[gh-aw] Eliminate magic GH_AW_* secret references from lock files #11685
Merged
Conversation
The dotnet/android secret-audit report flags every secret name that appears
in a compiled workflow, including the "magic" fallback secrets that gh-aw
emits as the tail of its token-resolution chain (`GH_AW_GITHUB_TOKEN` and
`GH_AW_GITHUB_MCP_SERVER_TOKEN`). Those names showed up in both
`*.lock.yml` files even though we never set those secrets in the
`copilot-pr-reviewer` environment, because gh-aw bakes the full fallback
expression into every safe-output handler and into the GitHub MCP server
wiring.
Set explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` overrides at two
levels so the compiler short-circuits both fallback chains before they
reference the magic names:
- `safe-outputs.github-token` -> replaces the
`safe-output.github-token` -> `GH_AW_AGENT_TOKEN` ->
`GH_AW_GITHUB_TOKEN` -> `GITHUB_TOKEN` chain that safe-output handlers
(`create-issue`, `create-pull-request-review-comment`,
`submit-pull-request-review`) use.
- `tools.github.github-token` -> replaces the
`GH_AW_GITHUB_MCP_SERVER_TOKEN` -> `GH_AW_GITHUB_TOKEN` ->
`GITHUB_TOKEN` chain that the GitHub MCP server container uses.
The existing `assign-to-agent.github-token: ${{ secrets.ANDROID_TEAM_PAT }}`
override is left alone -- the Copilot assignment API requires a user-owned
fine-grained PAT and rejects `GITHUB_TOKEN`.
`GITHUB_TOKEN` is the correct choice (not `COPILOT_GITHUB_TOKEN`) for these
overrides because `COPILOT_GITHUB_TOKEN` is scoped to "Copilot Requests:
Read" only -- it has no `issues: write` / `pull-requests: write` scopes and
would 403 on every safe-output write. The safe-output processing jobs that
gh-aw generates run with their own elevated `permissions:` block, so the
default `GITHUB_TOKEN` already has the scopes they need.
After recompiling, the `# Secrets used:` block (and the machine-readable
`gh-aw-manifest:` JSON) in each lock file lists only secrets that are
actually configured:
nightly-fix-finder.lock.yml: ANDROID_TEAM_PAT, COPILOT_GITHUB_TOKEN,
GITHUB_TOKEN
android-reviewer.lock.yml: COPILOT_GITHUB_TOKEN, GITHUB_TOKEN
`gh aw compile` reports 0 errors / 0 warnings on both workflows.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
This PR updates the gh-aw workflow source files so the generated lock workflows no longer contain references to gh-aw’s “magic” fallback secret names (GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN). This reduces false positives in secret-audit output while keeping the workflows functionally equivalent (they were already falling back to GITHUB_TOKEN when the magic secrets were unset).
Changes:
- Add explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` overrides to `safe-outputs` and to `tools.github` in both workflows.
- Regenerate both `*.lock.yml` files so compiled output (and the `# Secrets used:` manifest) no longer includes the gh-aw magic secret names.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/nightly-fix-finder.md | Sets explicit safe-outputs.github-token and tools.github.github-token to short-circuit gh-aw fallback chains. |
| .github/workflows/nightly-fix-finder.lock.yml | Regenerated compiled workflow; removes GH_AW_* secret-name references from expressions and manifest. |
| .github/workflows/android-reviewer.md | Sets explicit tools.github.github-token and safe-outputs.github-token to avoid magic secret-name fallbacks. |
| .github/workflows/android-reviewer.lock.yml | Regenerated compiled workflow; removes GH_AW_* secret-name references from expressions and manifest. |
simonrozsival
approved these changes
Jun 17, 2026
Pull Request title and description should follow the `commit-messages.md` workflow documentation, and in particular should include: `gh aw compile` which reports 0 errors / 0 warnings)

Why
The dotnet/android secret-audit report flags every secret name that appears in a compiled gh-aw workflow, including the "magic" fallback secrets that gh-aw bakes into every token-resolution chain (`GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`). Those names showed up in both `*.lock.yml` files even though we never set those secrets in the `copilot-pr-reviewer` environment, because gh-aw emits the full fallback expression as the default in every safe-output handler and in the GitHub MCP server wiring.

Approach
Set explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` overrides at two levels in both `nightly-fix-finder.md` and `android-reviewer.md` so the compiler short-circuits both fallback chains before they reference the magic names:
- `safe-outputs.github-token` replaces the `safe-output.github-token` → `GH_AW_AGENT_TOKEN` → `GH_AW_GITHUB_TOKEN` → `GITHUB_TOKEN` chain used by safe-output handlers (`create-issue`, `create-pull-request-review-comment`, `submit-pull-request-review`).
- `tools.github.github-token` replaces the `GH_AW_GITHUB_MCP_SERVER_TOKEN` → `GH_AW_GITHUB_TOKEN` → `GITHUB_TOKEN` chain used by the GitHub MCP server container.
The existing `assign-to-agent.github-token: ${{ secrets.ANDROID_TEAM_PAT }}` override in the nightly workflow is left alone — the Copilot assignment API requires a user-owned fine-grained PAT and rejects `GITHUB_TOKEN`.

Why `GITHUB_TOKEN` (not `COPILOT_GITHUB_TOKEN`)
`COPILOT_GITHUB_TOKEN` is scoped to "Copilot Requests: Read" only — it has no `issues: write` / `pull-requests: write` scopes and would 403 on every safe-output write. The safe-output processing jobs that gh-aw generates run with their own elevated `permissions:` block, so the built-in `GITHUB_TOKEN` already has exactly the scopes they need.

Result
After recompiling, the `# Secrets used:` block (and the machine-readable `gh-aw-manifest:` JSON) in each lock file lists only secrets that are actually configured in the `copilot-pr-reviewer` environment:

| Lock file | Before | After |
|---|---|---|
| `nightly-fix-finder.lock.yml` | `ANDROID_TEAM_PAT`, `COPILOT_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GITHUB_TOKEN` | `ANDROID_TEAM_PAT`, `COPILOT_GITHUB_TOKEN`, `GITHUB_TOKEN` |
| `android-reviewer.lock.yml` | `COPILOT_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GITHUB_TOKEN` | `COPILOT_GITHUB_TOKEN`, `GITHUB_TOKEN` |

No stray `GH_AW_GITHUB_TOKEN` or `GH_AW_GITHUB_MCP_SERVER_TOKEN` strings remain anywhere in the lock-file bodies. `gh aw compile` reports 0 errors / 0 warnings on both workflows.
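The token-resolution chains and the secret-audit check described in the PR description (and restated in the Why/Result sections above), as an added example that is not part of this PR or of gh-aw's own tooling: a small Python auditor that extracts every `secrets.NAME` referenced inside `${{ }}` expressions in a compiled lock file, reads the `# Secrets used:` header block, and reports which referenced names are magic `GH_AW_*` fallbacks, which are not configured in the environment, and which the header fails to declare. The two lock-file snippets, the env var name `MCP_SERVER_TOKEN`, and the bullet-list layout of the `# Secrets used:` block are constructed assumptions for the example, not copied from the real compiled workflows.

```python
"""Audit a compiled gh-aw *.lock.yml for secret-name references.

Added example, not gh-aw's own tooling. The lock-file snippets below are
constructed to mirror the fallback chains the PR describes; env var names
and the exact layout of the "# Secrets used:" block are assumptions.
"""
from __future__ import annotations

import re

# Only the bodies of ${{ ... }} expressions are scanned, so a secret name
# that merely appears in a comment is not counted as a reference.
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
SECRET_REF_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
# Assumed header layout: "# Secrets used:" followed by "#   - NAME" lines.
SECRETS_HEADER_RE = re.compile(r"^#\s*Secrets used:.*$")
NAME_RE = re.compile(r"\b[A-Z][A-Z0-9_]+\b")


def referenced_secrets(lock_yaml: str) -> set[str]:
    """Every secret name referenced from an expression in the lock file."""
    names: set[str] = set()
    for expr in EXPR_RE.findall(lock_yaml):
        names.update(SECRET_REF_RE.findall(expr))
    return names


def declared_secrets(lock_yaml: str) -> set[str]:
    """Secret names listed in the '# Secrets used:' header block."""
    names: set[str] = set()
    in_block = False
    for line in lock_yaml.splitlines():
        if SECRETS_HEADER_RE.match(line):
            in_block = True
            # Tolerate an inline comma list after the colon as well.
            names.update(NAME_RE.findall(line.split(":", 1)[1]))
            continue
        if in_block:
            body = line.lstrip("#").strip()
            if not line.startswith("#") or not body.startswith("-"):
                break  # end of the bullet list
            names.update(NAME_RE.findall(body))
    return names


def audit(lock_yaml: str, configured: set[str]) -> dict[str, set[str]]:
    """Compare referenced names against the header and the configured set."""
    refs = referenced_secrets(lock_yaml)
    return {
        "referenced": refs,
        "magic": {n for n in refs if n.startswith("GH_AW_")},
        "unconfigured": refs - configured,
        "undeclared": refs - declared_secrets(lock_yaml),
    }


# Constructed snippet: compiled expressions with the full fallback chains
# baked in, the state the PR description calls "before recompiling".
BEFORE = """\
# Secrets used:
#   - COPILOT_GITHUB_TOKEN
#   - GH_AW_AGENT_TOKEN
#   - GH_AW_GITHUB_MCP_SERVER_TOKEN
#   - GH_AW_GITHUB_TOKEN
#   - GITHUB_TOKEN

jobs:
  agent:
    steps:
      - name: Start GitHub MCP server
        env:
          MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  safe_outputs:
    steps:
      - name: Create issue
        env:
          GITHUB_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
"""

# Constructed snippet: the same expressions after the explicit
# github-token overrides short-circuit both chains.
AFTER = """\
# Secrets used:
#   - COPILOT_GITHUB_TOKEN
#   - GITHUB_TOKEN

jobs:
  agent:
    steps:
      - name: Start GitHub MCP server
        env:
          MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  safe_outputs:
    steps:
      - name: Create issue
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Secrets actually set in the environment (constructed for the example).
CONFIGURED = {"COPILOT_GITHUB_TOKEN", "GITHUB_TOKEN"}

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        report = audit(text, CONFIGURED)
        print(label, {k: sorted(v) for k, v in report.items()})
```

Run as a script it prints both reports; wired into CI, failing the job whenever `unconfigured` or `undeclared` is non-empty gives the same signal the dotnet/android secret-audit report produces, but at compile time, before a lock file that references a secret nobody set is merged. Scanning only expression bodies is deliberate: the header comment itself names the secrets, and counting those as references would make every lock file look like it uses every secret it declares.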