
Security: replace token-in-URL with credential helper in security-review.lock.yml#95

Draft
Copilot wants to merge 2 commits into main from copilot/fix-github-token-issue

Conversation

Contributor

Copilot AI commented Feb 19, 2026

Summary

security-review.lock.yml (auto-generated by gh aw compile) embeds ${{ github.token }} directly in the git remote URL, writing the token into .git/config where it can be read via git remote -v. Replaces both occurrences with the inline credential helper pattern already established in monorepo-release.yml and python-release.yml.

Before (token persisted in .git/config):

env:
  REPO_NAME: ${{ github.repository }}
  SERVER_URL: ${{ github.server_url }}
run: |
  SERVER_URL_STRIPPED="${SERVER_URL#https://}"
  git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"

After (token used transiently, never written to config or URL):

env:
  GH_TOKEN: ${{ github.token }}
run: |
  git config --global credential.helper '!f() { printf "username=x-access-token\npassword=%s\n" "$GH_TOKEN"; }; f'

Both Configure Git credentials steps are updated (present in the activation and activation_retry jobs). Note: this file is auto-generated — an upstream fix to gh-aw is the proper long-term resolution.

Testing

  • Other: CodeQL scan (0 alerts), automated code review (no findings)

Checklist

  • Linked issue or task reference
  • Added/updated tests where relevant
  • Updated docs/README if needed
  • No secrets or sensitive data added
  • Considered backward compatibility and deployment impact

Additional context

  • The root cause lives upstream in gh aw compile (v0.46.3). Consider opening an issue/PR against the gh-aw project to adopt the credential helper approach so compiled lock files are safe by default.
Original prompt

This section details the original issue you should resolve

<issue_title>Security: GitHub token embedded in git remote URL in auto-generated lock file</issue_title>
<issue_description>
Summary

The auto-generated file .github/workflows/security-review.lock.yml embeds the GitHub token directly in the git remote URL:

git remote set-url origin "(x-access-token/redacted):${{ github.token }}@${SERVER_URL_STRIPPED}/…"

GitHub Actions masks known secrets in step log output, but the token is written into the git remote configuration (.git/config or the equivalent in-memory config), meaning it can be read via git remote -v output within the same job, which may or may not be masked depending on context.

Suggested Fix

Adopt the safer inline credential helper pattern (already used in the hand-authored monorepo-release.yml and python-release.yml workflows) that never persists the token:

git -c "credential.helper=!f() { printf 'username=x-access-token\npassword=%s\n' \"${GH_TOKEN}\"; }; f" \
  push "$REMOTE" "$TAG"

Root Cause

This file is auto-generated by gh aw compile. The fix should be made upstream in the gh-aw tooling. Consider opening an upstream issue/PR with the gh-aw project to adopt the credential helper approach.

Location

  • File: .github/workflows/security-review.lock.yml
  • Line: 305

Context

  • Category: Authentication and Authorization / Secrets and Credentials
  • Severity: Low (informational)
  • Review comment:

    The GitHub token is embedded directly in the remote URL. GitHub Actions masks known secrets in step log output, but the token is written into the git remote configuration.

Related PR: #51

Generated by PR Review Comment Handler for issue #51

Comments on the Issue (you are @copilot in this section)
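
Added illustration, not code from this PR or from the gh-aw project: a POSIX shell sketch of the credential-helper protocol that the "after" step above relies on, together with a check a reviewer can run over a .git/config to confirm that no remote URL still carries a token. The config text, the token value ghs_CONSTRUCTED_EXAMPLE and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PR or from gh-aw. Demonstrates the
# credential-helper protocol behind the PR's "after" step and a check for
# token-bearing remote URLs in a git config. All sample data is constructed.

# Stand-in for the PR's inline helper. git invokes a helper as
# `<helper> <action>` with the request (protocol=, host=, ...) on stdin and
# reads `key=value` lines back. Only "get" is answered; the token is read
# from GH_TOKEN at call time and never written to disk.
gh_cred_helper() {
    action="$1"
    # drain git's request lines; a blank line (or EOF) ends the request
    while IFS= read -r req_line; do
        [ -n "$req_line" ] || break
    done
    [ "$action" = "get" ] || return 0
    printf 'username=x-access-token\npassword=%s\n' "$GH_TOKEN"
}

# Succeeds when a URL carries credentials in its userinfo part, e.g.
# https://x-access-token:TOKEN@github.com/owner/repo.git
url_has_embedded_secret() {
    case "$1" in
        *://*:*@*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Reads git-config text on stdin and prints every `url = ...` value that
# embeds a secret; prints nothing for a clean config.
find_token_urls() {
    while IFS= read -r line; do
        case "$line" in
            *"url = "*)
                url="${line#*url = }"
                if url_has_embedded_secret "$url"; then
                    printf '%s\n' "$url"
                fi
                ;;
        esac
    done
}

# Number of token-bearing remote URLs in the config text given as $1.
count_token_urls() {
    printf '%s\n' "$1" | find_token_urls | wc -l | tr -d ' '
}

# Constructed: what the "before" step leaves behind in .git/config.
CONFIG_BEFORE='[remote "origin"]
        url = https://x-access-token:ghs_CONSTRUCTED_EXAMPLE@github.com/example/repo.git
        fetch = +refs/heads/*:refs/remotes/origin/*'

# Constructed: the same repo after the "after" step. The single-quoted helper
# text is stored verbatim, so the file holds the literal "$GH_TOKEN", not the
# token value.
CONFIG_AFTER='[remote "origin"]
        url = https://github.com/example/repo.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[credential]
        helper = !f() { printf "username=x-access-token\npassword=%s\n" "$GH_TOKEN"; }; f'

# Stand-alone demo: scan both constructed configs, then answer one "get".
printf 'before: %s token-bearing url(s)\n' "$(count_token_urls "$CONFIG_BEFORE")"
printf 'after:  %s token-bearing url(s)\n' "$(count_token_urls "$CONFIG_AFTER")"
GH_TOKEN="ghs_CONSTRUCTED_EXAMPLE"
export GH_TOKEN
printf 'protocol=https\nhost=github.com\n\n' | gh_cred_helper get
```

The point the check makes concrete: with the "before" step the token is part of the remote URL, so anything that prints the remote (for example `git remote -v`) prints the token; with the "after" step git persists only the helper text, and the token value exists only in the helper's environment while git is asking for credentials. Running `find_token_urls` over the real `.git/config` after the step is a cheap way to verify the change in a job.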



…iew.lock.yml

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix GitHub token exposure in auto-generated lock file" to "Security: replace token-in-URL with credential helper in security-review.lock.yml" on Feb 19, 2026
Copilot AI requested a review from pmalarme February 19, 2026 22:28

Development

Successfully merging this pull request may close these issues.

Security: GitHub token embedded in git remote URL in auto-generated lock file
