Fix tests: Remove github-token from individual safe output type configurations

[Copilot]

Tests were failing because they expected github-token to be configurable at individual safe output type level (e.g., create-issue.github-token), but the schema correctly only allows it at workflow and global safe-outputs level.

Changes

• Added validation test (safe_output_types_validation.test.cjs): 8 test cases ensuring github-token never appears in safe output item types (safe-outputs.d.ts) while remaining in configuration types (safe-outputs-config.d.ts)

• Fixed integration tests: Removed github-token from individual safe-output type configurations in individual_github_token_integration_test.go and github_token_precedence_integration_test.go

Architecture

Correct placement:

safe-outputs:
  github-token: ${{ secrets.GLOBAL_PAT }}  # ✅ Global config level
  create-issue:
    title-prefix: "[AUTO] "

Incorrect placement (removed from tests):

safe-outputs:
  create-issue:
    github-token: ${{ secrets.ISSUE_PAT }}  # ❌ Per-type level not supported

This ensures authentication tokens remain at the configuration layer, not the data layer.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login tags/v5 9567962/b392/_testmain.go /home/REDACTED/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/pkg/tool/linux_amd64/link -s -w -buildmode=exe /home/REDACTED/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linconfig -o k/gh-aw/gh-aw/.github/workflows -importcfg /usr/bin/git -s -w -buildmode=exe git (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login 5 l/linux_amd64/cgo /usr/bin/git l nk l/linux_amd64/liuser git rev-�� 4339-12710/test-purge-campaign-3130105315/.github/workflows l/linux_amd64/link 9567962/b419/workflow.test l -buildtags /usr/bin/go 9567962/b419/workflow.test (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login 5f6f7fa3ce65cc88ee43edad937782e92841203e18bccf12a941a3e16bbaa28e 6549198/b313/importcfg 0/x64/bin/node 2e92841203e18bccf12a941a3e16bbaa28e/log.json -buildtags /home/REDACTED/go/xterm-color /usr/bin/gh 0/x6�� f27b0cd0c75271bc --secure-storage /usr/bin/git l -trimpath ux-amd64/pkg/too--root git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Fix tests. Do not add GitHub-token to safe output types.

Custom agent used: ci-cleaner
Tidies up the repository CI state by formatting sources, running linters, fixing issues, running tests, and recompiling workflows

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.