Add optional target-repo + vault token support for selected scheduled create-issue workflows#699

Closed
strawgate wants to merge 5 commits into main from add-vault-token-injection

Conversation

@strawgate
Collaborator

Summary

  • add optional target-repo and token-policy workflow_call inputs (plus optional GH_AW_GITHUB_TOKEN secret) to gh-aw-scheduled-audit, gh-aw-docs-patrol, gh-aw-bug-hunter, and gh-aw-text-auditor
  • wire target-repo into create-issue safe-output config for those workflows, and include scheduled-audit fragment support
  • add previous-findings-target-repo fragment so previous-finding dedupe queries run against ${{ inputs.target-repo || github.repository }} with token fallback ${{ secrets.GH_AW_GITHUB_TOKEN || github.token }}

Test plan

  • Run make compile
  • Confirm targeted workflow sources include new optional inputs/secrets and target-repo wiring
  • Verify lock files regenerate cleanly for updated workflows

Made with Cursor

…t token support

Add optional target-repo and token-policy inputs to selected scheduled create-issue workflows, wire create-issue target-repo, and use an optional GH_AW_GITHUB_TOKEN fallback for cross-repo previous-findings lookups.

Made-with: Cursor
…OKEN

Align the new vault and cross-repo wiring with a standard optional secret name by replacing GH_AW_GITHUB_TOKEN with GITHUB_TOKEN in selected scheduled create-issue workflows and related fragments.

Made-with: Cursor
@coderabbitai

coderabbitai bot commented Mar 14, 2026

📝 Walkthrough

Multiple GitHub Actions workflows and fragments were updated to support targeting a separate repository for issue operations and optionally minting ephemeral GitHub tokens. New workflow_call inputs target-repo and token-policy were added across workflows; a conditional step create-token (when token-policy is non-empty) produces an ephemeral token used by downstream steps. Workflows now derive TARGET_REPO from inputs or the current repo, replace static token/repo references with the new token and TARGET_REPO, add a vault-token fragment for token creation, and replace previous-findings with a repo-scoped previous-findings-target-repo fragment. Safe-outputs configs now include a target-repo field.

Suggested labels

medium_boom



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (1)
.github/workflows/gh-aw-docs-drift.lock.yml (1)

680-682: ⚠️ Potential issue | 🟠 Major

Same cross-job step reference issue as bug-hunter.lock.yml.

The agent and conclusion jobs reference steps.create-token.outputs.token, but the step is only defined in safe_outputs. See bug-hunter review for details.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-docs-drift.lock.yml around lines 680 - 682, The
agent and conclusion jobs reference steps.create-token.outputs.token but that
step lives inside the safe_outputs job, so change those references to use the
job-level output (needs.safe_outputs.outputs.token) or otherwise export the
token as a job output from safe_outputs; specifically replace occurrences of
steps.create-token.outputs.token in the GH_TOKEN and github-token entries with
needs.safe_outputs.outputs.token (or ensure safe_outputs defines outputs.token
and the jobs declare needs: [safe_outputs]) so the token is available cross-job.
🧹 Nitpick comments (1)
.github/workflows/gh-aw-scheduled-audit.lock.yml (1)

590-592: steps.create-token is out of scope in agent and conclusion jobs.

The create-token step exists only in safe_outputs, so these cross-job references always fall back to GH_AW_GITHUB_TOKEN or GITHUB_TOKEN. If the minted token should reach these jobs, plumb it through job outputs or define create-token in each job that needs it. Fix in the source .md file so the next compile picks it up.

Also applies to lines 1311, 1324, 1344, 1361.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-scheduled-audit.lock.yml around lines 590 - 592, The
workflow uses steps.create-token in GH_TOKEN and github-token expressions inside
the agent and conclusion jobs but create-token is only defined in the
safe_outputs job, so those references are out of scope; update the source .md so
the minted token is either exported from safe_outputs as a job output and then
consumed via needs.safe_outputs.outputs.<token_name> in the agent and conclusion
jobs, or define a create-token step inside each job that requires it (replace
steps.create-token with needs.safe_outputs.outputs.<token_name> or local
create-token step accordingly) and apply the same fix for the other occurrences
noted (lines referenced: the other GH_TOKEN/github-token usages).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-bug-hunter.lock.yml:
- Around line 662-664: The Checkout PR branch step in the agent job is
referencing steps.create-token.outputs.token even though no create-token step
exists in that job; either add/move the create-token step into the agent job (or
rename it to match the existing step) so steps.create-token.outputs.token is
defined before use, or remove that output reference and rely only on
secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN; update the Checkout PR
branch step accordingly and ensure consistency with the ephemeral token step
defined in safe_outputs (or reference the correct step id from safe_outputs if
you intend to use that token).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ac1a8dd1-a1ce-41b1-8d44-d9c6de6eb38e

📥 Commits

Reviewing files that changed from the base of the PR and between 5c3bbdc and cee0e80.

📒 Files selected for processing (12)
  • .github/workflows/gh-aw-bug-hunter.lock.yml
  • .github/workflows/gh-aw-bug-hunter.md
  • .github/workflows/gh-aw-docs-drift.lock.yml
  • .github/workflows/gh-aw-docs-patrol.lock.yml
  • .github/workflows/gh-aw-docs-patrol.md
  • .github/workflows/gh-aw-fragments/previous-findings-target-repo.md
  • .github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
  • .github/workflows/gh-aw-fragments/vault-token.md
  • .github/workflows/gh-aw-scheduled-audit.lock.yml
  • .github/workflows/gh-aw-scheduled-audit.md
  • .github/workflows/gh-aw-text-auditor.lock.yml
  • .github/workflows/gh-aw-text-auditor.md

Comment on lines +86 to +100 (.github/workflows/gh-aw-docs-patrol.lock.yml)

```yaml
target-repo:
  default: ""
  description: Optional owner/repo slug to create issues in a remote repository
  required: false
  type: string
title-prefix:
  default: "[docs-patrol]"
  description: Title prefix for created issues (e.g. '[docs-patrol]')
  required: false
  type: string
token-policy:
  default: ""
  description: Optional vault token policy used to mint an ephemeral GitHub token
  required: false
  type: string
```

⚠️ Potential issue | 🟠 Major

The default [docs-patrol] prefix stops being unique in a shared target repo.

Once multiple repos file into the same target-repo, dedup now reads every [docs-patrol] issue in that destination. That lets one repo suppress another repo's finding because the workflow has no caller-specific discriminator in either the previous-findings query or the created title prefix. Namespace the default prefix with the source repo, or persist/filter on the source repo instead. Fix this in the source workflow/fragment so the next compile picks it up.

Also applies to: 646-650, 1528-1530

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-docs-patrol.lock.yml around lines 86 - 100, The
default input "title-prefix" currently set to "[docs-patrol]" is not unique
across multiple source repos targeting the same target-repo; change the workflow
fragment that defines the input "title-prefix" so its default is namespaced to
the caller repo (e.g. include the source repo owner/name or owner/name-short)
using the GitHub context, or update the logic that queries/filters previous
findings to include a caller discriminator (source repo) so dedup only compares
issues from the same source. Locate the "title-prefix" input in the workflow
fragment and either set its default to a templated value that includes the
source repo (via github.repository or github.repository_owner) or ensure the
"previous-findings" query and issue-creation code include and persist the source
repo identifier when searching/creating issues.

Comment on lines +45 to +49 (.github/workflows/gh-aw-scheduled-audit.md)

```yaml
token-policy:
  description: "Optional vault token policy used to mint an ephemeral GitHub token"
  type: string
  required: false
  default: ""
```

⚠️ Potential issue | 🟠 Major

token-policy doesn't cover remote dedup.

This lookup still authenticates with GH_AW_GITHUB_TOKEN || github.token, so a caller using only target-repo + token-policy cannot read previous findings from a private target repo. That silently skips dedup here and can re-file an existing issue later. Mint the vault token before this step, or explicitly require GH_AW_GITHUB_TOKEN whenever target-repo points at a private repo.

Also applies to: 99-111

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-scheduled-audit.md around lines 45 - 49, The
workflow uses token-policy but still authenticates lookups with
GH_AW_GITHUB_TOKEN || github.token, so callers supplying only token-policy
cannot read private target-repo history and dedup will silently fail; fix by
minting the Vault token prior to the dedup/lookup step (or require
GH_AW_GITHUB_TOKEN when target-repo is private) and ensure the lookup step uses
the minted token instead of github.token; update all lookup blocks that
reference GH_AW_GITHUB_TOKEN, github.token, token-policy and target-repo (the
other similar block later in the file) to use the minted Vault token or enforce
the explicit GH_AW_GITHUB_TOKEN requirement.
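Added illustration for the two scheduled-audit points raised above (the `steps.create-token` reference that is out of scope in other jobs, and the lookup that still ignores `token-policy`); this is not the PR's or gh-aw's own code. Job names, the `create-token` step id and the input/secret names follow the review comments; the vault action and the `previous_findings` job layout are assumptions.

```yaml
# Added illustration, not the PR's or gh-aw's own code. The vault action
# reference is a placeholder; job/step names follow the review comments.
on:
  workflow_call:
    inputs:
      target-repo:
        type: string
        required: false
        default: ""
      token-policy:
        type: string
        required: false
        default: ""
    secrets:
      GH_AW_GITHUB_TOKEN:
        required: false

jobs:
  safe_outputs:
    runs-on: ubuntu-latest
    # A job-level output is the only way a later job can see this step's result;
    # steps.create-token.outputs.token is undefined outside this job.
    # Caveat: job outputs that contain a masked value are redacted before they
    # reach GitHub, so if create-token masks the token this output arrives empty
    # and the fallback below applies. In that case mint the token inside each
    # job that needs it, which also keeps each job's token scoped to its own work.
    outputs:
      token: ${{ steps.create-token.outputs.token }}
    steps:
      - id: create-token
        if: ${{ inputs.token-policy != '' }}
        uses: PLACEHOLDER-ORG/PLACEHOLDER-VAULT-TOKEN-ACTION@v0  # placeholder
        with:
          policy: ${{ inputs.token-policy }}

  # Consumes the minted token for the previous-findings lookup, so a caller that
  # supplies only token-policy can still read a private target-repo.
  previous_findings:
    needs: [safe_outputs]
    runs-on: ubuntu-latest
    env:
      TARGET_REPO: ${{ inputs.target-repo || github.repository }}
      CROSS_REPO: ${{ inputs.target-repo }}
      MINTED_TOKEN: ${{ needs.safe_outputs.outputs.token }}
      FALLBACK_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
      GH_TOKEN: ${{ needs.safe_outputs.outputs.token || secrets.GH_AW_GITHUB_TOKEN || github.token }}
    steps:
      - name: Fail loudly instead of silently skipping cross-repo dedup
        # github.token cannot read a private remote repo, so a cross-repo run
        # with neither a minted token nor an explicit secret must stop here.
        run: |
          if [ -n "$CROSS_REPO" ] && [ -z "$MINTED_TOKEN" ] && [ -z "$FALLBACK_TOKEN" ]; then
            echo "::error::target-repo is set but no token was minted and GH_AW_GITHUB_TOKEN is unset"
            exit 1
          fi
      - name: List previous findings in the target repo
        run: |
          gh issue list --repo "$TARGET_REPO" --state all --limit 200 \
            --json number,title > /tmp/previous-findings.json
```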

Comment on lines +105 to +119 (.github/workflows/gh-aw-text-auditor.lock.yml)

```yaml
target-repo:
  default: ""
  description: Optional owner/repo slug to create issues in a remote repository
  required: false
  type: string
title-prefix:
  default: "[text-auditor]"
  description: Title prefix for created issues (e.g. '[text-auditor]')
  required: false
  type: string
token-policy:
  default: ""
  description: Optional vault token policy used to mint an ephemeral GitHub token
  required: false
  type: string
```

⚠️ Potential issue | 🟠 Major

Namespace the default prefix before centralizing issues.

With the fixed [text-auditor] prefix, every caller targeting the same target-repo now shares one dedup namespace. Repo A can cause repo B to noop a distinct finding because previous-findings only filters on in:title "$TITLE_PREFIX" and created issues keep the same prefix. Include a caller identifier in the generated title prefix (for example ${{ github.repository }}), or persist/filter on the source repo instead. Fix this in the source workflow/fragment so the next compile picks it up.

Also applies to: 716-720, 1598-1600

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-text-auditor.lock.yml around lines 105 - 119, The
current fixed title-prefix parameter (title-prefix) causes cross-repo
deduplication; update the workflow fragment where the input 'title-prefix' is
defined to include a caller-specific namespace (e.g. use the repo slug) so
generated issue titles are unique per source repo: change the
default/description to incorporate the GitHub repository context (for example
make the default something like `${{ github.repository }} [text-auditor]` or
explicitly document using `${{ github.repository }}` when calling the workflow),
and ensure any other identical definitions (the other title-prefix occurrences
referenced) are updated similarly so dedup filtering based on in:title uses a
repo-scoped prefix rather than the fixed "[text-auditor]".


@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (2)
.github/workflows/gh-aw-text-auditor.lock.yml (1)

716-720: ⚠️ Potential issue | 🟠 Major

Dedup namespace is still shared across callers in a common target-repo.

Line 720 searches only in:title "$TITLE_PREFIX". With the default on Line 111 ([text-auditor]), different source repos targeting the same destination can suppress each other’s findings. Scope dedup by source repo (e.g., include ${{ github.repository }} in the effective prefix/search, or persist/filter by source repo metadata). Apply this in the source workflow/fragment and recompile.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-text-auditor.lock.yml around lines 716 - 720, The
search for previous findings only uses TITLE_PREFIX, causing dedup across
different source repos; update the effective dedup key used when listing issues
(the gh issue list invocation that uses TITLE_PREFIX and TARGET_REPO) to include
the source repo identifier (e.g., append or prefix `${{ github.repository }}` to
TITLE_PREFIX) or add a filter that persists/filters by source repo metadata so
that List previous findings only matches issues created by the same source repo,
and ensure the same augmented TITLE_PREFIX is produced in the source
workflow/fragment that sets TITLE_PREFIX so compilation stays consistent.
.github/workflows/gh-aw-docs-patrol.lock.yml (1)

646-650: ⚠️ Potential issue | 🟠 Major

Dedup remains non-namespaced when multiple repos share one target-repo.

Line 650 queries by in:title "$TITLE_PREFIX" only. With the static default on Line 92 ([docs-patrol]), one repo’s issue can incorrectly dedup another repo’s finding in the same destination repo. Add a caller discriminator (for example source repo) to the effective prefix/search or persist/filter by source repo.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-docs-patrol.lock.yml around lines 646 - 650, The
current gh issue list search uses only TITLE_PREFIX which allows cross-source
deduping; update the command to include the caller/source repo discriminator
(github.repository) so dedup is namespaced: either expand TITLE_PREFIX to
include the source (e.g. build an effective prefix using TITLE_PREFIX + " " +
github.repository) before running gh issue list, or add an additional filter to
the gh issue list invocation to match that source marker in the issue
title/body; adjust the variables (TITLE_PREFIX, TARGET_REPO) and the run line
that writes /tmp/previous-findings.json so the search becomes e.g. --search
"in:title \"$EFFECTIVE_TITLE_PREFIX\"" where EFFECTIVE_TITLE_PREFIX includes the
source repo identifier.
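Added illustration for the shared-dedup-namespace comments above on gh-aw-docs-patrol.lock.yml and gh-aw-text-auditor.lock.yml; this is not the PR's or gh-aw's own code. The input and secret names follow the PR; the `previous_findings` job, `EFFECTIVE_TITLE_PREFIX` and the leak check are assumptions.

```yaml
# Added illustration, not the PR's or gh-aw's own code. Namespaces the dedup
# key by the calling repo so two callers sharing one target-repo cannot
# suppress each other's findings.
on:
  workflow_call:
    inputs:
      target-repo:
        type: string
        required: false
        default: ""
      title-prefix:
        type: string
        required: false
        default: "[docs-patrol]"
    secrets:
      GH_AW_GITHUB_TOKEN:
        required: false

jobs:
  previous_findings:
    runs-on: ubuntu-latest
    env:
      TARGET_REPO: ${{ inputs.target-repo || github.repository }}
      # Namespaced key, e.g. "[docs-patrol] [org/repo-a]" for a call from
      # org/repo-a. The create-issue step must use this same prefix for new
      # issues, otherwise the search below never matches them.
      EFFECTIVE_TITLE_PREFIX: "${{ inputs.title-prefix }} [${{ github.repository }}]"
      GH_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || github.token }}
    steps:
      - name: List previous findings scoped to this caller
        run: |
          gh issue list --repo "$TARGET_REPO" --state all --limit 200 \
            --search "in:title \"$EFFECTIVE_TITLE_PREFIX\"" \
            --json number,title,state > /tmp/previous-findings.json
      - name: Check that no other caller's issues leaked into the result
        # GitHub search matches loosely, so verify the returned titles really
        # start with this caller's prefix before they are used for dedup.
        run: |
          jq --arg p "$EFFECTIVE_TITLE_PREFIX" \
            '[.[] | select(.title | startswith($p))]' \
            /tmp/previous-findings.json > /tmp/previous-findings.scoped.json
          total=$(jq 'length' /tmp/previous-findings.json)
          scoped=$(jq 'length' /tmp/previous-findings.scoped.json)
          if [ "$total" != "$scoped" ]; then
            echo "::warning::$((total - scoped)) issue(s) from other callers dropped from dedup set"
          fi
          mv /tmp/previous-findings.scoped.json /tmp/previous-findings.json
```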

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43c99f48-7283-4aff-ad2b-4120a677b3db

📥 Commits

Reviewing files that changed from the base of the PR and between cee0e80 and 816cfd7.

📒 Files selected for processing (11)
  • .github/workflows/gh-aw-bug-hunter.lock.yml
  • .github/workflows/gh-aw-bug-hunter.md
  • .github/workflows/gh-aw-docs-drift.lock.yml
  • .github/workflows/gh-aw-docs-patrol.lock.yml
  • .github/workflows/gh-aw-docs-patrol.md
  • .github/workflows/gh-aw-fragments/previous-findings-target-repo.md
  • .github/workflows/gh-aw-fragments/vault-token.md
  • .github/workflows/gh-aw-scheduled-audit.lock.yml
  • .github/workflows/gh-aw-scheduled-audit.md
  • .github/workflows/gh-aw-text-auditor.lock.yml
  • .github/workflows/gh-aw-text-auditor.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/gh-aw-text-auditor.md
  • .github/workflows/gh-aw-fragments/vault-token.md
