
fix: use CREATE_PR_PAT for agentic workflows in Microsoft org #144

Merged
sergio-sisternes-epam merged 2 commits into main from fix/agentic-workflows-pat
Mar 3, 2026

Conversation

@danielmeppiel (Collaborator)

Summary

Fixes #143 — Daily Test Improver (and Daily Doc Updater) fail with create_pull_request: GitHub Actions is not permitted to create or approve pull requests because the Microsoft org blocks GITHUB_TOKEN from creating PRs.

Changes

  • daily-test-improver.md: Added github-token: ${{ secrets.CREATE_PR_PAT }} to safe-outputs
  • daily-doc-updater.md: Added github-token: ${{ secrets.CREATE_PR_PAT }} to safe-outputs
  • Recompiled all workflows via gh aw compile

Prerequisites

A fine-grained PAT stored as the CREATE_PR_PAT repository secret with these permissions on microsoft/apm:

  • Contents: Read & Write
  • Pull requests: Read & Write
  • Issues: Read & Write
  • Metadata: Read

GitHub Actions GITHUB_TOKEN cannot create PRs in the Microsoft org.
Add github-token secret to safe-outputs in daily-test-improver and
daily-doc-updater workflows, then recompile via gh aw compile.

Fixes #143
Copilot AI review requested due to automatic review settings March 3, 2026 21:58

Copilot AI (Contributor) left a comment


Pull request overview

Updates gh-aw “agentic” workflows to use a fine-grained PAT (CREATE_PR_PAT) for PR-creation related operations, addressing Microsoft org restrictions that prevent GITHUB_TOKEN from creating/approving PRs.

Changes:

  • Add safe-outputs.github-token: ${{ secrets.CREATE_PR_PAT }} to the Daily Test Improver and Daily Documentation Updater workflow sources.
  • Recompiled gh-aw workflows so the generated .lock.yml workflows consistently use CREATE_PR_PAT and redact it.
  • Regenerated gh-aw maintenance workflow and updated the actions lockfile to include the new gh-aw setup action pin.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Files reviewed:

  • .github/workflows/daily-test-improver.md: Configures safe-outputs to use CREATE_PR_PAT for workflow GitHub operations.
  • .github/workflows/daily-test-improver.lock.yml: Generated workflow updated to use CREATE_PR_PAT in relevant steps and redaction config.
  • .github/workflows/daily-doc-updater.md: Configures safe-outputs to use CREATE_PR_PAT for PR creation.
  • .github/workflows/daily-doc-updater.lock.yml: Generated workflow updated to use CREATE_PR_PAT in relevant steps and redaction config.
  • .github/workflows/agentics-maintenance.yml: Regenerated maintenance workflow (gh-aw v0.52.1) including new manual operation dispatch path.
  • .github/aw/actions-lock.json: Adds pinned SHA entry for github/gh-aw/actions/setup@v0.52.1.

Comments suppressed due to low confidence (5)

.github/workflows/daily-test-improver.md:35

  • This hard-requires the CREATE_PR_PAT secret and drops the existing fallback token chain used by other gh-aw workflows in this repo (e.g. secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN). Consider making CREATE_PR_PAT the first option but keeping a fallback (PAT-first) so the workflow still runs in environments where the secret isn’t configured yet, while still fixing the Microsoft org restriction.
safe-outputs:
  github-token: ${{ secrets.CREATE_PR_PAT }}
  add-comment:

.github/workflows/daily-test-improver.md:34

  • This workflow now depends on a new repo secret (CREATE_PR_PAT) to function in Microsoft orgs. Per the docs-up-to-date guideline, please add a short note in the docs/ documentation (e.g., under the GitHub Actions authentication section) explaining when CREATE_PR_PAT is required and the minimal permissions it needs.

safe-outputs:
  github-token: ${{ secrets.CREATE_PR_PAT }}

.github/workflows/daily-doc-updater.md:34

  • Same as daily-test-improver: consider making this PAT-first but not PAT-only. Keeping a fallback chain (CREATE_PR_PAT → existing GH_AW_* secrets → GITHUB_TOKEN) matches the pattern in other compiled gh-aw workflows in this repo and avoids hard failures when the secret isn’t configured yet.
safe-outputs:
  github-token: ${{ secrets.CREATE_PR_PAT }}
  create-pull-request:

.github/workflows/daily-doc-updater.md:34

  • Please document the new CREATE_PR_PAT prerequisite in docs/ (recommended location: the GitHub Actions auth section) so maintainers know how to configure the secret and why GITHUB_TOKEN is insufficient in the Microsoft org.
safe-outputs:
  github-token: ${{ secrets.CREATE_PR_PAT }}
  create-pull-request:

.github/workflows/agentics-maintenance.yml:103

  • This recompile introduces new behavior beyond the CREATE_PR_PAT change: a workflow_dispatch input plus a new run_operation job with actions: write / contents: write / pull-requests: write permissions that can run disable|enable|update|upgrade. If this is intended, it should be called out explicitly in the PR description; if it’s unintended, consider compiling with the prior gh-aw version or splitting this into a separate PR for review.
  schedule:
    - cron: "37 */6 * * *"  # Every 6 hours (based on minimum expires: 2 days)
  workflow_dispatch:
    inputs:
      operation:
        description: 'Optional maintenance operation to run'
        required: false
        type: choice
        default: ''
        options:
          - ''
          - 'disable'
          - 'enable'
          - 'update'
          - 'upgrade'

permissions: {}

jobs:
  close-expired-entities:
    if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
    runs-on: ubuntu-slim
    permissions:
      discussions: write
      issues: write
      pull-requests: write
    steps:
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@a86e657586e4ac5f549a790628971ec02f6a4a8f # v0.52.1
        with:
          destination: /opt/gh-aw/actions

      - name: Close expired discussions
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs');
            await main();

      - name: Close expired issues
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs');
            await main();

      - name: Close expired pull requests
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs');
            await main();

  run_operation:
    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation != '' && !github.event.repository.fork }}
    runs-on: ubuntu-slim
    permissions:
      actions: write
      contents: write
      pull-requests: write
    steps:
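
The fragment below is an added illustration, not workflow source from microsoft/apm. It covers two passages of this page: the safe-outputs change and the CREATE_PR_PAT permission table in the PR description, and the PAT-first fallback chain the review comments ask for. The secret names (CREATE_PR_PAT, GH_AW_GITHUB_MCP_SERVER_TOKEN, GH_AW_GITHUB_TOKEN, GITHUB_TOKEN) and the github-token lines are taken from the page; the GitHub Actions `||` expression semantics are standard, but whether gh-aw frontmatter accepts such an expression under `safe-outputs.github-token` is an assumption, as is the bare `create-pull-request:` key shown without its sub-keys.

```yaml
# Added example, not microsoft/apm's own workflow file.
# Frontmatter excerpt, variant A: what this PR ships (PAT-only).
# If the CREATE_PR_PAT repository secret is missing, the expression
# evaluates to an empty string and the workflow fails hard rather
# than degrading to another token.
---
safe-outputs:
  github-token: ${{ secrets.CREATE_PR_PAT }}
  create-pull-request:

# Variant B: PAT-first with the fallback chain the review suggests.
# `||` in a GitHub Actions expression yields the first non-empty
# operand, so CREATE_PR_PAT is used wherever it is configured and the
# workflow still runs in repos where GITHUB_TOKEN may open PRs.
# Assumption: gh-aw passes this expression through unchanged.
---
safe-outputs:
  github-token: ${{ secrets.CREATE_PR_PAT || secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
  create-pull-request:

# Fine-grained PAT behind CREATE_PR_PAT, per the PR description:
#   Contents      Read & Write   (push the branch the PR is opened from)
#   Pull requests Read & Write   (create the PR)
#   Issues        Read & Write   (add-comment safe-output)
#   Metadata      Read           (always required for fine-grained PATs)
# Keep the PAT scoped to the single repository, give it an expiry, and
# confirm the compiled .lock.yml lists it in the redaction config so it
# never appears in job logs.
```

Variant B trades a hard failure for a silent downgrade: when the PAT is absent the job proceeds with a weaker token and only fails at the create_pull_request step, with the same error message that motivated this PR. Whichever variant is chosen, the permission comment block is the least-privilege baseline the page itself states; a classic PAT with broad repo scope is not needed for this workflow.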

@sergio-sisternes-epam sergio-sisternes-epam merged commit 0e5acde into main Mar 3, 2026
6 checks passed
@sergio-sisternes-epam sergio-sisternes-epam deleted the fix/agentic-workflows-pat branch March 3, 2026 23:41
danielmeppiel added a commit to microsoft/homebrew-apm that referenced this pull request Mar 9, 2026
- Formula: update to v0.7.5 with correct SHA256 checksums
- Workflow: replace github.token with secrets.CREATE_PR_PAT for PR creation

The default GITHUB_TOKEN cannot push branches or create PRs in Microsoft
org repos due to org-level policy restrictions. This is the same fix
applied to the apm repo itself (microsoft/apm#144).


Development

Successfully merging this pull request may close these issues.

[aw] Daily Test Improver failed

3 participants