Add runtime if condition for custom token check in determination step

Copilot · pelikhan · Copilot · commit c79b157ff69e · 2026-01-04T00:36:37.000Z
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/workflow/github_lockdown_autodetect_test.go b/pkg/workflow/github_lockdown_autodetect_test.go
@@ -13,46 +13,28 @@ func TestGitHubLockdownAutodetection(t *testing.T) {
 		workflow           string
 		expectedDetectStep bool
 		expectedLockdown   string // "auto" means use step output expression, "true" means hardcoded true, "false" means not present
+		expectIfCondition  bool   // true if step should have if: condition
 		description        string
 	}{
 		{
-			name: "Auto-determination enabled when lockdown not specified and custom token defined",
+			name: "Auto-determination enabled when lockdown not specified",
 			workflow: `---
 on: issues
 engine: copilot
 tools:
   github:
     mode: local
-    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
 # Test Workflow
 
-Test automatic lockdown determination with custom token.
+Test automatic lockdown determination.
 `,
 			expectedDetectStep: true,
 			expectedLockdown:   "auto",
-			description:        "When lockdown is not specified and custom token is defined, determination step should be added",
-		},
-		{
-			name: "No auto-determination when no custom token",
-			workflow: `---
-on: issues
-engine: copilot
-tools:
-  github:
-    mode: local
-    toolsets: [default]
----
-
-# Test Workflow
-
-Test without custom token - should not add determination step.
-`,
-			expectedDetectStep: false,
-			expectedLockdown:   "false",
-			description:        "When no custom token is defined, no determination step should be added",
+			expectIfCondition:  true,
+			description:        "When lockdown is not specified, determination step should be added with if condition",
 		},
 		{
 			name: "No auto-determination when lockdown explicitly set to true",
@@ -63,7 +45,6 @@ tools:
   github:
     mode: local
     lockdown: true
-    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
@@ -73,6 +54,7 @@ Test with explicit lockdown enabled.
 `,
 			expectedDetectStep: false,
 			expectedLockdown:   "true",
+			expectIfCondition:  false,
 			description:        "When lockdown is explicitly true, no determination step and lockdown should be hardcoded",
 		},
 		{
@@ -84,7 +66,6 @@ tools:
   github:
     mode: local
     lockdown: false
-    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
@@ -94,27 +75,28 @@ Test with explicit lockdown disabled.
 `,
 			expectedDetectStep: false,
 			expectedLockdown:   "false",
+			expectIfCondition:  false,
 			description:        "When lockdown is explicitly false, no determination step and no lockdown setting",
 		},
 		{
-			name: "Auto-determination with remote mode and custom token",
+			name: "Auto-determination with remote mode",
 			workflow: `---
 on: issues
 engine: copilot
 tools:
   github:
     mode: remote
-    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
 # Test Workflow
 
-Test auto-determination with remote GitHub MCP and custom token.
+Test auto-determination with remote GitHub MCP.
 `,
 			expectedDetectStep: true,
 			expectedLockdown:   "auto",
-			description:        "Auto-determination should work with remote mode when custom token is defined",
+			expectIfCondition:  true,
+			description:        "Auto-determination should work with remote mode",
 		},
 	}
 
@@ -156,6 +138,13 @@ Test auto-determination with remote GitHub MCP and custom token.
 				t.Errorf("%s: Detection step presence = %v, want %v", tt.description, detectStepPresent, tt.expectedDetectStep)
 			}
 
+			// Check if the step has the if condition when expected
+			if tt.expectIfCondition && detectStepPresent {
+				if !strings.Contains(yaml, "if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''") {
+					t.Errorf("%s: Expected if condition for GH_AW_GITHUB_MCP_SERVER_TOKEN", tt.description)
+				}
+			}
+
 			// Check lockdown configuration based on expected value
 			switch tt.expectedLockdown {
 			case "auto":
@@ -187,13 +176,12 @@ engine: claude
 tools:
   github:
     mode: local
-    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
 # Test Workflow
 
-Test automatic lockdown determination with Claude and custom token.
+Test automatic lockdown determination with Claude.
 `
 
 	// Create temporary directory for test
@@ -228,7 +216,12 @@ Test automatic lockdown determination with Claude and custom token.
 		strings.Contains(yaml, "determine-automatic-lockdown")
 
 	if !detectStepPresent {
-		t.Error("Determination step should be present for Claude engine with custom token")
+		t.Error("Determination step should be present for Claude engine")
+	}
+
+	// Check if the step has the if condition
+	if !strings.Contains(yaml, "if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''") {
+		t.Error("Expected if condition for GH_AW_GITHUB_MCP_SERVER_TOKEN in determination step")
 	}
 
 	// Check if lockdown uses step output expression
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
@@ -47,14 +47,8 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
 	lockdown := getGitHubLockdown(githubTool)
 
 	// Check if automatic lockdown determination step will be generated
-	// This requires: lockdown not explicitly set AND custom token configured
-	customGitHubToken := getGitHubToken(githubTool)
-	var toplevelToken string
-	if workflowData != nil {
-		toplevelToken = workflowData.GitHubToken
-	}
-	hasCustomToken := customGitHubToken != "" || toplevelToken != ""
-	shouldUseStepOutput := !hasGitHubLockdownExplicitlySet(githubTool) && hasCustomToken
+	// The step is always generated when lockdown is not explicitly set
+	shouldUseStepOutput := !hasGitHubLockdownExplicitlySet(githubTool)
 
 	if shouldUseStepOutput {
 		// Use the detected lockdown value from the step output
@@ -64,8 +58,8 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
 
 	toolsets := getGitHubToolsets(githubTool)
 
-	mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t, custom_token=%t, use_step=%t), toolsets=%v, format=%s",
-		githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), hasCustomToken, shouldUseStepOutput, toolsets, r.options.Format)
+	mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t, use_step=%t), toolsets=%v, format=%s",
+		githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), shouldUseStepOutput, toolsets, r.options.Format)
 
 	if r.options.Format == "toml" {
 		r.renderGitHubTOML(yaml, githubTool, workflowData)
diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go
@@ -771,11 +771,10 @@ func replaceExpressionsInPlaywrightArgs(args []string, expressions map[string]st
 }
 
 // generateGitHubMCPLockdownDetectionStep generates a step to determine automatic lockdown mode
-// for GitHub MCP server based on repository visibility. This step is only added when:
+// for GitHub MCP server based on repository visibility. This step is added when:
 // - GitHub tool is enabled AND
-// - lockdown field is not explicitly specified in the workflow configuration AND
-// - A custom GitHub MCP server token is defined (GH_AW_GITHUB_MCP_SERVER_TOKEN exists) AND
-// - Repository is public
+// - lockdown field is not explicitly specified in the workflow configuration
+// The step includes a runtime condition that only executes if GH_AW_GITHUB_MCP_SERVER_TOKEN is defined
 func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, data *WorkflowData) {
 	// Check if GitHub tool is present
 	githubTool, hasGitHub := data.Tools["github"]
@@ -789,19 +788,6 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder,
 		return
 	}
 
-	// Check if custom GitHub MCP server token is defined
-	// The step only applies when GH_AW_GITHUB_MCP_SERVER_TOKEN is explicitly configured
-	customGitHubToken := getGitHubToken(githubTool)
-	toplevelToken := data.GitHubToken
-
-	// Determine if a custom token is being used (not the default fallback)
-	hasCustomToken := customGitHubToken != "" || toplevelToken != ""
-
-	if !hasCustomToken {
-		mcpServersLog.Print("No custom GitHub MCP server token defined, skipping automatic lockdown determination")
-		return
-	}
-
 	mcpServersLog.Print("Generating automatic lockdown determination step for GitHub MCP server")
 
 	// Resolve the latest version of actions/github-script
@@ -816,8 +802,10 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder,
 	}
 
 	// Generate the step using the determine_automatic_lockdown.cjs action
+	// The step only runs if GH_AW_GITHUB_MCP_SERVER_TOKEN secret is defined
 	yaml.WriteString("      - name: Determine automatic lockdown mode for GitHub MCP server\n")
 	yaml.WriteString("        id: determine-automatic-lockdown\n")
+	yaml.WriteString("        if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''\n")
 	fmt.Fprintf(yaml, "        uses: %s\n", pinnedAction)
 	yaml.WriteString("        with:\n")
 	yaml.WriteString("          script: |\n")
