
Add top-level github-app frontmatter as universal fallback for token minting#21510

Merged
pelikhan merged 7 commits into main from copilot/add-frontmatter-support-github-app
Mar 18, 2026

Conversation


Copilot AI commented Mar 18, 2026

Workflows with multiple sections requiring GitHub App tokens (safe-outputs, checkout, MCP, APM dependencies, activation) had to repeat the same github-app config in each section. This adds a single top-level github-app field that propagates as a fallback to all nested token minting operations.

Fallback precedence

Section-specific github-app always wins; top-level is used only when the section has no explicit config. Explicit github-token settings also take priority and suppress the fallback:

  • on.github-app / on.github-token — activation (reactions, status comments, skip-if)
  • safe-outputs.github-app / safe-outputs.github-token
  • checkout.github-app / checkout.github-token — entries without explicit auth
  • tools.github.github-app / tools.github.github-token — GitHub MCP server; tools.github: false also suppresses the fallback
  • dependencies.github-app — APM packages

Usage

github-app:                                   # top-level fallback
  app-id: ${{ vars.APP_ID }}
  private-key: ${{ secrets.APP_PRIVATE_KEY }}

safe-outputs:
  create-issue: {}                            # inherits top-level app

checkout:
  repository: myorg/private-repo             # inherits top-level app

tools:
  github:
    mode: remote                              # inherits top-level app

The top-level github-app can also be defined in a shared agent workflow and imported by consuming workflows. The same first-wins precedence applies: the current workflow's own github-app takes priority over one imported from a shared workflow.

Implementation

  • Schema — added github-app to top-level properties in main_workflow_schema.json
  • WorkflowData — new TopLevelGitHubApp *GitHubAppConfig field
  • resolveTopLevelGitHubApp() — resolves the top-level config from frontmatter, falling back to MergedTopLevelGitHubApp from imports (same pattern as resolveActivationGitHubApp)
  • applyTopLevelGitHubAppFallbacks() — called at end of extractAdditionalConfigurations; patches both the typed struct fields and the raw tools map (necessary because applyDefaults rebuilds ParsedTools from the map); skips each section when an explicit github-token or github-app is already set, and skips tools.github when it is explicitly disabled (github: false)
  • Import pipeline — importAccumulator now extracts the top-level github-app from each imported workflow (first-wins); result surfaced via ImportsResult.MergedTopLevelGitHubApp
  • validateGitHubAppJSON() — shared helper extracted to avoid duplicating required-field validation between extractOnGitHubApp and extractTopLevelGitHubApp

Tests

Six scenario workflow files in pkg/cli/workflows/ (one per fallback target + one showing section-specific precedence), with corresponding integration tests in pkg/workflow/top_level_github_app_integration_test.go. Unit tests in pkg/workflow/top_level_github_app_import_test.go cover all five fallback targets × three variants each (fallback applied, section-specific override wins, explicit token suppresses fallback), plus import scenarios (import fallback, local override, activation propagation).

Original prompt

Add frontmatter support for a top-level github-app that can be used as a fallback in all nested github-app token minting operations.

Add integration tests for each scenario in pkg/cli/workflows



…oken minting

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add frontmatter support for top-level GitHub app Add top-level github-app frontmatter as universal fallback for token minting Mar 18, 2026
Copilot AI requested a review from pelikhan March 18, 2026 03:15

@pelikhan pelikhan left a comment


@copilot make sure the top-level github-app can be imported from a shared agent workflow

@pelikhan pelikhan marked this pull request as ready for review March 18, 2026 03:30
Copilot AI review requested due to automatic review settings March 18, 2026 03:30
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 18, 2026

@copilot make sure the top-level github-app can be imported from a shared agent workflow

Done in 3d9dc56. The top-level github-app can now be defined in a shared agent workflow and imported into consuming workflows. When a workflow imports a shared workflow that declares a top-level github-app, the imported app config is used as the fallback (following the same first-wins strategy as on.github-app imports).

The workflow's own top-level github-app always takes precedence over one from an import. The changes are in the parser's importAccumulator (new topLevelGitHubApp field + extraction), ImportsResult (new MergedTopLevelGitHubApp field), and the resolveTopLevelGitHubApp() function in the compiler (checks own frontmatter first, then falls back to imports). Three unit tests cover the import, local-override, and activation-propagation scenarios.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan March 18, 2026 03:33

Copilot AI left a comment


Pull request overview

Adds support for a top-level github-app frontmatter key that serves as a universal fallback for GitHub App token minting across workflow sections, reducing repeated configuration.

Changes:

  • Extend the main workflow schema to allow top-level github-app.
  • Extract/store top-level GitHub App config in WorkflowData and apply it as a fallback to activation, safe-outputs, checkout, tools.github, and APM dependencies.
  • Add integration tests plus sample workflow fixtures demonstrating each fallback/precedence scenario.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Summary per file

  • pkg/workflow/top_level_github_app_integration_test.go: New integration tests validating top-level fallback behavior and precedence.
  • pkg/workflow/compiler_types.go: Adds TopLevelGitHubApp field to workflow compilation state.
  • pkg/workflow/compiler_orchestrator_workflow.go: Implements extraction + fallback application across nested token-minting consumers.
  • pkg/parser/schemas/main_workflow_schema.json: Adds top-level github-app to the frontmatter schema.
  • pkg/cli/workflows/test-top-level-github-app-*.md: Adds sample workflows used as scenario fixtures for integration tests/docs.
Comments suppressed due to low confidence (2)

pkg/workflow/compiler_orchestrator_workflow.go:599

  • The top-level github-app fallback is applied to activation whenever ActivationGitHubApp is nil, but this ignores an explicit on.github-token. If a workflow sets on.github-token (and no on.github-app), applying the top-level github-app changes auth precedence and will cause the pre-activation/activation steps to prefer an app token over the user-specified token. Update the fallback condition to only apply when both ActivationGitHubApp is nil AND ActivationGitHubToken is empty (i.e., no explicit activation auth configured).
	if importsResult != nil && importsResult.MergedTopLevelGitHubApp != "" {
		var appMap map[string]any
		if err := json.Unmarshal([]byte(importsResult.MergedTopLevelGitHubApp), &appMap); err == nil {
			app := parseAppConfig(appMap)
			if app.AppID != "" && app.PrivateKey != "" {

pkg/workflow/compiler_orchestrator_workflow.go:605

  • The safe-outputs fallback currently applies whenever SafeOutputs.GitHubApp is nil, even if SafeOutputs.GitHubToken is explicitly set. Because downstream logic prioritizes GitHubApp over GitHubToken, this would silently override a user-provided safe-outputs.github-token when a top-level github-app exists. Only apply the top-level fallback when neither safe-outputs.github-app nor safe-outputs.github-token is configured.
				return app
			}
		}
	}
	return nil
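Review bot: the import branch in this region treats a json.Unmarshal failure and an incomplete app (app.AppID or app.PrivateKey empty) exactly like "no import declared one": both fall through to return nil with no diagnostic, so a malformed top-level github-app in a shared workflow silently disables the fallback in every consuming workflow and only shows up later as a failed token mint. Suggest logging the unmarshal error and the incomplete-config case through orchestratorWorkflowLog, or surfacing it as a compile error, so the problem is caught when the workflow is compiled.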


Comment on lines +638 to +644
if data.ParsedTools != nil && data.ParsedTools.GitHub != nil && data.ParsedTools.GitHub.GitHubApp == nil {
orchestratorWorkflowLog.Print("Applying top-level github-app fallback for tools.github")
data.ParsedTools.GitHub.GitHubApp = fallback
// Also update the raw tools map so applyDefaultTools (called from applyDefaults in
// processOnSectionAndFilters) does not lose the fallback when it rebuilds ParsedTools
// from the map.
if github, ok := data.Tools["github"].(map[string]any); ok {
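Review bot: the guard on the first line of this region checks only GitHubApp == nil and not GitHubToken, so an explicit tools.github.github-token would be replaced by the top-level app (downstream an app config takes priority over a token, which is the same gap the suppressed comments raise for activation and safe-outputs); suggest adding && data.ParsedTools.GitHub.GitHubToken == "" to match the checkout guard. Separately, the branch "if github, ok := data.Tools["github"].(map[string]any); ok" has no else, so when tools.github is a scalar such as github: true the raw map is never patched and, as the comment in this region itself notes, the applyDefaults rebuild would drop the fallback; a non-map entry needs to be normalized into a map carrying the github-app before that re-parse.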
"app-id: ${{ vars.SAFE_OUTPUTS_APP_ID }}",
"app-id: ${{ vars.ACTIVATION_APP_ID }}",
},
},
@pelikhan

@copilot Review comments

…test entry

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Mar 18, 2026

@copilot Review comments

Done in 8ade6cb. Addressed both review comments:

  1. github-token skip — the tools.github fallback now checks GitHubToken == "" before applying the app config (same guard already used for checkout), so an explicit tools.github.github-token always wins.

  2. Non-map normalization — when data.Tools["github"] is not already a map (e.g. github: true), the raw entry is now replaced with a fresh map[string]any{"github-app": appMap} so the injected config survives the applyDefaults re-parse.

Also added the missing MCP entry to TestTopLevelGitHubAppWorkflowFiles and a new unit test TestTopLevelGitHubAppToolsGitHubTokenSkip that verifies the github-token skip path.

@pelikhan

@copilot Keep working

@pelikhan

@copilot keep working

@pelikhan

@copilot keep working

…plicitly disabled

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 18, 2026

@copilot keep working

Fixed an additional edge case in ac43855: when tools.github: false is explicitly set to disable the GitHub MCP tool, the top-level github-app fallback was incorrectly re-enabling it by replacing the false value with a map. Added the data.Tools["github"] != false guard and a new test TestTopLevelGitHubAppToolsGitHubFalseSkip to cover this path.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan

@copilot add more tests for each possible override

…fix activation and safe-outputs github-token skip guards

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 18, 2026

@copilot add more tests for each possible override

Done in b426ffd. Added 12 new unit tests covering all five fallback targets (activation, safe-outputs, checkout, tools.github, dependencies) with three variants each: fallback applied, section-specific override wins, and explicit token skips the fallback.

Also fixed two related bugs uncovered while writing the tests:

  • Activation: the fallback was applied even when on.github-token was set — app tokens take priority at runtime so this would silently change auth behavior. Fixed by adding && data.ActivationGitHubToken == "" to the guard.
  • Safe-outputs: same issue with safe-outputs.github-token. Fixed by adding && data.SafeOutputs.GitHubToken == "" to the guard.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan

@copilot create helper function to determine if global override is needed and apply at every if statement that does the override so that the behavior is consistent

…ll five fallback sites

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 18, 2026

@copilot create helper function to determine if global override is needed and apply at every if statement that does the override so that the behavior is consistent

Done in a9c5c39. Extracted topLevelFallbackNeeded(app *GitHubAppConfig, token string) bool — returns true only when neither an explicit github-app nor a github-token is already set. All five override sites in applyTopLevelGitHubAppFallbacks now call this helper, so the guard logic is identical everywhere.
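
The precedence rules discussed in this thread (top-level fallback applied only when a section has neither its own `github-app` nor an explicit `github-token`, and the same guard reused at every site) can be shown end to end with a small Go program. This is an added example, not the project's own `applyTopLevelGitHubAppFallbacks` or its real data types: the struct shapes (`WorkflowData`, `SafeOutputsConfig`, `CheckoutEntry`), the `authSource` helper and the sample values are constructed for illustration; only the helper name `topLevelFallbackNeeded`, its signature and the field names `ActivationGitHubToken` and `SafeOutputs.GitHubToken` come from the thread. It covers three of the five fallback targets (activation, safe-outputs, checkout) and also shows why the explicit-token check matters.

```go
package main

import "fmt"

// GitHubAppConfig is a simplified stand-in for the github-app frontmatter
// block (app-id / private-key); constructed for this example.
type GitHubAppConfig struct {
	AppID      string
	PrivateKey string
}

// SafeOutputsConfig keeps only the auth fields relevant to the fallback.
type SafeOutputsConfig struct {
	GitHubApp   *GitHubAppConfig
	GitHubToken string
}

// CheckoutEntry is one entry under checkout:; the fallback applies per entry.
type CheckoutEntry struct {
	Repository  string
	GitHubApp   *GitHubAppConfig
	GitHubToken string
}

// WorkflowData is a constructed subset of the compiler's workflow data,
// holding the top-level github-app and three of the five fallback targets.
type WorkflowData struct {
	GitHubApp             *GitHubAppConfig // top-level fallback source
	ActivationGitHubApp   *GitHubAppConfig // on.github-app
	ActivationGitHubToken string           // on.github-token
	SafeOutputs           *SafeOutputsConfig
	Checkout              []CheckoutEntry
}

// topLevelFallbackNeeded returns true only when the section has neither an
// explicit github-app nor a github-token. An explicit token must suppress the
// fallback: a minted app token would otherwise take priority at runtime and
// silently change which identity the step authenticates as.
func topLevelFallbackNeeded(app *GitHubAppConfig, token string) bool {
	return app == nil && token == ""
}

// applyTopLevelGitHubAppFallbacks propagates the top-level github-app into
// every section without explicit auth, using the same guard at each site.
func applyTopLevelGitHubAppFallbacks(data *WorkflowData) {
	if data.GitHubApp == nil {
		return // nothing to propagate
	}
	if topLevelFallbackNeeded(data.ActivationGitHubApp, data.ActivationGitHubToken) {
		data.ActivationGitHubApp = data.GitHubApp
	}
	if data.SafeOutputs != nil &&
		topLevelFallbackNeeded(data.SafeOutputs.GitHubApp, data.SafeOutputs.GitHubToken) {
		data.SafeOutputs.GitHubApp = data.GitHubApp
	}
	for i := range data.Checkout {
		e := &data.Checkout[i]
		if topLevelFallbackNeeded(e.GitHubApp, e.GitHubToken) {
			e.GitHubApp = data.GitHubApp
		}
	}
}

// authSource reports which credential a section resolved to, for inspection.
func authSource(app *GitHubAppConfig, token string) string {
	switch {
	case app != nil:
		return "app:" + app.AppID
	case token != "":
		return "token"
	default:
		return "default"
	}
}

func main() {
	// Constructed sample: top-level app, safe-outputs with an explicit token,
	// one checkout entry without auth and one with its own app.
	top := &GitHubAppConfig{AppID: "top-app", PrivateKey: "<placeholder>"}
	data := &WorkflowData{
		GitHubApp:   top,
		SafeOutputs: &SafeOutputsConfig{GitHubToken: "${{ secrets.PAT }}"},
		Checkout: []CheckoutEntry{
			{Repository: "myorg/private-repo"},
			{Repository: "myorg/other", GitHubApp: &GitHubAppConfig{AppID: "checkout-app"}},
		},
	}
	applyTopLevelGitHubAppFallbacks(data)
	fmt.Println("activation:", authSource(data.ActivationGitHubApp, data.ActivationGitHubToken))
	fmt.Println("safe-outputs:", authSource(data.SafeOutputs.GitHubApp, data.SafeOutputs.GitHubToken))
	for _, e := range data.Checkout {
		fmt.Println("checkout", e.Repository+":", authSource(e.GitHubApp, e.GitHubToken))
	}
}
```

Running it prints `app:top-app` for activation and the first checkout entry, `token` for safe-outputs (the explicit token suppressed the fallback) and `app:checkout-app` for the second entry (its own config won). Centralising the guard in one function is what makes those three outcomes consistent across sites; before the helper existed, two sites omitted the token check and would have minted an app token over an explicitly configured one.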

@pelikhan pelikhan merged commit 444ffcc into main Mar 18, 2026
53 checks passed
@pelikhan pelikhan deleted the copilot/add-frontmatter-support-github-app branch March 18, 2026 11:42
lpcox added a commit that referenced this pull request Mar 18, 2026
* docs: add GH_HOST and RUNNER_TEMP to glossary (daily scan 2026-03-18) (#21553)

* docs: update GHES CLI docs and add Copilot GHES troubleshooting guide (#21528)

* Fix list height not updating on terminal resize (#21555)

* fix(daily-workflow-updater): unblock PR creation by setting protected-files: allowed (#21554)

* chore: bump MCP Gateway v0.1.15→v0.1.17 (#21552)

* feat: custom Huh theme mapped from pkg/styles Dracula palette (#21557)

* Add top-level `github-app` frontmatter as universal fallback for token minting (#21510)

* feat: add GitHub App-only permissions support (#21511)

* fix: fall back to existing remote tracking ref when incremental patch fetch fails (#21568)

* Add weekly blog post writer agentic workflow (#21575)

* ci: add timeout-minutes to all 25 jobs lacking explicit limits (#21601)

* fix: add setupGlobals in generate_aw_info step to fix staged mode ReferenceError (#21602)

* Disable lockdown mode for weekly blog post generator (#21598)

* fix: replace git push with GraphQL signed commits to satisfy required_signatures rulesets (#21576)

* docs: add weekly update blog post for 2026-03-18 (#21608)

Covers v0.58.0 through v0.61.0 (7 releases this week),
notable PRs, and auto-triage-issues as Agent of the Week.

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix failing CI: merge main to include setupGlobals in generate_aw_info step and update golden files

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
lpcox added a commit that referenced this pull request Mar 18, 2026
…ains on data residency (#21527)

* Initial plan

* Fix threat detection AWF run missing --copilot-api-target and GHE domains on data residency

When engine.api-target is configured for GHE Cloud with data residency,
propagate the APITarget from the main engine config to the detection
engine config so the threat detection AWF invocation receives the same
--copilot-api-target flag and GHE-specific domains in --allow-domains.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Add GITHUB_COPILOT_BASE_URL env var support and fix integration test api-target

- Fix TestAPITargetDomainsInThreatDetectionStep to use api.contoso-aw.ghe.com
  (copilot-api. prefix does not trigger base-domain derivation in GetAPITargetDomains)
- Add GetCopilotAPITarget() helper: resolves --copilot-api-target from engine.api-target
  (explicit) or GITHUB_COPILOT_BASE_URL in engine.env (fallback), mirroring the
  OPENAI_BASE_URL/ANTHROPIC_BASE_URL pattern for Codex/Claude
- Update awf_helpers.go, copilot_engine_execution.go, and domains.go to use the helper
- Add unit tests for GetCopilotAPITarget and engine execution step
- Add integration test TestGitHubCopilotBaseURLInCompiledWorkflow
- Update engines.md docs to document GITHUB_COPILOT_BASE_URL

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Update DefaultMCPGatewayVersion to v0.1.17 and regenerate golden/lock files (#21609)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: merge main to resolve failing build-wasm and test CI jobs (#21612)

* docs: add GH_HOST and RUNNER_TEMP to glossary (daily scan 2026-03-18) (#21553)

* docs: update GHES CLI docs and add Copilot GHES troubleshooting guide (#21528)

* Fix list height not updating on terminal resize (#21555)

* fix(daily-workflow-updater): unblock PR creation by setting protected-files: allowed (#21554)

* chore: bump MCP Gateway v0.1.15→v0.1.17 (#21552)

* feat: custom Huh theme mapped from pkg/styles Dracula palette (#21557)

* Add top-level `github-app` frontmatter as universal fallback for token minting (#21510)

* feat: add GitHub App-only permissions support (#21511)

* fix: fall back to existing remote tracking ref when incremental patch fetch fails (#21568)

* Add weekly blog post writer agentic workflow (#21575)

* ci: add timeout-minutes to all 25 jobs lacking explicit limits (#21601)

* fix: add setupGlobals in generate_aw_info step to fix staged mode ReferenceError (#21602)

* Disable lockdown mode for weekly blog post generator (#21598)

* fix: replace git push with GraphQL signed commits to satisfy required_signatures rulesets (#21576)

* docs: add weekly update blog post for 2026-03-18 (#21608)

Covers v0.58.0 through v0.61.0 (7 releases this week),
notable PRs, and auto-triage-issues as Agent of the Week.

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix failing CI: merge main to include setupGlobals in generate_aw_info step and update golden files

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>