From cdecc4ae2d1548ba5a8f7fec4d031d3ad4287791 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 18 Mar 2026 00:48:24 +0000
Subject: [PATCH 1/2] Initial plan
From a0e5c5bf2e0e34e814140b96367b5f22ff7667b4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 18 Mar 2026 01:01:38 +0000
Subject: [PATCH 2/2] refactor: extract github_app shared $def in main_workflow_schema to avoid duplication
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/parser/schemas/main_workflow_schema.json | 176 +++++--------------
 1 file changed, 43 insertions(+), 133 deletions(-)
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index dcc0936b137..a0f4abd5dc8 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -1558,31 +1558,8 @@
 "examples": ["${{ secrets.MY_GITHUB_TOKEN }}"]
 },
 "github-app": {
- "type": "object",
+ "$ref": "#/$defs/github_app",
 "description": "GitHub App configuration for minting a token used in pre-activation reactions, activation status comments, and skip-if search queries. When configured, a single GitHub App installation access token is minted and shared across all these operations instead of using the default GITHUB_TOKEN. Can be defined in a shared agentic workflow and inherited by importing workflows.",
- "properties": {
- "app-id": {
- "type": "string",
- "description": "GitHub App ID (e.g., '${{ vars.APP_ID }}'). Required to mint a GitHub App token."
- },
- "private-key": {
- "type": "string",
- "description": "GitHub App private key (e.g., '${{ secrets.APP_PRIVATE_KEY }}'). Required to mint a GitHub App token."
- },
- "owner": {
- "type": "string",
- "description": "Optional owner of the GitHub App installation (defaults to current repository owner if not specified)"
- },
- "repositories": {
- "type": "array",
- "description": "Optional list of repositories to grant access to (defaults to current repository if not specified)",
- "items": {
- "type": "string"
- }
- }
- },
- "required": ["app-id", "private-key"],
- "additionalProperties": false,
 "examples": [
 {
 "app-id": "${{ vars.APP_ID }}",
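Review bot: The `examples` array kept as context after the new `"$ref": "#/$defs/github_app"` line appears to repeat the `examples` this patch adds to the shared definition, so the two copies can drift apart; I would drop it here and in the hunk at `@@ -3297` and keep only the call-site `description`. Separately, `description` and `examples` now sit beside `$ref`: if this file is validated as draft-07, siblings of `$ref` are ignored, so the call-site text would not reach editors or generated docs. The declared `$schema` is not visible in this diff, so confirm the dialect before relying on that layout; the same `$ref` plus `description` shape is used in the hunks at `@@ -7365`, `@@ -8227` and `@@ -9174`. The enclosing `github-app` object closes outside this hunk.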
@@ -3297,31 +3274,8 @@
 "enum": ["none", "unapproved", "approved", "merged"]
 },
 "github-app": {
- "type": "object",
+ "$ref": "#/$defs/github_app",
 "description": "GitHub App configuration for token minting. When configured, a GitHub App installation access token is minted at workflow start and used instead of the default token. This token overrides any custom github-token setting and provides fine-grained permissions matching the agent job requirements.",
- "properties": {
- "app-id": {
- "type": "string",
- "description": "GitHub App ID (e.g., '${{ vars.APP_ID }}'). Required to mint a GitHub App token."
- },
- "private-key": {
- "type": "string",
- "description": "GitHub App private key (e.g., '${{ secrets.APP_PRIVATE_KEY }}'). Required to mint a GitHub App token."
- },
- "owner": {
- "type": "string",
- "description": "Optional owner of the GitHub App installation (defaults to current repository owner if not specified)"
- },
- "repositories": {
- "type": "array",
- "description": "Optional list of repositories to grant access to (defaults to current repository if not specified)",
- "items": {
- "type": "string"
- }
- }
- },
- "required": ["app-id", "private-key"],
- "additionalProperties": false,
 "examples": [
 {
 "app-id": "${{ vars.APP_ID }}",
@@ -7365,35 +7319,8 @@
 "examples": ["${{ secrets.GITHUB_TOKEN }}", "${{ secrets.CUSTOM_PAT }}", "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"]
 },
 "github-app": {
- "type": "object",
- "description": "GitHub App credentials for minting installation access tokens. When configured, a token will be generated using the app credentials and used for all safe output operations.",
- "properties": {
- "app-id": {
- "type": "string",
- "description": "GitHub App ID. Should reference a variable (e.g., ${{ vars.APP_ID }}).",
- "examples": ["${{ vars.APP_ID }}", "${{ secrets.APP_ID }}"]
- },
- "private-key": {
- "type": "string",
- "description": "GitHub App private key. Should reference a secret (e.g., ${{ secrets.APP_PRIVATE_KEY }}).",
- "examples": ["${{ secrets.APP_PRIVATE_KEY }}"]
- },
- "owner": {
- "type": "string",
- "description": "Optional: The owner of the GitHub App installation. If empty, defaults to the current repository owner.",
- "examples": ["my-organization", "${{ github.repository_owner }}"]
- },
- "repositories": {
- "type": "array",
- "description": "Optional: Comma or newline-separated list of repositories to grant access to. If owner is set and repositories is empty, access will be scoped to all repositories in the provided repository owner's installation. If owner and repositories are empty, access will be scoped to only the current repository.",
- "items": {
- "type": "string"
- },
- "examples": [["repo1", "repo2"], ["my-repo"]]
- }
- },
- "required": ["app-id", "private-key"],
- "additionalProperties": false
+ "$ref": "#/$defs/github_app",
+ "description": "GitHub App credentials for minting installation access tokens. When configured, a token will be generated using the app credentials and used for all safe output operations."
 },
 "max-patch-size": {
 "type": "integer",
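Review bot: The new `description` on this `github-app` no longer says how broad the minted token is. The removed `repositories` text stated that with `owner` set and `repositories` empty the token covers every repository in that owner's installation, while the shared `#/$defs/github_app` only says it "defaults to current repository if not specified". For a credential used for all safe output operations that gap matters for least privilege, so I would carry the sentence over, e.g. append `If owner is set and repositories is empty, the token is scoped to all repositories in that owner's installation.` to this call-site description or to the shared `repositories` description. The hunks at `@@ -8227` and `@@ -9174` likewise lose the `["*"]` org-wide note. Whether the runtime scopes tokens identically at all five call sites cannot be told from this diff, so confirm that before unifying the wording.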
@@ -8227,33 +8154,8 @@
 "description": "If true, agent restore step clears primitive dirs before unpacking."
 },
 "github-app": {
- "type": "object",
- "description": "GitHub App credentials for minting installation access tokens used by APM to access cross-org private repositories.",
- "required": ["app-id", "private-key"],
- "properties": {
- "app-id": {
- "type": "string",
- "description": "GitHub App ID (e.g., '${{ vars.APP_ID }}').",
- "examples": ["${{ vars.APP_ID }}"]
- },
- "private-key": {
- "type": "string",
- "description": "GitHub App private key (e.g., '${{ secrets.APP_PRIVATE_KEY }}').",
- "examples": ["${{ secrets.APP_PRIVATE_KEY }}"]
- },
- "owner": {
- "type": "string",
- "description": "Optional owner of the GitHub App installation. Defaults to current repository owner if not specified."
- },
- "repositories": {
- "type": "array",
- "description": "Optional list of repositories to grant access to. Use [\"*\"] for all repositories in the installation owner's org.",
- "items": {
- "type": "string"
- }
- }
- },
- "additionalProperties": false
+ "$ref": "#/$defs/github_app",
+ "description": "GitHub App credentials for minting installation access tokens used by APM to access cross-org private repositories."
 }
 },
 "required": ["packages"],
@@ -9050,6 +8952,41 @@
 "description": "GitHub token expression using secrets. Pattern details: `[A-Za-z_][A-Za-z0-9_]*` matches a valid secret name (starts with a letter or underscore, followed by letters, digits, or underscores). The full pattern matches expressions like `${{ secrets.NAME }}` or `${{ secrets.NAME1 || secrets.NAME2 }}`.",
 "examples": ["${{ secrets.GITHUB_TOKEN }}", "${{ secrets.CUSTOM_PAT }}", "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"]
 },
+ "github_app": {
+ "type": "object",
+ "description": "GitHub App credentials for minting installation access tokens.",
+ "properties": {
+ "app-id": {
+ "type": "string",
+ "description": "GitHub App ID (e.g., '${{ vars.APP_ID }}'). Required to mint a GitHub App token.",
+ "examples": ["${{ vars.APP_ID }}"]
+ },
+ "private-key": {
+ "type": "string",
+ "description": "GitHub App private key (e.g., '${{ secrets.APP_PRIVATE_KEY }}'). Required to mint a GitHub App token.",
+ "examples": ["${{ secrets.APP_PRIVATE_KEY }}"]
+ },
+ "owner": {
+ "type": "string",
+ "description": "Optional owner of the GitHub App installation (defaults to current repository owner if not specified)"
+ },
+ "repositories": {
+ "type": "array",
+ "description": "Optional list of repositories to grant access to (defaults to current repository if not specified)",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": ["app-id", "private-key"],
+ "additionalProperties": false,
+ "examples": [
+ {
+ "app-id": "${{ vars.APP_ID }}",
+ "private-key": "${{ secrets.APP_PRIVATE_KEY }}"
+ }
+ ]
+ },
 "githubActionsStep": {
 "type": "object",
 "description": "GitHub Actions workflow step",
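Review bot: `private-key` in the new shared `github_app` definition is constrained only by `"type": "string"`, so a workflow that pastes a literal private key into the file still validates cleanly. Now that all five `github-app` blocks resolve to this one definition, it is the natural place to require a secrets expression, as the token definition directly above appears to do with its `${{ secrets.NAME }}` pattern. That definition's name and exact `pattern` are outside this hunk, so reuse them rather than writing a new regex. `app-id` is less sensitive, and the removed call sites showed both `vars.` and `secrets.` examples, so it likely needs a looser rule or none. A tightened pattern would reject existing workflows that supply the key some other way, so check current usage first.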
@@ -9174,35 +9111,8 @@
 "examples": ["${{ secrets.MY_PAT }}", "${{ secrets.CROSS_REPO_PAT }}"]
 },
 "github-app": {
- "type": "object",
- "description": "GitHub App authentication. Mints a short-lived installation access token via actions/create-github-app-token. Mutually exclusive with github-token.",
- "required": ["app-id", "private-key"],
- "properties": {
- "app-id": {
- "type": "string",
- "description": "GitHub App ID. Use ${{ vars.APP_ID }} to reference a variable.",
- "examples": ["${{ vars.APP_ID }}"]
- },
- "private-key": {
- "type": "string",
- "description": "GitHub App private key. Use ${{ secrets.APP_PRIVATE_KEY }} to reference a secret.",
- "examples": ["${{ secrets.APP_PRIVATE_KEY }}"]
- },
- "owner": {
- "type": "string",
- "description": "Owner of the GitHub App installation. Defaults to the current repository owner.",
- "examples": ["my-org"]
- },
- "repositories": {
- "type": "array",
- "description": "Repositories to grant the token access to. Defaults to the current repository. Use [\"*\"] for org-wide access.",
- "items": {
- "type": "string"
- },
- "examples": [["repo-a", "repo-b"], ["*"]]
- }
- },
- "additionalProperties": false
+ "$ref": "#/$defs/github_app",
+ "description": "GitHub App authentication. Mints a short-lived installation access token via actions/create-github-app-token. Mutually exclusive with github-token."
 },
 "current": {
 "type": "boolean",