Skip to content

Commit 7d4bb46

Browse files
Scope gh-aw workflow secrets to GITHUB_TOKEN (#1475)
Add explicit github-token entries under tools.github and safe-outputs in .github/workflows/java-interop-reviewer.md so the compiled lock file no longer references the gh-aw fallback secret names GH_AW_GITHUB_TOKEN and GH_AW_GITHUB_MCP_SERVER_TOKEN. These names appear in the lock file purely as fallback chain entries that are never set in this repo. A secret-audit report flags by name reference in the YAML, so suppressing them satisfies the audit with no behavior change. Before/after of the 'Secrets used:' header in the lock file: Before: COPILOT_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, GH_AW_GITHUB_TOKEN, GITHUB_TOKEN After: COPILOT_GITHUB_TOKEN, GITHUB_TOKEN Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent f63eab9 commit 7d4bb46

2 files changed

Lines changed: 16 additions & 18 deletions

File tree

external/Java.Interop/.github/workflows/java-interop-reviewer.lock.yml

Lines changed: 14 additions & 18 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

external/Java.Interop/.github/workflows/java-interop-reviewer.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,11 +22,13 @@ network:
2222
- "microsoft.com"
2323
tools:
2424
github:
25+
github-token: ${{ secrets.GITHUB_TOKEN }}
2526
toolsets: [pull_requests, repos]
2627
# Allow reading PR content from external/first-time contributors.
2728
# The /review command is gated to maintainers, so only trusted users can trigger it.
2829
min-integrity: none
2930
safe-outputs:
31+
github-token: ${{ secrets.GITHUB_TOKEN }}
3032
create-pull-request-review-comment:
3133
max: 50
3234
submit-pull-request-review:

0 commit comments

Comments
 (0)