fix: use GITHUB_TOKEN in bot-detection precompute step (expired GH_AW_BOT_DETECTION_TOKEN causing 84% failure rate)

[Copilot]

GH_AW_BOT_DETECTION_TOKEN is expired, and because it evaluates to a non-empty string, the || secrets.GITHUB_TOKEN fallback never triggers. The precompute job fails immediately when getRunCreatedAt() calls github.rest.actions.getWorkflowRun with a 401.

Changes

• bot-detection.md: Replace ${{ secrets.GH_AW_BOT_DETECTION_TOKEN || secrets.GITHUB_TOKEN }} → ${{ secrets.GITHUB_TOKEN }} on the precompute step's github-token
• bot-detection.lock.yml: Recompiled

GITHUB_TOKEN is sufficient — the precompute job already declares actions: read, contents: read, pull-requests: read, and issues: read, which covers all API calls in the script.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linuTest User /usr/bin/git 3185212807/.githgit (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --format=%T resolved$ /usr/bin/git ../pkg/workflow/git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -unreachable=false /tmp/go-build2960279424/b249/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet h ../../../.pretgit (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha plorer.md .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git */*.ts' '**/*.jsgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git util.test 0279424/b024/vetrev-parse ortcfg.link git rev-�� --show-toplevel G-1UWS-RTmPmqNfDkx/ZOr9OALr-Y_wUWOhi5lV/HOdaOxyubd7-mZtvjihi /usr/bin/git agent-persona-exgit 0279424/b097/vetrev-parse g_.a git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/go-build2960279424/b421/_pkg_.a -trimpath ache/node/24.14.0/x64/bin/node -p github.com/githurev-parse -lang=go1.25 ache/node/24.14.0/x64/bin/node s-70�� ets.TOKEN }} /tmp/go-build2960279424/b110/vet.cfg /usr/bin/git -c=4 -nolocalimports -importcfg git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 09/001/test-compgit c .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git t1062360039/.gitgit 0279424/b090/vetrev-parse .cfg git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha js/**/*.json' --ignore-path ../../../.prettierignore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build2960279424/b392/importcfg -pack /tmp/go-build2960279424/b392/_testmain.go ode_�� (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build2960279424/b395/importcfg -pack /tmp/go-build2960279424/b395/_testmain.go ode_�� (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/go-build2960279424/b422/_pkg_.a -trimpath ache/node/24.14.0/x64/bin/node -p main -lang=go1.25 ache/node/24.14.0/x64/bin/node s-24�� ub.actor }} -dwarf=false /usr/bin/git go1.25.0 -c=4 -nolocalimports git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path git x_amd64/vet --get remote.origin.urrev-parse /usr/bin/git x_amd64/vet rev-�� --show-toplevel git tions/setup/node_modules/.bin/sh user.email test@example.comrev-parse /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha xterm-color k/_temp/ghcca-no/tmp/go-build2960279424/b248/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet on' --ignore-patgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path git x_amd64/vet add origin /opt/hostedtoolc--show-toplevel x_amd64/vet rev-�� --show-toplevel node 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/sh /home/REDACTED/worgit x_amd64/vet /usr/bin/gh git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build2960279424/b174/vet.cfg 0279424/b323/vet.cfg (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha /tmp/go-build2960279424/b377/_pkg_.a -trimpath 0279424/b353/vet.cfg -p github.com/davecrev-parse -lang=go1.16 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� k/gh-aw/gh-aw/.github/workflows /tmp/go-build2960279424/b212/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -c=4 -nolocalimports -importcfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha /tmp/go-build2960279424/b372/_pkg_.a -trimpath 0279424/b342/vet.cfg -p main -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags 0279424/b419/stringutil.test -errorsas -ifaceassert -nilfunc 0279424/b419/stringutil.test (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 --local 64/pkg/tool/linux_amd64/vet pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 --local 64/pkg/tool/linux_amd64/vet pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 --local 64/pkg/tool/linux_amd64/vet pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 --local x_amd64/compile pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 --local x_amd64/link pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 --local x_amd64/vet pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 --local x_amd64/compile pull.rebase (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --local .cfg 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha on' --ignore-path ../../../.prettierignore (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha on' --ignore-path ../../../.prettierignore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha on' --ignore-path ../../../.pret--log-level=error (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha on' --ignore-path ../../../.pret.prettierignore (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha on' --ignore-path ../../../.prettierignore (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --local .cfg 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion ignore (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo ode_modules/.bin-lang=go1.17 (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build2960279424/b383/cli.test /tmp/go-build2960279424/b383/cli.test -test.testlogfile=/tmp/go-build2960279424/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

---

✨ PR Review Safe Output Test - Run 23194715491

💥 [THE END] — Illustrated by Smoke Claude · ◷

[Copilot]

Pull request overview

Fixes the bot-detection workflow’s failing precompute step by removing use of an expired secret token and always using the repository-provided GITHUB_TOKEN.

Changes:

• Update the precompute step to use ${{ secrets.GITHUB_TOKEN }} instead of an expression that preferred an expired token.
• Recompile the generated workflow lockfile to reflect the source workflow change.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/bot-detection.md	Switch actions/github-script github-token input to secrets.GITHUB_TOKEN for the precompute step.
.github/workflows/bot-detection.lock.yml	Regenerated compiled workflow to mirror the token change (and updated metadata hash).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Good fix! Using GITHUB_TOKEN directly is cleaner and more reliable than falling back from an expired custom token. The permissions declared in the job (actions: read, contents: read, etc.) cover all required API calls.

[github-actions]

Lock file correctly recompiled with the updated token reference. The metadata hash change at line 26 reflects this compilation update.