• Write/update tests to verify GH_TOKEN is present in compiled workflow
• Verify existing workflows compile correctly with the fix
• Run make test to ensure no regressions

Files to Modify

• pkg/workflow/create_pull_request.go - Add GH_TOKEN env var to customEnvVars
• Tests as needed to verify the fix

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[task] Fix GH_TOKEN configuration in create_pull_request safe output jobs</issue_title>
<issue_description>## Objective
Fix the missing GH_TOKEN environment variable configuration that causes create_pull_request safe output jobs to fail with "GH_TOKEN environment variable is required" errors.

Context

Analysis of safe output health shows 46% of create_pull_request failures (6 out of 13) are caused by missing GH_TOKEN configuration. The token variable is defined but not populated with an actual value, causing GitHub CLI commands to fail. This is the primary cause of the 50% failure rate for create_pull_request jobs.

Related to discussion #2532 (Safe Output Health Report).

Approach

1. Audit all workflow files in .github/workflows/ that use create_pull_request safe output
2. Identify workflows with missing or empty GH_TOKEN configuration
3. Update each affected workflow to include proper token passing:

   env:
     GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

4. Verify token permissions include pull_requests: write and issues: write in workflow permissions
5. Test fixes with affected workflows: Q, Tidy, Daily Documentation Updater, Duplicate Code Detector

Files to Modify

• Audit: .github/workflows/*.md files using safe-outputs.create-pull-request
• Update: Workflow files identified with missing GH_TOKEN
• Possible: .github/workflow-templates/ if templates are affected

Acceptance Criteria

• All workflows using create_pull_request have GH_TOKEN properly configured
• No workflow runs fail with "GH_TOKEN environment variable is required" error
• Test at least 3 affected workflows successfully create pull requests
• Update documentation if needed to prevent future occurrences
  Related to 🏥 Safe Output Health Report - October 26, 2025 #2532

AI generated by Plan Command for discussion #2532</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [task] Fix GH_TOKEN configuration in create_pull_request safe output jobs #2533

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.