Support github-app: auth in dependencies: for cross-org APM packages #21286
… packages Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Title changed: "github-app: auth for dependencies in APM" → "github-app: auth in dependencies: for cross-org APM packages"
@copilot update agentic workflow that uses dependencies to also configure the github-app based on the shared/safe-output-app.md info
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Updated dependencies:

```yaml
dependencies:
  github-app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
  packages:
    - microsoft/apm-sample-package
```

The compiled lock file now mints the app token before the APM pack step and injects it as
Pull request overview

Adds GitHub App-based authentication support for APM `dependencies:` so workflows can pack/install private cross-org APM packages by minting an installation token before the APM pack step.

Changes:
- Extend the `dependencies:` object format to accept `github-app` config and parse it from frontmatter.
- Generate an `actions/create-github-app-token` step (id: `apm-app-token`) before the APM pack step and inject the minted token via `env.GITHUB_TOKEN`.
- Update schema, docs, and smoke workflow fixtures; add/extend unit tests for parsing and step generation.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/workflow/frontmatter_types.go | Adds GitHubApp field to APM dependency configuration type. |
| pkg/workflow/frontmatter_extraction_metadata.go | Parses dependencies.github-app from object format and wires it into extracted config. |
| pkg/workflow/compiler_activation_job.go | Emits the GitHub App token-mint step before the APM pack step when configured. |
| pkg/workflow/apm_dependencies.go | Implements token mint step generation and injects minted token into APM pack step env. |
| pkg/workflow/apm_dependencies_test.go | Adds tests for github-app parsing and token/env step rendering; refactors step string combining. |
| pkg/parser/schemas/main_workflow_schema.json | Adds github-app to dependencies object format schema. |
| docs/src/content/docs/reference/frontmatter.md | Documents array vs object formats and shows GitHub App auth example. |
| docs/src/content/docs/reference/dependencies.md | Adds dedicated section documenting GitHub App auth fields/usage for APM dependencies. |
| .github/workflows/smoke-claude.md | Updates smoke workflow frontmatter to use dependencies.github-app object format. |
| .github/workflows/smoke-claude.lock.yml | Updates compiled workflow to include token mint step and injected GITHUB_TOKEN env. |
```go
// buildAPMAppTokenMintStep generates the step to mint a GitHub App installation access token
// for use by the APM pack step to access cross-org private repositories.
//
// Parameters:
//   - app: GitHub App configuration containing app-id, private-key, owner, and repositories
//
// Returns a slice of YAML step lines.
func buildAPMAppTokenMintStep(app *GitHubAppConfig) []string {
	apmDepsLog.Printf("Building APM GitHub App token mint step: owner=%s, repos=%d", app.Owner, len(app.Repositories))
	var steps []string

	steps = append(steps, " - name: Generate GitHub App token for APM dependencies\n")
	steps = append(steps, fmt.Sprintf(" id: %s\n", apmAppTokenStepID))
	steps = append(steps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/create-github-app-token")))
	steps = append(steps, " with:\n")
```
pkg/workflow/apm_dependencies.go
```go
	// No explicit repositories: default to the current repository
	steps = append(steps, " repositories: ${{ github.event.repository.name }}\n")
```
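Review bot: the `repositories:` fallback on the last line scopes the minted token to `github.event.repository.name`, which in a cross-repo `workflow_call` relay is the caller repository rather than the platform (host) repository where the App is installed, so the APM pack step would receive a token for the wrong repo; the fix should accept a fallback expression (the PR description names `${{ steps.resolve-host-repo.outputs.target_repo_name }}`, already resolved earlier in the activation job) and use it whenever a `workflow_call` trigger is present, keeping `github.event.repository.name` only for non-relay workflows.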
@copilot review generated code and ensure it works in the context of workflow_call in different repository.
…ay scenarios Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in b5c9927.
Adds the 🌍 Community Contributions table with 5 confirmed attributions linking community-labeled issues to their resolving PRs:
- #21630 (@Mossaka) → #21655 sparse-checkout support docs
- #21243 (@holwerda) → #21286 github-app auth in dependencies
- #20299 (@grahame-white) → #20300 fix gh aw upgrade lock files
- #20249 (@mvdbos) → #20301 cross-repo workflow_call validation
- #18480 (@JoshGreenslade) → #21993 GHE Cloud data residency docs

Also flags 241 community-labeled issues as attribution candidates needing manual review.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
APM `dependencies:` fails for cross-org private repos because the default `GITHUB_TOKEN` is org-scoped. The token was also generated after the APM pack step, making it unavailable even when configured elsewhere.

Changes

- `APMDependenciesInfo` — added `GitHubApp *GitHubAppConfig` field
- `extractAPMDependenciesFromFrontmatter` — parses `github-app:` from object format; silently ignores incomplete configs (missing `app-id` or `private-key`)
- `buildAPMAppTokenMintStep` — new function generating an `actions/create-github-app-token` step with id `apm-app-token`, supporting explicit owner/repositories and `["*"]` for org-wide access; accepts a `fallbackRepoExpr` parameter (matching the pattern of `buildGitHubAppTokenMintStep`) so the correct repository scope is used in `workflow_call` relay scenarios
- `buildActivationJob` — mints the APM app token before the pack step when `GitHubApp` is set; in `workflow_call` relay workflows passes `${{ steps.resolve-host-repo.outputs.target_repo_name }}` as the fallback repository so the token is scoped to the platform (host) repo rather than the caller repo
- `GenerateAPMPackStep` — injects `GITHUB_TOKEN: ${{ steps.apm-app-token.outputs.token }}` in `env:` when `GitHubApp` is configured
- `github-app` added to the `dependencies` object format
- `smoke-claude.md` — updated to use `github-app:` config (`${{ vars.APP_ID }}` / `${{ secrets.APP_PRIVATE_KEY }}`) for its APM dependency, consistent with the credential pattern from `shared/safe-output-app.md`

Usage

Compiled output ordering is now:

1. Generate GitHub App token for APM dependencies (id: `apm-app-token`)
2. Install and pack APM dependencies (with `env.GITHUB_TOKEN` set to the minted token)

Simple array format and existing object format (`packages:` + `isolated:`) are unchanged.

workflow_call relay support

In cross-repo `workflow_call` scenarios (including event-driven relays via `issue_comment`/`push`), `github.event.repository.name` refers to the caller repo rather than the platform (host) repo where the GitHub App is installed. The compiler now automatically uses `${{ steps.resolve-host-repo.outputs.target_repo_name }}` — already computed earlier in the activation job — as the repository scope when a `workflow_call` trigger is present, ensuring the minted token is always scoped to the correct repository.
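As an added illustration of the step ordering and the repository-scope fallback the description above lays out (example code written for this page, not gh-aw's own implementation): a small Go program that renders the token mint step followed by the pack step, choosing the fallback repository expression by whether a `workflow_call` trigger is present. The step names, step id, `with:` input names, the `env.GITHUB_TOKEN` injection and the two fallback expressions come from the PR; the `apmAppConfig` struct, the function names, the `@v2` tag (gh-aw pins a SHA via `GetActionPin`), the `apm install` command line and the `github.repository_owner` default for `["*"]` are assumptions made here.

```go
package main

import (
	"fmt"
	"strings"
)

// apmAppConfig mirrors the fields accepted under dependencies.github-app.
// This struct and every function below are illustrative, not gh-aw's code.
type apmAppConfig struct {
	AppIDExpr      string   // e.g. "${{ vars.APP_ID }}"
	PrivateKeyExpr string   // e.g. "${{ secrets.APP_PRIVATE_KEY }}"
	Owner          string   // optional installation owner
	Repositories   []string // optional; ["*"] requests org-wide access
}

const apmAppTokenStepID = "apm-app-token"

// yamlLine indents one line so it nests under a job's steps: list.
func yamlLine(depth int, s string) string {
	return strings.Repeat(" ", depth) + s + "\n"
}

// fallbackRepoExpr picks the repository scope used when the frontmatter names
// no repositories: the host repo resolved earlier in the activation job for
// workflow_call relays, the event's own repo otherwise.
func fallbackRepoExpr(hasWorkflowCall bool) string {
	if hasWorkflowCall {
		return "${{ steps.resolve-host-repo.outputs.target_repo_name }}"
	}
	return "${{ github.event.repository.name }}"
}

// buildMintStep renders the actions/create-github-app-token step.
func buildMintStep(app apmAppConfig, fallback string) string {
	var b strings.Builder
	b.WriteString(yamlLine(6, "- name: Generate GitHub App token for APM dependencies"))
	b.WriteString(yamlLine(8, "id: "+apmAppTokenStepID))
	b.WriteString(yamlLine(8, "uses: actions/create-github-app-token@v2")) // tag is an assumption
	b.WriteString(yamlLine(8, "with:"))
	b.WriteString(yamlLine(10, "app-id: "+app.AppIDExpr))
	b.WriteString(yamlLine(10, "private-key: "+app.PrivateKeyExpr))

	orgWide := len(app.Repositories) == 1 && app.Repositories[0] == "*"
	owner := app.Owner
	if orgWide && owner == "" {
		// Assumption: org-wide without an explicit owner means the workflow's own org.
		owner = "${{ github.repository_owner }}"
	}
	if owner != "" {
		b.WriteString(yamlLine(10, "owner: "+owner))
	}
	switch {
	case orgWide:
		// Omit repositories: with owner set and repositories absent, the action
		// grants every repository the installation can reach.
	case len(app.Repositories) > 0:
		b.WriteString(yamlLine(10, "repositories: "+strings.Join(app.Repositories, ",")))
	default:
		b.WriteString(yamlLine(10, "repositories: "+fallback))
	}
	return b.String()
}

// buildPackStep renders the APM pack step; the minted token is injected as
// GITHUB_TOKEN only when a github-app block was configured.
func buildPackStep(packages []string, withAppToken bool) string {
	var b strings.Builder
	b.WriteString(yamlLine(6, "- name: Install and pack APM dependencies"))
	if withAppToken {
		b.WriteString(yamlLine(8, "env:"))
		b.WriteString(yamlLine(10, fmt.Sprintf("GITHUB_TOKEN: ${{ steps.%s.outputs.token }}", apmAppTokenStepID)))
	}
	b.WriteString(yamlLine(8, "run: |"))
	for _, p := range packages {
		// The apm command line is a placeholder; gh-aw's real script differs.
		b.WriteString(yamlLine(10, "apm install "+p))
	}
	return b.String()
}

// compileActivationSteps reproduces the ordering the PR establishes: mint
// first, then pack, so the token exists by the time the pack step runs.
func compileActivationSteps(app *apmAppConfig, packages []string, hasWorkflowCall bool) string {
	var b strings.Builder
	if app != nil {
		b.WriteString(buildMintStep(*app, fallbackRepoExpr(hasWorkflowCall)))
	}
	b.WriteString(buildPackStep(packages, app != nil))
	return b.String()
}

func main() {
	app := &apmAppConfig{AppIDExpr: "${{ vars.APP_ID }}", PrivateKeyExpr: "${{ secrets.APP_PRIVATE_KEY }}"}
	fmt.Print(compileActivationSteps(app, []string{"microsoft/apm-sample-package"}, true))
}
```

Running it prints the two steps for a relay workflow, with `repositories:` set to the host-repo expression; passing `false` for `hasWorkflowCall` swaps in `github.event.repository.name`, and passing `nil` for the app drops both the mint step and the `env:` injection, matching the unchanged behaviour for the plain array format.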