
environment: frontmatter field not propagated to safe_outputs job — breaks environment-level secrets #20378

@bbonafed

Description

Describe the feature

When using the environment: frontmatter field, the compiler only applies it to the agent job in the compiled .lock.yml. The safe_outputs job does not receive the environment: field, which means any secrets scoped exclusively to GitHub deployment environments (e.g., dev, prod) are inaccessible in the safe_outputs job.

This is a problem when using GitHub App authentication via safe-outputs.app: with environment-level secrets, because the safe_outputs job generates the App token at runtime:

# In the compiled .lock.yml — safe_outputs job (NO environment: field)
- name: Generate GitHub App token
  id: safe-outputs-app-token
  uses: actions/create-github-app-token@v3
  with:
    app-id: ${{ secrets.WORKFLOW_APP_ID }}         # ← empty, no environment context
    private-key: ${{ secrets.WORKFLOW_APP_PRIVATE_KEY }}  # ← empty, no environment context

Expected behavior

The environment: frontmatter field should be propagated to all compiler-generated jobs that reference secrets, including safe_outputs, activation, conclusion, and any other jobs that use safe-outputs.app: or safe-outputs.github-token:.

For example, if the frontmatter is:

environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}

Then the compiled safe_outputs job should include:

safe_outputs:
  needs: [activation, agent]
  runs-on: ubuntu-slim
  environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}  # ← missing today
  # ...

Reproduction

  1. Create a workflow with environment: in frontmatter and safe-outputs.app: referencing environment-level secrets
  2. Compile with gh aw compile
  3. Inspect the .lock.yml — only the agent job has the environment: field
  4. The safe_outputs job references the same secrets but has no environment: context
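As an added check (written for this issue, not code from the report or from gh-aw), a small lint over a compiled .lock.yml that flags every job reading `${{ secrets.* }}` without a job-level `environment:` key, so steps 3 and 4 of the reproduction can be verified mechanically. It assumes the two-space job indentation shown above and uses a constructed sample lock file.

```python
import re

# Constructed excerpt of a compiled .lock.yml showing the bug: the agent job has
# environment:, the safe_outputs job reads the same secrets but has no environment:.
SAMPLE_LOCK_YML = """\
jobs:
  agent:
    environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}
    steps:
      - uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.WORKFLOW_APP_ID }}
  safe_outputs:
    needs: [activation, agent]
    steps:
      - uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.WORKFLOW_APP_ID }}
          private-key: ${{ secrets.WORKFLOW_APP_PRIVATE_KEY }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
JOB_HEADER = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job names sit at 2-space indent

def split_jobs(lock_yml: str) -> dict[str, list[str]]:
    """Group the lines belonging to each job under the top-level `jobs:` key."""
    jobs, current, in_jobs = {}, None, False
    for line in lock_yml.splitlines():
        if not in_jobs:
            in_jobs = line.startswith("jobs:")
            continue
        if line and not line.startswith(" "):  # next top-level key ends jobs:
            break
        header = JOB_HEADER.match(line)
        if header:
            current = header.group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs

def jobs_missing_environment(lock_yml: str) -> dict[str, list[str]]:
    """Map job name -> secrets it reads, for jobs with no job-level environment: key."""
    findings = {}
    for name, lines in split_jobs(lock_yml).items():
        has_env = any(line.startswith("    environment:") for line in lines)
        secrets = sorted({s for line in lines for s in SECRET_REF.findall(line)})
        if secrets and not has_env:
            findings[name] = secrets
    return findings
```

Run it against a real .lock.yml (read the file into `jobs_missing_environment`) after `gh aw compile`; any job it lists will see empty strings for environment-scoped secrets at runtime.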

Workaround

Store the GitHub App credentials (WORKFLOW_APP_ID, WORKFLOW_APP_PRIVATE_KEY) as repository-level secrets instead of environment-level secrets so they are accessible from all jobs regardless of environment: context.

Context

  • gh-aw version: v0.51.5 (also verified in v0.57.1 docs — no fix present)
  • Use case: CentralRepoOps pattern with environment-based dev/prod secret isolation
  • Impact: Any workflow using environment: with exclusively environment-scoped secrets will have its safe outputs silently fail (App token generation returns empty strings)
