Fix checkout frontmatter: emit token (not github-token) for actions/checkout

[Corb3nik]

Fix checkout frontmatter: emit token (not github-token) for actions/checkout

Bug summary

When checkout frontmatter includes a custom github-token, the compiler emits an actions/checkout step with a github-token input. The actions/checkout action expects the input name token, so custom tokens do not work and checkout can fail or use the wrong credentials.

Analysis

Root cause: In pkg/workflow/checkout_manager.go, the YAML for the actions/checkout step is built with the literal key github-token in two places:

• Line 234 in GenerateDefaultCheckoutStep: when applying user overrides (non–trial mode), it emits fmt.Fprintf(&sb, " github-token: %s\n", override.token).
• Line 277 in generateCheckoutStepLines: for additional checkout steps it emits fmt.Fprintf(&sb, " github-token: %s\n", entry.token).

The actions/checkout action only accepts the input token. The same file already uses token correctly for trial mode at line 222: fmt.Fprintf(&sb, " token: %s\n", effectiveToken). The fix is to emit token (not github-token) wherever the token is passed to actions/checkout. The frontmatter key can remain github-token (user-facing); only the emitted YAML key for the action input must be token.

Implementation plan

Please implement the following so an agent can execute it step by step.

1. Fix YAML emission in pkg/workflow/checkout_manager.go

• In GenerateDefaultCheckoutStep (around line 233–235): when override.token != "", emit the input as token, not github-token.
  Change:
  fmt.Fprintf(&sb, " github-token: %s\n", override.token)
  to:
  fmt.Fprintf(&sb, " token: %s\n", override.token).

• In generateCheckoutStepLines (around line 276–278): when entry.token != "", emit the input as token, not github-token.
  Change:
  fmt.Fprintf(&sb, " github-token: %s\n", entry.token)
  to:
  fmt.Fprintf(&sb, " token: %s\n", entry.token).

No other changes in this file are required: struct fields and parsing can keep the name GitHubToken / github-token for frontmatter/schema; only the generated action input name must be token.

2. Update tests that assert on github-token in checkout steps

• pkg/workflow/checkout_manager_test.go

  • Replace assertions that expect github-token: in the generated checkout step YAML with expectations of token: (same value, different key).
  • Example (around line 127): change the expected string from "github-token: ${{ secrets.MY_TOKEN }}" to "token: ${{ secrets.MY_TOKEN }}" (and similar cases in that file).

• pkg/workflow/checkout_optimization_test.go

  • It already expects token: ${{ secrets.CUSTOM_TOKEN }} (line 94). Ensure no remaining expectations use github-token for the checkout step; if any do, update them to token.

• pkg/workflow/trial_mode_test.go

  • Tests that look for “github-token in checkout step” (e.g. around lines 77–88, 136–208, 321–324) should be updated to look for token in the checkout step’s with: block (since the correct input name is token). Adjust comments and assertions accordingly.

• pkg/workflow/pr_checkout_test.go

  • Around lines 406–408 the test expects github-token in the “Checkout PR branch” step. That step uses actions/github-script, not actions/checkout. The actions/github-script action uses the input github-token. So leave this test unchanged; only the actions/checkout steps should use token.

3. Optional: add a regression test

• In pkg/workflow/checkout_manager_test.go (or a dedicated test), add a case that:
  • Builds a checkout config with a custom token (e.g. GitHubToken: "${{ secrets.MY_TOKEN }}").
  • Calls GenerateDefaultCheckoutStep or the helper that produces the additional checkout steps.
  • Asserts that the generated YAML contains token: ${{ secrets.MY_TOKEN }} and does not contain github-token: in the same step (to avoid regressing to the wrong input name).

4. Documentation

• In pkg/workflow/checkout_manager.go, the comment around lines 19–21 shows an example with github-token: in the YAML. Update that example so it shows the emitted format: use token: in the example of the generated step (or add a short note that the frontmatter key github-token is emitted as the token input for actions/checkout).
• If docs/ or pkg/parser/schemas document the checkout step output format, ensure they state that the compiler emits token for the token input of actions/checkout (and that frontmatter still uses github-token).

5. Follow project guidelines

• Use console formatting from pkg/console for any new CLI output.
• Run make agent-finish (or at least make build, make test, make recompile, make fmt, make lint) before considering the change done.
• Error messages (if any) should follow the project style: [what’s wrong]. [what’s expected]. [example].

Verification

After the change:

• A workflow with frontmatter like:
  checkout:
  • repository: my-repo
    path: my-repo
    ref: dev
    github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}

should compile to an actions/checkout step whose with: block includes token: ${{ secrets.GH_AW_GITHUB_TOKEN }}, and must not include github-token: for that step.