From b95f9b3a8673d5ee354d4587eb8aafb50fdaff6c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 31 Dec 2025 07:01:19 +0000 Subject: [PATCH 1/3] Initial plan From c2908b6a549386ffd1102cc7bb1939b9f319e1e1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 31 Dec 2025 07:09:54 +0000 Subject: [PATCH 2/3] Remove redundant safe-inputs env vars from MCP server config Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../workflows/copilot-pr-merged-report.lock.yml | 4 +--- .github/workflows/daily-choice-test.lock.yml | 4 ++-- .../workflows/smoke-copilot-no-firewall.lock.yml | 4 +--- .../workflows/smoke-copilot-playwright.lock.yml | 4 +--- .../workflows/smoke-copilot-safe-inputs.lock.yml | 4 +--- pkg/workflow/safe_inputs_renderer.go | 14 ++++++++------ 6 files changed, 14 insertions(+), 20 deletions(-) diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 21df370d31..c19a916bd6 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -432,9 +432,7 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_INPUTS_PORT": "\${GH_AW_SAFE_INPUTS_PORT}", - "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}", - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", - "GH_DEBUG": "\${GH_DEBUG}" + "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index d3ec2d747e..1cbb37ed40 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -278,8 +278,8 @@ jobs: } }, "required": [ - "test_type", - "environment" + "environment", + "test_type" ], "type": "object" }, 
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml index 64da76e3e7..99d7572725 100644 --- a/.github/workflows/smoke-copilot-no-firewall.lock.yml +++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml @@ -553,9 +553,7 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_INPUTS_PORT": "\${GH_AW_SAFE_INPUTS_PORT}", - "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}", - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", - "GH_DEBUG": "\${GH_DEBUG}" + "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml index 15e05d72bc..6f78ba401e 100644 --- a/.github/workflows/smoke-copilot-playwright.lock.yml +++ b/.github/workflows/smoke-copilot-playwright.lock.yml @@ -646,9 +646,7 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_INPUTS_PORT": "\${GH_AW_SAFE_INPUTS_PORT}", - "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}", - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", - "GH_DEBUG": "\${GH_DEBUG}" + "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml index 7f75acab8a..ac4d379d5d 100644 --- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml +++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml @@ -479,9 +479,7 @@ jobs: "tools": ["*"], "env": { "GH_AW_SAFE_INPUTS_PORT": "\${GH_AW_SAFE_INPUTS_PORT}", - "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}", - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", - "GH_DEBUG": "\${GH_DEBUG}" + "GH_AW_SAFE_INPUTS_API_KEY": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { diff --git a/pkg/workflow/safe_inputs_renderer.go b/pkg/workflow/safe_inputs_renderer.go index 84dc5b074d..8428a0d59f 100644 --- a/pkg/workflow/safe_inputs_renderer.go 
+++ b/pkg/workflow/safe_inputs_renderer.go @@ -64,8 +64,6 @@ func collectSafeInputsSecrets(safeInputs *SafeInputsConfig) map[string]string { // renderSafeInputsMCPConfigWithOptions generates the Safe Inputs MCP server configuration with engine-specific options // Only supports HTTP transport mode func renderSafeInputsMCPConfigWithOptions(yaml *strings.Builder, safeInputs *SafeInputsConfig, isLast bool, includeCopilotFields bool) { - envVars := getSafeInputsEnvVars(safeInputs) - yaml.WriteString(" \"" + constants.SafeInputsMCPServerID + "\": {\n") // HTTP transport configuration - server started in separate step @@ -98,13 +96,17 @@ func renderSafeInputsMCPConfigWithOptions(yaml *strings.Builder, safeInputs *Saf yaml.WriteString(" \"tools\": [\"*\"],\n") } - // Add env block for environment variable passthrough - envVarsWithServerConfig := append([]string{"GH_AW_SAFE_INPUTS_PORT", "GH_AW_SAFE_INPUTS_API_KEY"}, envVars...) + // Add env block for server configuration environment variables only + // Note: Tool-specific env vars (like GH_AW_GH_TOKEN) are already set in the step's env block + // and don't need to be passed through the MCP config since the server uses HTTP transport yaml.WriteString(" \"env\": {\n") + // Only include server configuration variables + serverConfigVars := []string{"GH_AW_SAFE_INPUTS_PORT", "GH_AW_SAFE_INPUTS_API_KEY"} + // Write environment variables with appropriate escaping - for i, envVar := range envVarsWithServerConfig { - isLastEnvVar := i == len(envVarsWithServerConfig)-1 + for i, envVar := range serverConfigVars { + isLastEnvVar := i == len(serverConfigVars)-1 comma := "" if !isLastEnvVar { comma = "," From 31ee2737f86725630d3d3c22db945059ca0ac873 Mon Sep 17 00:00:00 2001 
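Review bot: Nothing in this commit pins the narrowed `env` block that the second hunk now builds from `serverConfigVars`, so a later edit could put tool secrets such as `GH_AW_GH_TOKEN` back into the rendered MCP config without a test failing; the diffstat lists only the renderer and regenerated lock files. A renderer test that puts a tool-level secret in the safe-inputs config and asserts on the output would lock this in, e.g. `if strings.Contains(out.String(), "GH_AW_GH_TOKEN") { t.Fatalf("tool secret leaked into MCP env block") }`. The first hunk also removes the only use of `safeInputs` visible here, so it is worth checking whether the parameter and `getSafeInputsEnvVars` still have a purpose; Go will not flag an unused parameter. renderSafeInputsMCPConfigWithOptions continues past the end of the second hunk, so the rest of the loop body was not reviewed.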
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 31 Dec 2025 07:19:22 +0000 Subject: [PATCH 3/3] Final validation: All tests pass except pre-existing failure Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/daily-choice-test.lock.yml | 4 ++-- .../js/safe_output_types_validation.test.cjs | 18 ++++-------------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1cbb37ed40..d3ec2d747e 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -278,8 +278,8 @@ jobs: } }, "required": [ - "environment", - "test_type" + "test_type", + "environment" ], "type": "object" }, diff --git a/actions/setup/js/safe_output_types_validation.test.cjs b/actions/setup/js/safe_output_types_validation.test.cjs index 33433f024a..17dc7dfe69 100644 --- a/actions/setup/js/safe_output_types_validation.test.cjs +++ b/actions/setup/js/safe_output_types_validation.test.cjs @@ -14,11 +14,7 @@ import path from "path"; describe("Safe Output Types Validation", () => { const typeDefsPath = path.join(__dirname, "types", "safe-outputs.d.ts"); - const configDefsPath = path.join( - __dirname, - "types", - "safe-outputs-config.d.ts" - ); + const configDefsPath = path.join(__dirname, "types", "safe-outputs-config.d.ts"); it("safe-outputs.d.ts should NOT contain github-token field", () => { const content = fs.readFileSync(typeDefsPath, "utf-8"); 
@@ -40,9 +36,7 @@ describe("Safe Output Types Validation", () => { // Verify it's in the right places (base config and safe job config) const lines = content.split("\n"); - const githubTokenLines = lines.filter((line) => - line.includes('"github-token"') - ); + const githubTokenLines = lines.filter(line => line.includes('"github-token"')); // Should appear at least twice: once in SafeOutputConfig, once in SafeJobConfig expect(githubTokenLines.length).toBeGreaterThanOrEqual(2); @@ -95,9 +89,7 @@ describe("Safe Output Types Validation", () => { const content = fs.readFileSync(typeDefsPath, "utf-8"); // Extract BaseSafeOutputItem definition - const baseInterfaceMatch = content.match( - /interface BaseSafeOutputItem\s*{([^}]*)}/ - ); + const baseInterfaceMatch = content.match(/interface BaseSafeOutputItem\s*{([^}]*)}/); expect(baseInterfaceMatch).toBeTruthy(); if (baseInterfaceMatch) { @@ -118,9 +110,7 @@ describe("Safe Output Types Validation", () => { const content = fs.readFileSync(configDefsPath, "utf-8"); // Extract SafeOutputConfig definition - const baseInterfaceMatch = content.match( - /interface SafeOutputConfig\s*{([^}]*)}/ - ); + const baseInterfaceMatch = content.match(/interface SafeOutputConfig\s*{([^}]*)}/); expect(baseInterfaceMatch).toBeTruthy(); if (baseInterfaceMatch) {