
Commit 931eb83

rolfbjarne and Copilot authored
[gh-aw] Eliminate magic GH_AW_* secret references from lock files (#25765)

The dotnet/macios secret-audit report flags every secret name that appears in a compiled agentic workflow, including the "magic" fallback secrets that gh-aw emits as the tail of its token-resolution chains (`GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`). Those names showed up in all three `*.lock.yml` files even though we never configure them, because gh-aw bakes the full fallback expression into every safe-output handler, into the GitHub MCP server wiring, and into the checkout "Fetch additional refs" step.

Set explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` overrides so the compiler short-circuits each fallback chain before it references the magic names:

- `tools.github.github-token` → replaces the `GH_AW_GITHUB_MCP_SERVER_TOKEN` → `GH_AW_GITHUB_TOKEN` → `GITHUB_TOKEN` chain used by the GitHub MCP server container.
- `safe-outputs.github-token` → replaces the `GH_AW_GITHUB_TOKEN` → `GITHUB_TOKEN` chain used by the safe-output handlers.
- `checkout.github-token` (code-radiator only) → replaces the `GH_AW_GITHUB_MCP_SERVER_TOKEN` → `GH_AW_GITHUB_TOKEN` → `GITHUB_TOKEN` chain used by the "Fetch additional refs" step that `checkout.fetch: ["*"]` generates. `GITHUB_TOKEN` is sufficient to fetch refs from the same repository, so there is no functional change.

`GH_AW_CI_TRIGGER_TOKEN` is intentionally left in place in code-radiator. Unlike the chains above it is **not** a magic fallback: it is the documented secret gh-aw uses to push an empty commit after `create-pull-request` / `push-to-pull-request-branch` so that CI runs on the auto-created merge PRs (pushes made with `GITHUB_TOKEN` do not trigger workflow runs — a GitHub Actions security feature). Overriding it with `GITHUB_TOKEN` would silently stop CI from triggering on those PRs.

This branch also recompiles all three workflows with the locally installed gh-aw compiler (v0.79.8), which refreshes the generated lock files, the `agentics-maintenance.yml` maintenance workflow, `actions-lock.json`, and the gh-aw dependabot ignore entry. After recompiling, the `# Secrets used:` block in each lock file lists only secrets that are actually configured:

| Workflow | Secrets |
|----------|---------|
| `ci-postmortem.lock.yml` | `COPILOT_GITHUB_TOKEN`, `GITHUB_TOKEN` |
| `code-radiator.lock.yml` | `COPILOT_GITHUB_TOKEN`, `GH_AW_CI_TRIGGER_TOKEN`, `GITHUB_TOKEN` |
| `macios-reviewer.lock.yml` | `COPILOT_GITHUB_TOKEN`, `GITHUB_TOKEN` |

`gh aw compile` reports 0 errors on all three workflows.

Inspired by dotnet/android#11685 (commit `dbd72dd`).

🤖 Pull request created by Copilot

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent ed2342f commit 931eb83

10 files changed

Lines changed: 1226 additions & 286 deletions

.github/aw/actions-lock.json

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,10 +25,15 @@
2525
"version": "v7.0.1",
2626
"sha": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
2727
},
28-
"github/gh-aw-actions/setup@v0.77.5": {
28+
"github/gh-aw-actions/setup-cli@v0.79.8": {
29+
"repo": "github/gh-aw-actions/setup-cli",
30+
"version": "v0.79.8",
31+
"sha": "c0338fef4749d08c21f8f975fb0e37efa17dda47"
32+
},
33+
"github/gh-aw-actions/setup@v0.79.8": {
2934
"repo": "github/gh-aw-actions/setup",
30-
"version": "v0.77.5",
31-
"sha": "3ea13c02d765410340d533515cb31a7eef2baaf0"
35+
"version": "v0.79.8",
36+
"sha": "c0338fef4749d08c21f8f975fb0e37efa17dda47"
3237
}
3338
},
3439
"containers": {
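Review bot: both new entries, `github/gh-aw-actions/setup-cli@v0.79.8` and `github/gh-aw-actions/setup@v0.79.8`, pin the identical sha `c0338fef4749d08c21f8f975fb0e37efa17dda47`; that is consistent with two actions living in one repository under one tag, but please confirm the sha against the v0.79.8 tag of github/gh-aw-actions before merging, because a mistyped or stale sha in this lock defeats the pinning the lock exists to provide. The old `setup@v0.77.5` entry is removed rather than left beside the new one, which is the right call; an unreferenced version in the lock would only invite confusion about which pin is live.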

.github/dependabot.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,8 @@ updates:
33
default-days: 7
44
directory: /
55
ignore:
6-
- dependency-name: "github/gh-aw-actions/**" # Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump.
6+
- dependency-name: "github/gh-aw-actions/**"
7+
- dependency-name: "github/gh-aw-actions" # Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump.
78
package-ecosystem: github-actions
89
schedule:
910
interval: weekly
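Review bot: the explanatory comment (`# Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump.`) now hangs only on the new `- dependency-name: "github/gh-aw-actions"` line, leaving the `"github/gh-aw-actions/**"` glob entry above it uncommented; move the comment to its own line above both entries (or repeat it) so the glob entry is not mistaken for a leftover and dropped in a later cleanup. A short note on why both spellings are needed would also help, presumably because the `/**` glob does not cover a reference to the bare repository name; stating that saves the next reader the guess.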

.github/workflows/agentics-maintenance.yml

Lines changed: 608 additions & 0 deletions
Large diffs are not rendered by default.

.github/workflows/ci-postmortem.lock.yml

Lines changed: 188 additions & 87 deletions
Some generated files are not rendered by default.

.github/workflows/ci-postmortem.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,9 +19,11 @@ network:
1919
- "vsassets.io"
2020
tools:
2121
github:
22+
github-token: ${{ secrets.GITHUB_TOKEN }}
2223
toolsets: [issues, repos]
2324
min-integrity: none
2425
safe-outputs:
26+
github-token: ${{ secrets.GITHUB_TOKEN }}
2527
create-issue:
2628
max: 20
2729
add-comment:
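Review bot: pinning `tools.github.github-token` and `safe-outputs.github-token` to `${{ secrets.GITHUB_TOKEN }}` ties the MCP server and the `create-issue` / `add-comment` handlers to the job's own installation token, whose scope is set by the workflow's `permissions:` block rather than by whatever the old fallback chain could have resolved to; confirm that the regenerated `ci-postmortem.lock.yml` grants `issues: write` plus the read scopes the `[issues, repos]` toolsets need, otherwise these handlers will start failing with 403s after the override. The direction is right (least privilege, no ambient PAT), so the only check is that the existing permission set was already sufficient.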

.github/workflows/code-radiator.lock.yml

Lines changed: 211 additions & 100 deletions
Some generated files are not rendered by default.

.github/workflows/code-radiator.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,13 +18,16 @@ network:
1818
- github
1919
tools:
2020
github:
21+
github-token: ${{ secrets.GITHUB_TOKEN }}
2122
toolsets: [pull_requests, repos]
2223
min-integrity: approved
2324
bash: true
2425
checkout:
26+
github-token: ${{ secrets.GITHUB_TOKEN }}
2527
fetch: ["*"]
2628
fetch-depth: 0
2729
safe-outputs:
30+
github-token: ${{ secrets.GITHUB_TOKEN }}
2831
max-patch-files: 1000
2932
max-patch-size: 10240
3033
create-pull-request:
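Review bot: `checkout.github-token: ${{ secrets.GITHUB_TOKEN }}` next to `fetch: ["*"]` and `fetch-depth: 0` means the generated "Fetch additional refs" step now authenticates with a token scoped to this repository only, which is exactly the assumption the commit message relies on; put that assumption in a one-line comment on the `github-token` line so a later change that fetches from another repository does not hit an unexplained auth failure. Likewise, the reason the `safe-outputs` override is safe for `create-pull-request` but `GH_AW_CI_TRIGGER_TOKEN` must stay unoverridden (pushes made with `GITHUB_TOKEN` do not trigger workflow runs) lives only in the commit message; a comment beside `safe-outputs.github-token` would keep a future secret-audit pass from "cleaning up" the trigger token too.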

.github/workflows/macios-reviewer.lock.yml

Lines changed: 201 additions & 94 deletions
Some generated files are not rendered by default.

.github/workflows/macios-reviewer.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,9 +24,11 @@ network:
2424
- "vsassets.io"
2525
tools:
2626
github:
27+
github-token: ${{ secrets.GITHUB_TOKEN }}
2728
toolsets: [pull_requests, repos]
2829
min-integrity: approved
2930
safe-outputs:
31+
github-token: ${{ secrets.GITHUB_TOKEN }}
3032
create-pull-request-review-comment:
3133
max: 50
3234
submit-pull-request-review:
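Review bot: neither `github-token: ${{ secrets.GITHUB_TOKEN }}` line carries a comment, and nothing in `macios-reviewer.md` says the overrides exist to stop the compiler from emitting the `GH_AW_*` fallback chains; since the lock file is regenerated from this front matter, a reader of the `.md` later has no way to tell a deliberate override from a redundant restatement of the default and may remove it. Suggest a comment such as `# explicit override: keeps gh-aw from emitting GH_AW_* fallback secrets` above the `tools.github` and `safe-outputs` entries, matching whatever wording the other two workflow files end up using.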

.github/workflows/zizmor.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ jobs:
2525
- name: Find workflow files
2626
id: find-files
2727
run: |
28-
files=$(find .github/workflows -name '*.yml' ! -name '*.lock.yml' | sort | tr '\n' ' ')
28+
files=$(find .github/workflows -name '*.yml' ! -name '*.lock.yml' ! -name 'agentics-maintenance.yml' | sort | tr '\n' ' ')
2929
echo "files=$files" >> "$GITHUB_OUTPUT"
3030
3131
- name: Run zizmor
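Review bot: the added `! -name 'agentics-maintenance.yml'` drops a workflow that actually runs in this repository from the zizmor scan, on top of the existing `*.lock.yml` exclusion; generated YAML still executes with real permissions, so this is a coverage gap rather than a no-op. If the rationale is that findings in generated files cannot be fixed in place, state it in a comment next to the `find`, and consider scanning the generated files in a separate non-blocking step instead of excluding them outright. Minor, pre-existing: the list is built with `tr '\n' ' '` and consumed via word splitting, which works for the names under `.github/workflows` today but would break on a filename containing spaces.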
