
fix: github-app auth support in SideRepoOps maintenance workflow generator #43406

Draft
pelikhan with Copilot wants to merge 4 commits into main from copilot/fix-gh-app-checkout-auth

Conversation

Copilot AI commented Jul 4, 2026


When a source workflow uses github-app: for cross-repo checkout auth, the generated agentics-maintenance-<owner>-<repo>.yml silently fell back to ${{ secrets.GH_AW_GITHUB_TOKEN }} — a secret App-only consumers never set — causing 100% failure on every scheduled run.

Changes

pkg/workflow/side_repo_maintenance.go

  • SideRepoTarget: add GitHubApp *GitHubAppConfig field (mutually exclusive with GitHubToken, matching CheckoutConfig)
  • collectSideRepoTargets: replace tokenByRepo map[string]string with a sideRepoAuth struct tracking both token and app config; first-seen auth wins, later occurrences upgrade only from "no auth" → "has auth"; logs when a conflicting later auth is ignored
  • effectiveSideRepoToken: returns ${{ steps.side-repo-app-token.outputs.token }} when GitHubApp != nil
  • sideRepoAppTokenMintStepYAML: new helper that builds the create-github-app-token step YAML by delegating to the existing buildGitHubAppTokenMintStepWithMeta infrastructure
  • generateSideRepoMaintenanceWorkflow: injects the mint step as the first step of each cross-repo job (close-expired-entities, apply_safe_outputs, create_labels, activity_report) when app auth is configured; validate_workflows keeps GITHUB_TOKEN (own-repo only)

Example

A source workflow like:

checkout:
  - repository: microsoft/aspire.dev
    github-app:
      app-id: ${{ secrets.ASPIRE_BOT_APP_ID }}
      private-key: ${{ secrets.ASPIRE_BOT_PRIVATE_KEY }}
      owner: "microsoft"
      repositories: [aspire.dev, aspire]
    current: true

now generates maintenance jobs with:

    steps:
      - name: Generate GitHub App token
        id: side-repo-app-token
        uses: actions/create-github-app-token@...
        with:
          client-id: ${{ secrets.ASPIRE_BOT_APP_ID }}
          private-key: ${{ secrets.ASPIRE_BOT_PRIVATE_KEY }}
          owner: microsoft
          repositories: |-
            aspire.dev
            aspire
          github-api-url: ${{ github.api_url }}
      - name: Apply Safe Outputs
        ...
        with:
          github-token: ${{ steps.side-repo-app-token.outputs.token }}

${{ secrets.GH_AW_GITHUB_TOKEN }} is preserved as the fallback only when neither github-token: nor github-app: is configured.

Tests

  • Unit tests for collectSideRepoTargets covering app config collection, upgrade-from-nothing, and first-seen-wins semantics
  • Unit tests for all three effectiveSideRepoToken paths
  • Integration test: App auth flow (verifies mint step, credentials, token in github-token: and GH_TOKEN:, ordering)
  • Integration test: App auth + expires combo (verifies close-expired-entities also receives the mint step)
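An added illustration of the resolution rules the description lists (first-seen auth wins, a later entry only upgrades a repo from "no auth", conflicts are logged, and the three effectiveSideRepoToken paths). This is not the PR's code: the type and field names are assumed, and the real pkg/workflow types differ.

```go
package main

import "fmt"

// GitHubAppConfig mirrors a checkout entry's github-app: block (field names assumed).
type GitHubAppConfig struct{ AppID, PrivateKey, Owner string }

// sideRepoAuth is the auth recorded per side repo: a github-token: expression or a github-app: config.
type sideRepoAuth struct {
	Token string
	App   *GitHubAppConfig
}
func (a sideRepoAuth) hasAuth() bool { return a.Token != "" || a.App != nil }

type CheckoutEntry struct { // one item of the source workflow's checkout: list (shape assumed)
	Repository   string
	sideRepoAuth // github-token: or github-app: of the entry (mutually exclusive)
}

// collectSideRepoAuth: first-seen auth wins; later entries only upgrade "no auth" to "has auth"; a conflicting later auth is ignored but logged.
func collectSideRepoAuth(entries []CheckoutEntry, logf func(string, ...any)) map[string]sideRepoAuth {
	byRepo := map[string]sideRepoAuth{}
	for _, e := range entries {
		existing, seen := byRepo[e.Repository]
		switch {
		case !seen || (!existing.hasAuth() && e.hasAuth()):
			byRepo[e.Repository] = e.sideRepoAuth
		case existing.hasAuth() && e.hasAuth() && e.sideRepoAuth != existing:
			logf("checkout auth for %s ignored: first-seen auth wins", e.Repository)
		}
	}
	return byRepo
}

// effectiveSideRepoToken: the github-token:/GH_TOKEN: expression; GH_AW_GITHUB_TOKEN is the fallback only when neither token nor app is set.
func effectiveSideRepoToken(a sideRepoAuth) string {
	if a.App != nil {
		return "${{ steps.side-repo-app-token.outputs.token }}" // minted by the injected step
	}
	if a.Token != "" {
		return a.Token
	}
	return "${{ secrets.GH_AW_GITHUB_TOKEN }}"
}

func main() { // constructed sample: the PR's aspire.dev checkout, then a conflicting token entry
	entries := []CheckoutEntry{{"microsoft/aspire.dev", sideRepoAuth{App: &GitHubAppConfig{Owner: "microsoft"}}}, {"microsoft/aspire.dev", sideRepoAuth{Token: "${{ secrets.OTHER }}"}}}
	auth := collectSideRepoAuth(entries, func(f string, v ...any) { fmt.Printf(f+"\n", v...) })
	fmt.Println(effectiveSideRepoToken(auth["microsoft/aspire.dev"])) // ${{ steps.side-repo-app-token.outputs.token }}
}
```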

Copilot AI and others added 3 commits July 4, 2026 16:17
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…generator

When a source workflow authenticates its cross-repo checkout with a GitHub App,
the generated agentics-maintenance-<owner>-<repo>.yml now emits a
create-github-app-token mint step at the top of each cross-repo job and uses
the minted token (${{ steps.side-repo-app-token.outputs.token }}) for all
github-token: inputs and GH_TOKEN: env vars.

Changes:
- SideRepoTarget: add GitHubApp *GitHubAppConfig field
- collectSideRepoTargets: track both GitHubToken and GitHubApp from checkout
  configs with upgrade-from-nothing semantics (first-seen auth wins)
- effectiveSideRepoToken: return minted token ref when GitHubApp != nil
- sideRepoAppTokenMintStepYAML: new helper that builds the create-github-app-token
  step YAML reusing the existing buildGitHubAppTokenMintStepWithMeta infrastructure
- generateSideRepoMaintenanceWorkflow: inject mint step as first step in each
  cross-repo job (close-expired-entities, apply_safe_outputs, create_labels,
  activity_report) when GitHubApp is configured
- Add unit tests for new collectSideRepoTargets and effectiveSideRepoToken paths
- Add two integration tests: basic App auth flow and App auth + expires combo

Closes #43021

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Add log message when a later checkout auth is ignored for the same repo
  (first-seen wins; makes the choice traceable via maintenanceLog)
- Rename test: 'first-seen auth wins' → 'later auth does not override existing auth'
- Add assertions in integration test that minted token appears in
  github-token: inputs and GH_TOKEN: env vars in generated cross-repo steps

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix SideRepoOps maintenance workflow GitHub App checkout auth" to "fix: github-app auth support in SideRepoOps maintenance workflow generator" Jul 4, 2026
Copilot AI requested a review from pelikhan July 4, 2026 16:33

github-actions Bot commented Jul 4, 2026


🤖 PR Triage — Run §28715668077

Field     Value
Category  bug
Risk      🟡 Medium
Score     60/100
Impact    30/50
Urgency   20/30
Quality   10/20
Action    batch_review
Batch     pr-batch:go-bugfix

Fixes github-app auth in SideRepoOps maintenance workflow generator. +90/-15 Go logic, +122+170 test lines. Medium risk (auth path). Batch with go-bugfix group.

Generated by 🔧 PR Triage Agent · 113.5 AIC · ⌖ 13 AIC · ⊞ 5.5K


Development

Successfully merging this pull request may close these issues.

SideRepoOps maintenance workflow ignores github-app checkout auth and falls back to unset GH_AW_GITHUB_TOKEN