From ac7551d87765aea869d7a2332da88c578bb68fc0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 20:40:14 +0000 Subject: [PATCH 1/8] Initial plan From f8df5f2749882f409503197047ae7fbe685d082c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 21:06:52 +0000 Subject: [PATCH 2/8] Fix: Download patch artifact in safe_outputs job for push_to_pull_request_branch The safe_outputs job was not downloading the aw.patch artifact, causing push_to_pull_request_branch operations to fail silently. The agent would create and commit changes, but the push step would find no patch file and return without pushing, resulting in changes not being applied. Changes: - Add patch artifact download step in consolidated safe_outputs job - Download aw.patch to /tmp/gh-aw/ when push_to_pull_request_branch is enabled - Add test to verify patch download step is included - Recompile all 120 workflows with the fix Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 6 ++ .github/workflows/craft.lock.yml | 6 ++ .github/workflows/mergefest.lock.yml | 6 ++ .github/workflows/poem-bot.lock.yml | 6 ++ .github/workflows/tidy.lock.yml | 6 ++ .../compiler_safe_outputs_consolidated.go | 13 ++++ .../push_to_pull_request_branch_test.go | 72 +++++++++++++++++++ 7 files changed, 115 insertions(+) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 959928d6979..4c603fbbff3 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -7482,6 +7482,12 @@ jobs: permission-contents: write permission-issues: write permission-pull-requests: write + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 1e45316d153..4fa3bd434e5 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -7646,6 +7646,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 8d1e6e0081d..3bede013fb9 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -7356,6 +7356,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index c557f9cfbda..eb3cdc34ba5 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -8030,6 +8030,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index adfe24f27af..e3ea40d06ad 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -7164,6 +7164,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/pkg/workflow/compiler_safe_outputs_consolidated.go b/pkg/workflow/compiler_safe_outputs_consolidated.go index ab5d065e49c..a2c17e4421b 100644 --- a/pkg/workflow/compiler_safe_outputs_consolidated.go +++ b/pkg/workflow/compiler_safe_outputs_consolidated.go @@ -153,6 +153,19 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa // Add artifact download steps once at the beginning steps = append(steps, buildAgentOutputDownloadSteps()...) + // Add patch artifact download if push-to-pull-request-branch is enabled + // This is required for the push_to_pull_request_branch step to find the patch file + if data.SafeOutputs.PushToPullRequestBranch != nil { + consolidatedSafeOutputsLog.Print("Adding patch artifact download for push-to-pull-request-branch") + patchDownloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{ + ArtifactName: "aw.patch", + DownloadPath: "/tmp/gh-aw/", + SetupEnvStep: false, // No environment variable needed, the script checks the file directly + StepName: "Download patch artifact", + }) + steps = append(steps, patchDownloadSteps...) + } + // Add JavaScript files setup step if using file mode if scriptFilesResult != nil && len(scriptFilesResult.Files) > 0 { // Prepare files with rewritten require paths diff --git a/pkg/workflow/push_to_pull_request_branch_test.go b/pkg/workflow/push_to_pull_request_branch_test.go index e8615b5166a..44cc6834a7f 100644 --- a/pkg/workflow/push_to_pull_request_branch_test.go +++ b/pkg/workflow/push_to_pull_request_branch_test.go @@ -804,3 +804,75 @@ Test that the push-to-pull-request-branch job receives activation comment enviro t.Errorf("Generated workflow should contain GH_AW_COMMENT_REPO environment variable") } } + +// TestPushToPullRequestBranchPatchArtifactDownload verifies that when push-to-pull-request-branch +// is enabled, the safe_outputs job includes a step to download the aw.patch artifact +func TestPushToPullRequestBranchPatchArtifactDownload(t *testing.T) { + // Create a temporary directory for the test + tmpDir := testutil.TempDir(t, "test-*") + + // Create a test markdown file with push-to-pull-request-branch configuration + testMarkdown := `--- +on: + pull_request: + types: [opened] +safe-outputs: + push-to-pull-request-branch: +--- + +# Test Push to PR Branch Patch Download + +This test verifies that the aw.patch artifact is downloaded in the safe_outputs job. +` + + // Write the test file + mdFile := filepath.Join(tmpDir, "test-push-patch-download.md") + if err := os.WriteFile(mdFile, []byte(testMarkdown), 0644); err != nil { + t.Fatalf("Failed to write test markdown file: %v", err) + } + + // Create compiler and compile the workflow + compiler := NewCompiler(false, "", "test") + + if err := compiler.CompileWorkflow(mdFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + // Read the generated .lock.yml file + lockFile := strings.TrimSuffix(mdFile, ".md") + ".lock.yml" + lockContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + lockContentStr := string(lockContent) + + // Verify that safe_outputs job exists + if !strings.Contains(lockContentStr, "safe_outputs:") { + t.Fatalf("Generated workflow should contain safe_outputs job") + } + + // Verify that patch download step exists in safe_outputs job + if !strings.Contains(lockContentStr, "- name: Download patch artifact") { + t.Errorf("Expected 'Download patch artifact' step in safe_outputs job when push-to-pull-request-branch is enabled") + } + + // Verify that patch is downloaded to correct path + if !strings.Contains(lockContentStr, "name: aw.patch") { + t.Errorf("Expected patch artifact to be named 'aw.patch'") + } + + if !strings.Contains(lockContentStr, "path: /tmp/gh-aw/") { + t.Errorf("Expected patch artifact to be downloaded to '/tmp/gh-aw/'") + } + + // Verify that the push step exists and references the patch file + if !strings.Contains(lockContentStr, "- name: Push To Pull Request Branch") { + t.Errorf("Expected 'Push To Pull Request Branch' step in safe_outputs job") + } + + // Verify that the condition checks for push_to_pull_request_branch output type + if !strings.Contains(lockContentStr, "contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')") { + t.Errorf("Expected condition to check for 'push_to_pull_request_branch' in output_types") + } +} From 4ae120741bc1a85b9123b8d12a0ae860fdab3430 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 21:20:14 +0000 Subject: [PATCH 3/8] Extend patch download to also support create-pull-request safe output Both create-pull-request and push-to-pull-request-branch safe outputs require the aw.patch artifact to apply changes. Updated the condition to download the patch when either safe output type is enabled. Changes: - Update condition to check for CreatePullRequests OR PushToPullRequestBranch - Add TestCreatePullRequestPatchArtifactDownload test - Recompile all 120 workflows with extended fix Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ci-coach.lock.yml | 6 ++ .github/workflows/cloclo.lock.yml | 6 ++ .github/workflows/daily-doc-updater.lock.yml | 6 ++ .../workflows/daily-workflow-updater.lock.yml | 6 ++ .../developer-docs-consolidator.lock.yml | 6 ++ .github/workflows/dictation-prompt.lock.yml | 6 ++ .../github-mcp-tools-report.lock.yml | 6 ++ .../workflows/glossary-maintainer.lock.yml | 6 ++ .github/workflows/go-logger.lock.yml | 6 ++ .github/workflows/hourly-ci-cleaner.lock.yml | 6 ++ .github/workflows/incident-response.lock.yml | 6 ++ .../workflows/instructions-janitor.lock.yml | 6 ++ .github/workflows/jsweep.lock.yml | 6 ++ .../workflows/layout-spec-maintainer.lock.yml | 6 ++ .github/workflows/org-wide-rollout.lock.yml | 6 ++ .github/workflows/q.lock.yml | 6 ++ .github/workflows/security-fix-pr.lock.yml | 6 ++ .../workflows/slide-deck-maintainer.lock.yml | 6 ++ .github/workflows/spec-kit-execute.lock.yml | 6 ++ .github/workflows/spec-kit-executor.lock.yml | 6 ++ .../workflows/technical-doc-writer.lock.yml | 6 ++ .github/workflows/unbloat-docs.lock.yml | 6 ++ pkg/workflow/compile_outputs_pr_test.go | 73 +++++++++++++++++++ .../compiler_safe_outputs_consolidated.go | 8 +- 24 files changed, 209 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index a3fd0d36cc7..c28ad4b29f2 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -7292,6 +7292,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index a104933143e..1903951047a 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -7539,6 +7539,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index ccbbe7d49ba..070c1c5faea 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -6279,6 +6279,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 866a032c28d..c9b78dd10fe 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -6549,6 +6549,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 30903bfab44..d24207ff4d8 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -6831,6 +6831,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 558d307d0b9..4b3657d0f43 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -6444,6 +6444,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 0f9d99c9443..d82aa2439ee 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -6642,6 +6642,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 5fda8cd5174..93f94005426 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -7137,6 +7137,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index a6abe873a52..1c7cec09fba 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -6353,6 +6353,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 36503e438ca..c0af884a841 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -6775,6 +6775,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml index f3a28a4a205..88924256ca4 100644 --- a/.github/workflows/incident-response.lock.yml +++ b/.github/workflows/incident-response.lock.yml @@ -7265,6 +7265,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 9de726e6e93..fb5d372b6af 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -6233,6 +6233,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 5a8a0bba37a..83496db363b 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -6647,6 +6647,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index abcac790503..f49352b0564 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -6667,6 +6667,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml index 265cbc983bb..a3ce285d693 100644 --- a/.github/workflows/org-wide-rollout.lock.yml +++ b/.github/workflows/org-wide-rollout.lock.yml @@ -7293,6 +7293,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 80a5d3e336f..1b32b1803e1 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -7940,6 +7940,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 64935534d11..83fe0a0b19c 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -6443,6 +6443,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 35788ca0309..4e03155c88e 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -6941,6 +6941,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml index 2a11bdcc27a..a01184b7021 100644 --- a/.github/workflows/spec-kit-execute.lock.yml +++ b/.github/workflows/spec-kit-execute.lock.yml @@ -7043,6 +7043,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml index 599dad539fb..4e9ce59a948 100644 --- a/.github/workflows/spec-kit-executor.lock.yml +++ b/.github/workflows/spec-kit-executor.lock.yml @@ -6918,6 +6918,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 619e24b03f3..534c74ca20b 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -6952,6 +6952,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 4f1778bde8e..7653e93ccc9 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -7157,6 +7157,12 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs/ find "/tmp/gh-aw/safeoutputs/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Download patch artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: aw.patch + path: /tmp/gh-aw/ - name: Setup JavaScript files id: setup_scripts shell: bash diff --git a/pkg/workflow/compile_outputs_pr_test.go b/pkg/workflow/compile_outputs_pr_test.go index b1848b32a92..b77c105114c 100644 --- a/pkg/workflow/compile_outputs_pr_test.go +++ b/pkg/workflow/compile_outputs_pr_test.go @@ -432,3 +432,76 @@ This workflow tests the default if-no-changes behavior. t.Error("Expected GH_AW_PR_IF_NO_CHANGES environment variable to be set in generated workflow") } } + +// TestCreatePullRequestPatchArtifactDownload verifies that when create-pull-request +// is enabled, the safe_outputs job includes a step to download the aw.patch artifact +func TestCreatePullRequestPatchArtifactDownload(t *testing.T) { + // Create a temporary directory for the test + tmpDir := testutil.TempDir(t, "test-*") + + // Create a test markdown file with create-pull-request configuration + testMarkdown := `--- +on: + pull_request: + types: [opened] +safe-outputs: + create-pull-request: + title-prefix: "[bot] " +--- + +# Test Create Pull Request Patch Download + +This test verifies that the aw.patch artifact is downloaded in the safe_outputs job. +` + + // Write the test file + mdFile := filepath.Join(tmpDir, "test-create-pr-patch-download.md") + if err := os.WriteFile(mdFile, []byte(testMarkdown), 0644); err != nil { + t.Fatalf("Failed to write test markdown file: %v", err) + } + + // Create compiler and compile the workflow + compiler := NewCompiler(false, "", "test") + + if err := compiler.CompileWorkflow(mdFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + // Read the generated .lock.yml file + lockFile := strings.TrimSuffix(mdFile, ".md") + ".lock.yml" + lockContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + lockContentStr := string(lockContent) + + // Verify that safe_outputs job exists + if !strings.Contains(lockContentStr, "safe_outputs:") { + t.Fatalf("Generated workflow should contain safe_outputs job") + } + + // Verify that patch download step exists in safe_outputs job + if !strings.Contains(lockContentStr, "- name: Download patch artifact") { + t.Errorf("Expected 'Download patch artifact' step in safe_outputs job when create-pull-request is enabled") + } + + // Verify that patch is downloaded to correct path + if !strings.Contains(lockContentStr, "name: aw.patch") { + t.Errorf("Expected patch artifact to be named 'aw.patch'") + } + + if !strings.Contains(lockContentStr, "path: /tmp/gh-aw/") { + t.Errorf("Expected patch artifact to be downloaded to '/tmp/gh-aw/'") + } + + // Verify that the create_pull_request step exists + if !strings.Contains(lockContentStr, "- name: Create Pull Request") { + t.Errorf("Expected 'Create Pull Request' step in safe_outputs job") + } + + // Verify that the condition checks for create_pull_request output type + if !strings.Contains(lockContentStr, "contains(needs.agent.outputs.output_types, 'create_pull_request')") { + t.Errorf("Expected condition to check for 'create_pull_request' in output_types") + } +} diff --git a/pkg/workflow/compiler_safe_outputs_consolidated.go b/pkg/workflow/compiler_safe_outputs_consolidated.go index a2c17e4421b..5af324d3057 100644 --- a/pkg/workflow/compiler_safe_outputs_consolidated.go +++ b/pkg/workflow/compiler_safe_outputs_consolidated.go @@ -153,10 +153,10 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa // Add artifact download steps once at the beginning steps = append(steps, buildAgentOutputDownloadSteps()...) - // Add patch artifact download if push-to-pull-request-branch is enabled - // This is required for the push_to_pull_request_branch step to find the patch file - if data.SafeOutputs.PushToPullRequestBranch != nil { - consolidatedSafeOutputsLog.Print("Adding patch artifact download for push-to-pull-request-branch") + // Add patch artifact download if create-pull-request or push-to-pull-request-branch is enabled + // Both of these safe outputs require the patch file to apply changes + if data.SafeOutputs.CreatePullRequests != nil || data.SafeOutputs.PushToPullRequestBranch != nil { + consolidatedSafeOutputsLog.Print("Adding patch artifact download for create-pull-request or push-to-pull-request-branch") patchDownloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{ ArtifactName: "aw.patch", DownloadPath: "/tmp/gh-aw/", From 7f3dd49233edd6b236e9e63d916d4cd3f4f167c6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 21:48:25 +0000 Subject: [PATCH 4/8] Fix: Add checkout and git config steps for push_to_pull_request_branch and create_pull_request The push_to_pull_request_branch and create_pull_request steps were failing with permission errors because they tried to push to the repository without first checking it out and configuring Git credentials. The buildPushToPullRequestBranchPreStepsConsolidated and buildCreatePullRequestPreStepsConsolidated functions were stubs returning nil. They now properly generate checkout and git config steps with conditional execution matching the safe output step conditions. Changes: - Implement buildPushToPullRequestBranchPreStepsConsolidated to add checkout and git config - Implement buildCreatePullRequestPreStepsConsolidated to add checkout and git config - Both use the GitHub App token for authentication - Steps are conditional on the safe output being triggered - Recompile all 120 workflows with the fix Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 18 +++++ .github/workflows/ci-coach.lock.yml | 18 +++++ .github/workflows/cloclo.lock.yml | 18 +++++ .github/workflows/craft.lock.yml | 18 +++++ .github/workflows/daily-doc-updater.lock.yml | 18 +++++ .../workflows/daily-workflow-updater.lock.yml | 18 +++++ .../developer-docs-consolidator.lock.yml | 18 +++++ .github/workflows/dictation-prompt.lock.yml | 18 +++++ .../github-mcp-tools-report.lock.yml | 18 +++++ .../workflows/glossary-maintainer.lock.yml | 18 +++++ .github/workflows/go-logger.lock.yml | 18 +++++ .github/workflows/hourly-ci-cleaner.lock.yml | 18 +++++ .github/workflows/incident-response.lock.yml | 18 +++++ .../workflows/instructions-janitor.lock.yml | 18 +++++ .github/workflows/jsweep.lock.yml | 18 +++++ .../workflows/layout-spec-maintainer.lock.yml | 18 +++++ .github/workflows/mergefest.lock.yml | 18 +++++ .github/workflows/org-wide-rollout.lock.yml | 18 +++++ .github/workflows/poem-bot.lock.yml | 36 +++++++++ .github/workflows/q.lock.yml | 18 +++++ .github/workflows/security-fix-pr.lock.yml | 18 +++++ .../workflows/slide-deck-maintainer.lock.yml | 18 +++++ .github/workflows/spec-kit-execute.lock.yml | 18 +++++ .github/workflows/spec-kit-executor.lock.yml | 18 +++++ .../workflows/technical-doc-writer.lock.yml | 18 +++++ .github/workflows/tidy.lock.yml | 36 +++++++++ .github/workflows/unbloat-docs.lock.yml | 18 +++++ .../compiler_safe_outputs_consolidated.go | 76 +++++++++++++++++-- 28 files changed, 592 insertions(+), 6 deletions(-) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 4c603fbbff3..82c9a5f45da 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -8826,6 +8826,24 @@ jobs: executeUpdate: executePRUpdate, }); (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index c28ad4b29f2..b7c50676baf 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -7567,6 +7567,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 1903951047a..013a0cdd27f 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -8391,6 +8391,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 4fa3bd434e5..d99b30012cf 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -8860,6 +8860,24 @@ jobs: return createdComments; } (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 070c1c5faea..36db87e01c9 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -6554,6 +6554,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index c9b78dd10fe..2a7fd24d1c8 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -6824,6 +6824,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index d24207ff4d8..b10561583a9 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -8160,6 +8160,24 @@ jobs: core.info(`Successfully created ${createdDiscussions.length} discussion(s)`); } (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 4b3657d0f43..4820e52719d 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -6719,6 +6719,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d82aa2439ee..ca59ef04939 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -7971,6 +7971,24 @@ jobs: core.info(`Successfully created ${createdDiscussions.length} discussion(s)`); } (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 93f94005426..513bb9e1f8c 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -7412,6 +7412,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 1c7cec09fba..b3145d9d0d7 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -6628,6 +6628,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index c0af884a841..5008afea5be 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -7050,6 +7050,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml index 88924256ca4..5b1cf016f59 100644 --- a/.github/workflows/incident-response.lock.yml +++ b/.github/workflows/incident-response.lock.yml @@ -9265,6 +9265,24 @@ jobs: (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index fb5d372b6af..8004ad08490 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -6508,6 +6508,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 83496db363b..e3036e1417a 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -6922,6 +6922,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index f49352b0564..5a24a9332dc 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -6942,6 +6942,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 3bede013fb9..42717d997cc 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -7563,6 +7563,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml index a3ce285d693..f3ae9a60073 100644 --- a/.github/workflows/org-wide-rollout.lock.yml +++ b/.github/workflows/org-wide-rollout.lock.yml @@ -9293,6 +9293,24 @@ jobs: (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index eb3cdc34ba5..3ded067f92a 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -11554,6 +11554,24 @@ jobs: core.info(`Successfully created ${createdDiscussions.length} discussion(s)`); } (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) @@ -12906,6 +12924,24 @@ jobs: executeUpdate: executeIssueUpdate, }); (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 1b32b1803e1..b65cf13021e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -8792,6 +8792,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 83fe0a0b19c..2be5287dddf 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -6718,6 +6718,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 4e03155c88e..6355abc3135 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -7216,6 +7216,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml index a01184b7021..dcfbec4607e 100644 --- a/.github/workflows/spec-kit-execute.lock.yml +++ b/.github/workflows/spec-kit-execute.lock.yml @@ -7318,6 +7318,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml index 4e9ce59a948..bc1cef48a60 100644 --- a/.github/workflows/spec-kit-executor.lock.yml +++ b/.github/workflows/spec-kit-executor.lock.yml @@ -7193,6 +7193,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 534c74ca20b..9f4818f8db5 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -7804,6 +7804,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index e3ea40d06ad..a98d40231b4 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -7477,6 +7477,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) @@ -7980,6 +7998,24 @@ jobs: } } (async () => { await main(); })(); + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 7653e93ccc9..ba6fd6e19b5 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -8009,6 +8009,24 @@ jobs: }; EOF_967a5011 + - name: Checkout repository + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + fetch-depth: 0 + - name: Configure Git credentials + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) diff --git a/pkg/workflow/compiler_safe_outputs_consolidated.go b/pkg/workflow/compiler_safe_outputs_consolidated.go index 5af324d3057..df4162409b8 100644 --- a/pkg/workflow/compiler_safe_outputs_consolidated.go +++ b/pkg/workflow/compiler_safe_outputs_consolidated.go @@ -1267,14 +1267,78 @@ func (c *Compiler) buildUpdateProjectStepConfig(data *WorkflowData, mainJobName // buildCreatePullRequestPreSteps builds the pre-steps for create-pull-request func (c *Compiler) buildCreatePullRequestPreStepsConsolidated(data *WorkflowData, cfg *CreatePullRequestsConfig, condition ConditionNode) []string { - // This is a simplified version - the actual implementation would include - // checkout, git config, and patch application steps - return nil + var preSteps []string + + // Step 1: Checkout repository with conditional execution + preSteps = append(preSteps, " - name: Checkout repository\n") + // Add the condition to only checkout if create_pull_request will run + preSteps = append(preSteps, fmt.Sprintf(" if: %s\n", condition.Render())) + preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/checkout"))) + preSteps = append(preSteps, " with:\n") + preSteps = append(preSteps, " persist-credentials: false\n") + preSteps = append(preSteps, " fetch-depth: 0\n") + if c.trialMode { + if c.trialLogicalRepoSlug != "" { + preSteps = append(preSteps, fmt.Sprintf(" repository: %s\n", c.trialLogicalRepoSlug)) + } + preSteps = append(preSteps, " token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}\n") + } + + // Step 2: Configure Git credentials with conditional execution + gitConfigSteps := []string{ + " - name: Configure Git credentials\n", + fmt.Sprintf(" if: %s\n", condition.Render()), + " env:\n", + " REPO_NAME: ${{ github.repository }}\n", + " SERVER_URL: ${{ github.server_url }}\n", + " run: |\n", + " git config --global user.email \"github-actions[bot]@users.noreply.github.com\"\n", + " git config --global user.name \"github-actions[bot]\"\n", + " # Re-authenticate git with GitHub token\n", + " SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n", + " git remote set-url origin \"https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n", + " echo \"Git configured with standard GitHub Actions identity\"\n", + } + preSteps = append(preSteps, gitConfigSteps...) + + return preSteps } // buildPushToPullRequestBranchPreSteps builds the pre-steps for push-to-pull-request-branch func (c *Compiler) buildPushToPullRequestBranchPreStepsConsolidated(data *WorkflowData, cfg *PushToPullRequestBranchConfig, condition ConditionNode) []string { - // This is a simplified version - the actual implementation would include - // checkout and git config steps - return nil + var preSteps []string + + // Step 1: Checkout repository with conditional execution + preSteps = append(preSteps, " - name: Checkout repository\n") + // Add the condition to only checkout if push_to_pull_request_branch will run + preSteps = append(preSteps, fmt.Sprintf(" if: %s\n", condition.Render())) + preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/checkout"))) + preSteps = append(preSteps, " with:\n") + preSteps = append(preSteps, " persist-credentials: false\n") + preSteps = append(preSteps, " fetch-depth: 0\n") + if c.trialMode { + if c.trialLogicalRepoSlug != "" { + preSteps = append(preSteps, fmt.Sprintf(" repository: %s\n", c.trialLogicalRepoSlug)) + } + preSteps = append(preSteps, " token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}\n") + } + + // Step 2: Configure Git credentials with conditional execution + gitConfigSteps := []string{ + " - name: Configure Git credentials\n", + fmt.Sprintf(" if: %s\n", condition.Render()), + " env:\n", + " REPO_NAME: ${{ github.repository }}\n", + " SERVER_URL: ${{ github.server_url }}\n", + " run: |\n", + " git config --global user.email \"github-actions[bot]@users.noreply.github.com\"\n", + " git config --global user.name \"github-actions[bot]\"\n", + " # Re-authenticate git with GitHub token\n", + " SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n", + " git remote set-url origin \"https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n", + " echo \"Git configured with standard GitHub Actions identity\"\n", + } + preSteps = append(preSteps, gitConfigSteps...) + + return preSteps } From e83aa00c65aa34f064d8def7626387d6014a3995 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 22:33:16 +0000 Subject: [PATCH 5/8] Fix: Pass GitHub App token to checkout action for write permissions The checkout action needs to use a token with write permissions to allow subsequent git push operations. Previously, no token was passed to the checkout action, so it used the default GITHUB_TOKEN which may not have had adequate permissions in the safe_outputs job context. Now the GitHub App token (from steps.app-token.outputs.token) is passed to the checkout action, ensuring it has the necessary contents:write permission to push changes to branches. Changes: - Pass App token to checkout in buildPushToPullRequestBranchPreStepsConsolidated - Pass App token to checkout in buildCreatePullRequestPreStepsConsolidated - Remove trial-mode-specific token handling (now always uses App token) - Recompile all 120 workflows with the fix Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 1 + .github/workflows/ci-coach.lock.yml | 1 + .github/workflows/cloclo.lock.yml | 1 + .github/workflows/craft.lock.yml | 1 + .github/workflows/daily-doc-updater.lock.yml | 1 + .github/workflows/daily-workflow-updater.lock.yml | 1 + .github/workflows/developer-docs-consolidator.lock.yml | 1 + .github/workflows/dictation-prompt.lock.yml | 1 + .github/workflows/github-mcp-tools-report.lock.yml | 1 + .github/workflows/glossary-maintainer.lock.yml | 1 + .github/workflows/go-logger.lock.yml | 1 + .github/workflows/hourly-ci-cleaner.lock.yml | 1 + .github/workflows/incident-response.lock.yml | 1 + .github/workflows/instructions-janitor.lock.yml | 1 + .github/workflows/jsweep.lock.yml | 1 + .github/workflows/layout-spec-maintainer.lock.yml | 1 + .github/workflows/mergefest.lock.yml | 1 + .github/workflows/org-wide-rollout.lock.yml | 1 + .github/workflows/poem-bot.lock.yml | 2 ++ .github/workflows/q.lock.yml | 1 + .github/workflows/security-fix-pr.lock.yml | 1 + .github/workflows/slide-deck-maintainer.lock.yml | 1 + .github/workflows/spec-kit-execute.lock.yml | 1 + .github/workflows/spec-kit-executor.lock.yml | 1 + .github/workflows/technical-doc-writer.lock.yml | 1 + .github/workflows/tidy.lock.yml | 2 ++ .github/workflows/unbloat-docs.lock.yml | 1 + pkg/workflow/compiler_safe_outputs_consolidated.go | 4 ++-- 28 files changed, 31 insertions(+), 2 deletions(-) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 82c9a5f45da..7ae29c18661 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -8830,6 +8830,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index b7c50676baf..83763f45b29 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -7571,6 +7571,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 013a0cdd27f..753dcc45dd6 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -8395,6 +8395,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index d99b30012cf..25dc4caf282 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -8864,6 +8864,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 36db87e01c9..3740cc0eae5 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -6558,6 +6558,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 2a7fd24d1c8..5d8cbe8319a 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -6828,6 +6828,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index b10561583a9..663e06c51d9 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -8164,6 +8164,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 4820e52719d..3d593d6eed4 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -6723,6 +6723,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index ca59ef04939..36481b77a23 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -7975,6 +7975,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 513bb9e1f8c..92ca1eeff6d 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -7416,6 +7416,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index b3145d9d0d7..431c8186375 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -6632,6 +6632,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 5008afea5be..4dd3f669f6f 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -7054,6 +7054,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml index 5b1cf016f59..8125f37db8d 100644 --- a/.github/workflows/incident-response.lock.yml +++ b/.github/workflows/incident-response.lock.yml @@ -9269,6 +9269,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 8004ad08490..c483f8ee228 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -6512,6 +6512,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index e3036e1417a..707fcbe1086 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -6926,6 +6926,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 5a24a9332dc..61098b04c40 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -6946,6 +6946,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 42717d997cc..90a74ae087d 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -7567,6 +7567,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml index f3ae9a60073..3a9a0351e46 100644 --- a/.github/workflows/org-wide-rollout.lock.yml +++ b/.github/workflows/org-wide-rollout.lock.yml @@ -9297,6 +9297,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 3ded067f92a..59c3993ed6b 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -11558,6 +11558,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -12928,6 +12929,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index b65cf13021e..58692e54022 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -8796,6 +8796,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 2be5287dddf..8cb1df284a3 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -6722,6 +6722,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 6355abc3135..f52c5078d29 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -7220,6 +7220,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml index dcfbec4607e..20885592989 100644 --- a/.github/workflows/spec-kit-execute.lock.yml +++ b/.github/workflows/spec-kit-execute.lock.yml @@ -7322,6 +7322,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml index bc1cef48a60..73a9aa8aeba 100644 --- a/.github/workflows/spec-kit-executor.lock.yml +++ b/.github/workflows/spec-kit-executor.lock.yml @@ -7197,6 +7197,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 9f4818f8db5..efe01cd2305 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -7808,6 +7808,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index a98d40231b4..35d17a247e3 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -7481,6 +7481,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8002,6 +8003,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index ba6fd6e19b5..b4cd067a287 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -8013,6 +8013,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials diff --git a/pkg/workflow/compiler_safe_outputs_consolidated.go b/pkg/workflow/compiler_safe_outputs_consolidated.go index df4162409b8..a17a677dd5c 100644 --- a/pkg/workflow/compiler_safe_outputs_consolidated.go +++ b/pkg/workflow/compiler_safe_outputs_consolidated.go @@ -1275,13 +1275,13 @@ func (c *Compiler) buildCreatePullRequestPreStepsConsolidated(data *WorkflowData preSteps = append(preSteps, fmt.Sprintf(" if: %s\n", condition.Render())) preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/checkout"))) preSteps = append(preSteps, " with:\n") + preSteps = append(preSteps, " token: ${{ steps.app-token.outputs.token }}\n") preSteps = append(preSteps, " persist-credentials: false\n") preSteps = append(preSteps, " fetch-depth: 0\n") if c.trialMode { if c.trialLogicalRepoSlug != "" { preSteps = append(preSteps, fmt.Sprintf(" repository: %s\n", c.trialLogicalRepoSlug)) } - preSteps = append(preSteps, " token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}\n") } // Step 2: Configure Git credentials with conditional execution @@ -1314,13 +1314,13 @@ func (c *Compiler) buildPushToPullRequestBranchPreStepsConsolidated(data *Workfl preSteps = append(preSteps, fmt.Sprintf(" if: %s\n", condition.Render())) preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/checkout"))) preSteps = append(preSteps, " with:\n") + preSteps = append(preSteps, " token: ${{ steps.app-token.outputs.token }}\n") preSteps = append(preSteps, " persist-credentials: false\n") preSteps = append(preSteps, " fetch-depth: 0\n") if c.trialMode { if c.trialLogicalRepoSlug != "" { preSteps = append(preSteps, fmt.Sprintf(" repository: %s\n", c.trialLogicalRepoSlug)) } - preSteps = append(preSteps, " token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}\n") } // Step 2: Configure Git credentials with conditional execution From 1ea9106794725dfd08cf55732c9bee87398488c8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 23:00:03 +0000 Subject: [PATCH 6/8] Fix: Use appropriate token for checkout based on app configuration The checkout and git config steps were always using steps.app-token.outputs.token, but this token is only available when a GitHub App is configured. When no app is configured, the app-token step doesn't exist and the token reference is empty, causing checkout failures. Now the pre-steps check if data.SafeOutputs.App is configured: - If app configured: Use ${{ steps.app-token.outputs.token }} - If no app: Use ${{ github.token }} (default GITHUB_TOKEN) This ensures the checkout action always has a valid token with appropriate permissions, whether using a GitHub App or the default workflow token. Changes: - Update buildPushToPullRequestBranchPreStepsConsolidated to conditionally use token - Update buildCreatePullRequestPreStepsConsolidated to conditionally use token - Both functions now check data.SafeOutputs.App before selecting token - Recompile all 120 workflows with the fix Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ci-coach.lock.yml | 4 +-- .github/workflows/cloclo.lock.yml | 4 +-- .github/workflows/craft.lock.yml | 4 +-- .github/workflows/daily-doc-updater.lock.yml | 4 +-- .../workflows/daily-workflow-updater.lock.yml | 4 +-- .../developer-docs-consolidator.lock.yml | 4 +-- .github/workflows/dictation-prompt.lock.yml | 4 +-- .../github-mcp-tools-report.lock.yml | 4 +-- .../workflows/glossary-maintainer.lock.yml | 4 +-- .github/workflows/go-logger.lock.yml | 4 +-- .github/workflows/hourly-ci-cleaner.lock.yml | 4 +-- .github/workflows/incident-response.lock.yml | 4 +-- .../workflows/instructions-janitor.lock.yml | 4 +-- .github/workflows/jsweep.lock.yml | 4 +-- .../workflows/layout-spec-maintainer.lock.yml | 4 +-- .github/workflows/mergefest.lock.yml | 4 +-- .github/workflows/org-wide-rollout.lock.yml | 4 +-- .github/workflows/poem-bot.lock.yml | 8 ++--- .github/workflows/q.lock.yml | 4 +-- .github/workflows/security-fix-pr.lock.yml | 4 +-- .../workflows/slide-deck-maintainer.lock.yml | 4 +-- .github/workflows/spec-kit-execute.lock.yml | 4 +-- .github/workflows/spec-kit-executor.lock.yml | 4 +-- .../workflows/technical-doc-writer.lock.yml | 4 +-- .github/workflows/tidy.lock.yml | 8 ++--- .github/workflows/unbloat-docs.lock.yml | 4 +-- .../compiler_safe_outputs_consolidated.go | 32 ++++++++++++++++--- 27 files changed, 84 insertions(+), 60 deletions(-) diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 83763f45b29..a38f5d3297f 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -7571,7 +7571,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7584,7 +7584,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 753dcc45dd6..5d90241101b 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -8395,7 +8395,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8408,7 +8408,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 25dc4caf282..7e5896dafe7 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -8864,7 +8864,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8877,7 +8877,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 3740cc0eae5..3d5803aa28f 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -6558,7 +6558,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6571,7 +6571,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 5d8cbe8319a..a4971c33fab 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -6828,7 +6828,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6841,7 +6841,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 663e06c51d9..ee52fb9124e 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -8164,7 +8164,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8177,7 +8177,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 3d593d6eed4..d9a94b16061 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -6723,7 +6723,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6736,7 +6736,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 36481b77a23..05b6bbc4093 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -7975,7 +7975,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7988,7 +7988,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 92ca1eeff6d..7f64e063c72 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -7416,7 +7416,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7429,7 +7429,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 431c8186375..a19caf300c1 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -6632,7 +6632,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6645,7 +6645,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 4dd3f669f6f..b0e5bacd54f 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -7054,7 +7054,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7067,7 +7067,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml index 8125f37db8d..09d992061cc 100644 --- a/.github/workflows/incident-response.lock.yml +++ b/.github/workflows/incident-response.lock.yml @@ -9269,7 +9269,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -9282,7 +9282,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index c483f8ee228..540b25fd7c5 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -6512,7 +6512,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6525,7 +6525,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 707fcbe1086..8ad4c0b71c8 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -6926,7 +6926,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6939,7 +6939,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 61098b04c40..26f9cafb2a5 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -6946,7 +6946,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6959,7 +6959,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 90a74ae087d..c9ac280e1b8 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -7567,7 +7567,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7580,7 +7580,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml index 3a9a0351e46..7db55a975c4 100644 --- a/.github/workflows/org-wide-rollout.lock.yml +++ b/.github/workflows/org-wide-rollout.lock.yml @@ -9297,7 +9297,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -9310,7 +9310,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 59c3993ed6b..af277678f01 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -11558,7 +11558,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -11571,7 +11571,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request @@ -12929,7 +12929,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -12942,7 +12942,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 58692e54022..75c8c9564bd 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -8796,7 +8796,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8809,7 +8809,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 8cb1df284a3..a73458ace5b 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -6722,7 +6722,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -6735,7 +6735,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index f52c5078d29..2f0b600185f 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -7220,7 +7220,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7233,7 +7233,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml index 20885592989..35bf0e874c9 100644 --- a/.github/workflows/spec-kit-execute.lock.yml +++ b/.github/workflows/spec-kit-execute.lock.yml @@ -7322,7 +7322,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7335,7 +7335,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml index 73a9aa8aeba..4cc2210414c 100644 --- a/.github/workflows/spec-kit-executor.lock.yml +++ b/.github/workflows/spec-kit-executor.lock.yml @@ -7197,7 +7197,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7210,7 +7210,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index efe01cd2305..e4d2a0c3bd8 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -7808,7 +7808,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7821,7 +7821,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 35d17a247e3..86b6e2cbc47 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -7481,7 +7481,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -7494,7 +7494,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request @@ -8003,7 +8003,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8016,7 +8016,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Push To Pull Request Branch id: push_to_pull_request_branch diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index b4cd067a287..7dfea21a325 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -8013,7 +8013,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ github.token }} persist-credentials: false fetch-depth: 0 - name: Configure Git credentials @@ -8026,7 +8026,7 @@ jobs: git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Create Pull Request id: create_pull_request diff --git a/pkg/workflow/compiler_safe_outputs_consolidated.go b/pkg/workflow/compiler_safe_outputs_consolidated.go index a17a677dd5c..47c631887b7 100644 --- a/pkg/workflow/compiler_safe_outputs_consolidated.go +++ b/pkg/workflow/compiler_safe_outputs_consolidated.go @@ -1269,13 +1269,25 @@ func (c *Compiler) buildUpdateProjectStepConfig(data *WorkflowData, mainJobName func (c *Compiler) buildCreatePullRequestPreStepsConsolidated(data *WorkflowData, cfg *CreatePullRequestsConfig, condition ConditionNode) []string { var preSteps []string + // Determine which token to use for checkout + // If an app is configured, use the app token; otherwise use the default github.token + var checkoutToken string + var gitRemoteToken string + if data.SafeOutputs.App != nil { + checkoutToken = "${{ steps.app-token.outputs.token }}" + gitRemoteToken = "${{ steps.app-token.outputs.token }}" + } else { + checkoutToken = "${{ github.token }}" + gitRemoteToken = "${{ github.token }}" + } + // Step 1: Checkout repository with conditional execution preSteps = append(preSteps, " - name: Checkout repository\n") // Add the condition to only checkout if create_pull_request will run preSteps = append(preSteps, fmt.Sprintf(" if: %s\n", condition.Render())) preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/checkout"))) preSteps = append(preSteps, " with:\n") - preSteps = append(preSteps, " token: ${{ steps.app-token.outputs.token }}\n") + preSteps = append(preSteps, fmt.Sprintf(" token: %s\n", checkoutToken)) preSteps = append(preSteps, " persist-credentials: false\n") preSteps = append(preSteps, " fetch-depth: 0\n") if c.trialMode { @@ -1296,7 +1308,7 @@ func (c *Compiler) buildCreatePullRequestPreStepsConsolidated(data *WorkflowData " git config --global user.name \"github-actions[bot]\"\n", " # Re-authenticate git with GitHub token\n", " SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n", - " git remote set-url origin \"https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n", + fmt.Sprintf(" git remote set-url origin \"https://x-access-token:%s@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n", gitRemoteToken), " echo \"Git configured with standard GitHub Actions identity\"\n", } preSteps = append(preSteps, gitConfigSteps...) @@ -1308,13 +1320,25 @@ func (c *Compiler) buildCreatePullRequestPreStepsConsolidated(data *WorkflowData func (c *Compiler) buildPushToPullRequestBranchPreStepsConsolidated(data *WorkflowData, cfg *PushToPullRequestBranchConfig, condition ConditionNode) []string { var preSteps []string + // Determine which token to use for checkout + // If an app is configured, use the app token; otherwise use the default github.token + var checkoutToken string + var gitRemoteToken string + if data.SafeOutputs.App != nil { + checkoutToken = "${{ steps.app-token.outputs.token }}" + gitRemoteToken = "${{ steps.app-token.outputs.token }}" + } else { + checkoutToken = "${{ github.token }}" + gitRemoteToken = "${{ github.token }}" + } + // Step 1: Checkout repository with conditional execution preSteps = append(preSteps, " - name: Checkout repository\n") // Add the condition to only checkout if push_to_pull_request_branch will run preSteps = append(preSteps, fmt.Sprintf(" if: %s\n", condition.Render())) preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/checkout"))) preSteps = append(preSteps, " with:\n") - preSteps = append(preSteps, " token: ${{ steps.app-token.outputs.token }}\n") + preSteps = append(preSteps, fmt.Sprintf(" token: %s\n", checkoutToken)) preSteps = append(preSteps, " persist-credentials: false\n") preSteps = append(preSteps, " fetch-depth: 0\n") if c.trialMode { @@ -1335,7 +1359,7 @@ func (c *Compiler) buildPushToPullRequestBranchPreStepsConsolidated(data *Workfl " git config --global user.name \"github-actions[bot]\"\n", " # Re-authenticate git with GitHub token\n", " SERVER_URL_STRIPPED=\"${SERVER_URL#https://}\"\n", - " git remote set-url origin \"https://x-access-token:${{ steps.app-token.outputs.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n", + fmt.Sprintf(" git remote set-url origin \"https://x-access-token:%s@${SERVER_URL_STRIPPED}/${REPO_NAME}.git\"\n", gitRemoteToken), " echo \"Git configured with standard GitHub Actions identity\"\n", } preSteps = append(preSteps, gitConfigSteps...) From f31b86eabefb047ae072283a4ca751e1d0ba2aa1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 21 Dec 2025 23:26:24 +0000 Subject: [PATCH 7/8] Refactor: Use GitHub API instead of gh CLI for fetching PR info Replaced the gh pr view command with github.rest.pulls.get() API call in push_to_pull_request_branch script. This is more efficient and direct, avoiding the need to shell out to the gh CLI. Benefits: - Direct API access through github object (already available in context) - No need to parse JSON from CLI output - More reliable and faster execution - Consistent with other GitHub API usage in the codebase Changes: - Replace exec.getExecOutput('gh', ['pr', 'view', ...]) with github.rest.pulls.get() - Update test mocks to mock github.rest.pulls.get instead of gh CLI - Add validation to ensure pullNumber is defined before API call - Update all test cases to use new API mock pattern Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 21 +++-- .github/workflows/craft.lock.yml | 21 +++-- .github/workflows/mergefest.lock.yml | 21 +++-- .github/workflows/poem-bot.lock.yml | 21 +++-- .github/workflows/tidy.lock.yml | 21 +++-- .../js/push_to_pull_request_branch.cjs | 23 +++-- .../js/push_to_pull_request_branch.test.cjs | 92 +++++++++++-------- 7 files changed, 128 insertions(+), 92 deletions(-) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 7ae29c18661..30eced9bd53 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -9009,16 +9009,19 @@ jobs: let branchName; let prTitle = ""; let prLabels = []; + if (!pullNumber) { + core.setFailed("Pull request number is required but not found"); + return; + } try { - const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]); - if (prInfoRes.exitCode === 0) { - const prData = JSON.parse(prInfoRes.stdout.trim()); - branchName = prData.headRefName; - prTitle = prData.title || ""; - prLabels = prData.labels || []; - } else { - throw new Error("No PR data found"); - } + const { data: pullRequest } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pullNumber + }); + branchName = pullRequest.head.ref; + prTitle = pullRequest.title || ""; + prLabels = pullRequest.labels.map(label => label.name); } catch (error) { core.info(`Warning: Could not fetch PR ${pullNumber} details: ${error instanceof Error ? error.message : String(error)}`); core.setFailed(`Failed to determine branch name for PR ${pullNumber}`); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 7e5896dafe7..4792b06926c 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -9042,16 +9042,19 @@ jobs: let branchName; let prTitle = ""; let prLabels = []; + if (!pullNumber) { + core.setFailed("Pull request number is required but not found"); + return; + } try { - const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]); - if (prInfoRes.exitCode === 0) { - const prData = JSON.parse(prInfoRes.stdout.trim()); - branchName = prData.headRefName; - prTitle = prData.title || ""; - prLabels = prData.labels || []; - } else { - throw new Error("No PR data found"); - } + const { data: pullRequest } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pullNumber + }); + branchName = pullRequest.head.ref; + prTitle = pullRequest.title || ""; + prLabels = pullRequest.labels.map(label => label.name); } catch (error) { core.info(`Warning: Could not fetch PR ${pullNumber} details: ${error instanceof Error ? error.message : String(error)}`); core.setFailed(`Failed to determine branch name for PR ${pullNumber}`); diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index c9ac280e1b8..d898936764f 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -7745,16 +7745,19 @@ jobs: let branchName; let prTitle = ""; let prLabels = []; + if (!pullNumber) { + core.setFailed("Pull request number is required but not found"); + return; + } try { - const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]); - if (prInfoRes.exitCode === 0) { - const prData = JSON.parse(prInfoRes.stdout.trim()); - branchName = prData.headRefName; - prTitle = prData.title || ""; - prLabels = prData.labels || []; - } else { - throw new Error("No PR data found"); - } + const { data: pullRequest } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pullNumber + }); + branchName = pullRequest.head.ref; + prTitle = pullRequest.title || ""; + prLabels = pullRequest.labels.map(label => label.name); } catch (error) { core.info(`Warning: Could not fetch PR ${pullNumber} details: ${error instanceof Error ? error.message : String(error)}`); core.setFailed(`Failed to determine branch name for PR ${pullNumber}`); diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index af277678f01..1ed65768a47 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -13108,16 +13108,19 @@ jobs: let branchName; let prTitle = ""; let prLabels = []; + if (!pullNumber) { + core.setFailed("Pull request number is required but not found"); + return; + } try { - const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]); - if (prInfoRes.exitCode === 0) { - const prData = JSON.parse(prInfoRes.stdout.trim()); - branchName = prData.headRefName; - prTitle = prData.title || ""; - prLabels = prData.labels || []; - } else { - throw new Error("No PR data found"); - } + const { data: pullRequest } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pullNumber + }); + branchName = pullRequest.head.ref; + prTitle = pullRequest.title || ""; + prLabels = pullRequest.labels.map(label => label.name); } catch (error) { core.info(`Warning: Could not fetch PR ${pullNumber} details: ${error instanceof Error ? error.message : String(error)}`); core.setFailed(`Failed to determine branch name for PR ${pullNumber}`); diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 86b6e2cbc47..e17013db656 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -8181,16 +8181,19 @@ jobs: let branchName; let prTitle = ""; let prLabels = []; + if (!pullNumber) { + core.setFailed("Pull request number is required but not found"); + return; + } try { - const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]); - if (prInfoRes.exitCode === 0) { - const prData = JSON.parse(prInfoRes.stdout.trim()); - branchName = prData.headRefName; - prTitle = prData.title || ""; - prLabels = prData.labels || []; - } else { - throw new Error("No PR data found"); - } + const { data: pullRequest } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pullNumber + }); + branchName = pullRequest.head.ref; + prTitle = pullRequest.title || ""; + prLabels = pullRequest.labels.map(label => label.name); } catch (error) { core.info(`Warning: Could not fetch PR ${pullNumber} details: ${error instanceof Error ? error.message : String(error)}`); core.setFailed(`Failed to determine branch name for PR ${pullNumber}`); diff --git a/pkg/workflow/js/push_to_pull_request_branch.cjs b/pkg/workflow/js/push_to_pull_request_branch.cjs index 8b3f6afe0cb..a333318f110 100644 --- a/pkg/workflow/js/push_to_pull_request_branch.cjs +++ b/pkg/workflow/js/push_to_pull_request_branch.cjs @@ -200,17 +200,22 @@ async function main() { let prTitle = ""; let prLabels = []; + // Validate pull number is defined before fetching + if (!pullNumber) { + core.setFailed("Pull request number is required but not found"); + return; + } + // Fetch the specific PR to get its head branch, title, and labels try { - const prInfoRes = await exec.getExecOutput(`gh`, [`pr`, `view`, `${pullNumber}`, `--json`, `headRefName,title,labels`, `--jq`, `{headRefName, title, labels: (.labels // [] | map(.name))}`]); - if (prInfoRes.exitCode === 0) { - const prData = JSON.parse(prInfoRes.stdout.trim()); - branchName = prData.headRefName; - prTitle = prData.title || ""; - prLabels = prData.labels || []; - } else { - throw new Error("No PR data found"); - } + const { data: pullRequest } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pullNumber + }); + branchName = pullRequest.head.ref; + prTitle = pullRequest.title || ""; + prLabels = pullRequest.labels.map(label => label.name); } catch (error) { core.info(`Warning: Could not fetch PR ${pullNumber} details: ${error instanceof Error ? error.message : String(error)}`); // Exit with failure if we cannot determine the branch name diff --git a/pkg/workflow/js/push_to_pull_request_branch.test.cjs b/pkg/workflow/js/push_to_pull_request_branch.test.cjs index 9365097dcb6..8ce269d370b 100644 --- a/pkg/workflow/js/push_to_pull_request_branch.test.cjs +++ b/pkg/workflow/js/push_to_pull_request_branch.test.cjs @@ -29,7 +29,21 @@ const mockCore = { summary: { addRaw: vi.fn().mockReturnThis(), write: vi.fn().mockResolvedValue() }, }, mockContext = { eventName: "pull_request", payload: { pull_request: { number: 123 }, repository: { html_url: "https://github.com/testowner/testrepo" } }, repo: { owner: "testowner", repo: "testrepo" } }, - mockGithub = { graphql: vi.fn(), request: vi.fn() }; + mockGithub = { + graphql: vi.fn(), + request: vi.fn(), + rest: { + pulls: { + get: vi.fn().mockResolvedValue({ + data: { + head: { ref: "feature-branch" }, + title: "Test PR Title", + labels: [{ name: "bug" }, { name: "enhancement" }] + } + }) + } + } + }; ((global.core = mockCore), (global.context = mockContext), (global.github = mockGithub), @@ -64,10 +78,6 @@ const mockCore = { (mockExec = { exec: vi.fn().mockResolvedValue(0), getExecOutput: vi.fn().mockImplementation((command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1] && args.includes("--json") && args.includes("headRefName,title,labels")) { - const prData = JSON.stringify({ headRefName: "feature-branch", title: "Test PR Title", labels: ["bug", "enhancement"] }); - return Promise.resolve({ exitCode: 0, stdout: prData + "\n", stderr: "" }); - } return "git" === command && args && "rev-parse" === args[0] && "HEAD" === args[1] ? Promise.resolve({ exitCode: 0, stdout: "abc123def456\n", stderr: "" }) : Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), }), @@ -242,12 +252,12 @@ const mockCore = { (process.env.GH_AW_PR_TITLE_PREFIX = "[bot] "), mockFs.existsSync.mockReturnValue(!0), mockPatchContent("diff --git a/file.txt b/file.txt\n+new content"), - mockExec.getExecOutput.mockImplementation((command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "[bot] Add new feature", labels: [] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData), stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "[bot] Add new feature", + labels: [] } - return "git" === command && args && "rev-parse" === args[0] && "HEAD" === args[1] ? Promise.resolve({ exitCode: 0, stdout: "abc123def456\n", stderr: "" }) : Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), await executeScript(), expect(mockCore.info).toHaveBeenCalledWith('✓ Title prefix validation passed: "[bot] "'), @@ -258,12 +268,12 @@ const mockCore = { (process.env.GH_AW_PR_TITLE_PREFIX = "[bot] "), mockFs.existsSync.mockReturnValue(!0), mockPatchContent("diff --git a/file.txt b/file.txt\n+new content"), - mockExec.getExecOutput.mockImplementation((command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "Add new feature", labels: [] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData), stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "Add new feature", + labels: [] } - return "git" === command && args && "rev-parse" === args[0] && "HEAD" === args[1] ? Promise.resolve({ exitCode: 0, stdout: "abc123def456\n", stderr: "" }) : Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), await executeScript(), expect(mockCore.setFailed).toHaveBeenCalledWith('Pull request title "Add new feature" does not start with required prefix "[bot] "')); @@ -273,12 +283,12 @@ const mockCore = { (process.env.GH_AW_PR_LABELS = "automation,enhancement"), mockFs.existsSync.mockReturnValue(!0), mockPatchContent("diff --git a/file.txt b/file.txt\n+new content"), - mockExec.getExecOutput.mockImplementation((command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "Add new feature", labels: ["automation", "enhancement", "feature"] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData), stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "Add new feature", + labels: [{ name: "automation" }, { name: "enhancement" }, { name: "feature" }] } - return "git" === command && args && "rev-parse" === args[0] && "HEAD" === args[1] ? Promise.resolve({ exitCode: 0, stdout: "abc123def456\n", stderr: "" }) : Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), await executeScript(), expect(mockCore.info).toHaveBeenCalledWith("✓ Labels validation passed: automation,enhancement"), @@ -289,12 +299,12 @@ const mockCore = { (process.env.GH_AW_PR_LABELS = "automation,enhancement"), mockFs.existsSync.mockReturnValue(!0), mockPatchContent("diff --git a/file.txt b/file.txt\n+new content"), - mockExec.getExecOutput.mockImplementation((command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "Add new feature", labels: ["feature"] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData), stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "Add new feature", + labels: [{ name: "feature" }] } - return "git" === command && args && "rev-parse" === args[0] && "HEAD" === args[1] ? Promise.resolve({ exitCode: 0, stdout: "abc123def456\n", stderr: "" }) : Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), await executeScript(), expect(mockCore.setFailed).toHaveBeenCalledWith("Pull request is missing required labels: automation, enhancement. Current labels: feature")); @@ -305,12 +315,12 @@ const mockCore = { (process.env.GH_AW_PR_LABELS = "bot,feature"), mockFs.existsSync.mockReturnValue(!0), mockPatchContent("diff --git a/file.txt b/file.txt\n+new content"), - mockExec.getExecOutput.mockImplementation((command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "[automated] Add new feature", labels: ["bot", "feature", "enhancement"] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData), stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "[automated] Add new feature", + labels: [{ name: "bot" }, { name: "feature" }, { name: "enhancement" }] } - return "git" === command && args && "rev-parse" === args[0] && "HEAD" === args[1] ? Promise.resolve({ exitCode: 0, stdout: "abc123def456\n", stderr: "" }) : Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), await executeScript(), expect(mockCore.info).toHaveBeenCalledWith('✓ Title prefix validation passed: "[automated] "'), @@ -390,11 +400,14 @@ const mockCore = { if ("string" == typeof cmd && cmd.includes("git am")) throw ((gitAmCalled = !0), new Error("Patch does not apply")); return 0; }), - mockExec.getExecOutput.mockImplementation(async (command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "Test PR Title", labels: ["bug", "enhancement"] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData) + "\n", stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "Test PR Title", + labels: [{ name: "bug" }, { name: "enhancement" }] } + }), + mockExec.getExecOutput.mockImplementation(async (command, args) => { return "git" === command && args && "status" === args[0] ? Promise.resolve({ exitCode: 0, stdout: "On branch feature-branch\nYour branch is up to date\n", stderr: "" }) : "git" === command && args && "log" === args[0] && "--oneline" === args[1] && "-5" === args[2] @@ -435,11 +448,14 @@ const mockCore = { if ("string" == typeof cmd && cmd.includes("git am")) throw new Error("Patch does not apply"); return 0; }), - mockExec.getExecOutput.mockImplementation(async (command, args) => { - if ("gh" === command && args && "pr" === args[0] && "view" === args[1]) { - const prData = { headRefName: "feature-branch", title: "Test PR Title", labels: [] }; - return Promise.resolve({ exitCode: 0, stdout: JSON.stringify(prData) + "\n", stderr: "" }); + mockGithub.rest.pulls.get.mockResolvedValueOnce({ + data: { + head: { ref: "feature-branch" }, + title: "Test PR Title", + labels: [] } + }), + mockExec.getExecOutput.mockImplementation(async (command, args) => { if ("git" === command) throw new Error("Git command failed"); return Promise.resolve({ exitCode: 0, stdout: "", stderr: "" }); }), From e419a869445ce8b1cb4f882bccb428246615a2e3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 21 Dec 2025 23:32:47 +0000 Subject: [PATCH 8/8] Add changeset [skip-ci] --- .changeset/patch-fix-safe-outputs-apply.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .changeset/patch-fix-safe-outputs-apply.md diff --git a/.changeset/patch-fix-safe-outputs-apply.md b/.changeset/patch-fix-safe-outputs-apply.md new file mode 100644 index 00000000000..b1a684e5da4 --- /dev/null +++ b/.changeset/patch-fix-safe-outputs-apply.md @@ -0,0 +1,14 @@ +--- +"gh-aw": patch +--- + +Fix: Ensure `create-pull-request` and `push-to-pull-request-branch` safe outputs +are applied correctly by downloading the patch artifact, checking out the +repository, configuring git, and using the appropriate token when available. + +This is an internal tooling fix for action workflows; it does not change the +public CLI API. + +-- +PR: #7167 +