
Add configuration for activation GitHub token#19427

Draft
Copilot wants to merge 5 commits into main from copilot/configure-github-token-activation

Conversation


Copilot AI commented Mar 3, 2026

Adds support for configuring a custom GitHub token or GitHub App in the on: section of workflow frontmatter. The token is used in the activation job for both reactions and status comments.

New fields

on:
  github-token: ${{ secrets.MY_TOKEN }}   # use a custom PAT for reactions/comments
  # OR
  github-app:
    app-id: ${{ vars.APP_ID }}            # mint a short-lived app token instead
    private-key: ${{ secrets.APP_KEY }}

Changes

  • Schema (main_workflow_schema.json): added github-token (string) and github-app (object with app-id, private-key, owner, repositories) to the on: object
  • Extraction (role_checks.go): extractActivationGitHubToken / extractActivationGitHubApp pull the new fields from the on: map; wired into the orchestrator alongside extractRoles/extractBots
  • Reaction step moved to activation job (compiler_activation_job.go): the reaction step is now in the activation job alongside the status comment step, so both use the same configured token. A single Generate GitHub App token for activation step (id: activation-app-token) is minted once before both steps when on.github-app is set.
  • Pre-activation job simplified (compiler_pre_activation_job.go): removed the reaction step and the issues/pull-requests/discussions: write permissions that were there solely for reactions
  • Token resolution (safe_outputs_app.go): buildActivationAppTokenMintStep and resolveActivationToken encapsulate token-minting and resolution logic (app token → custom token → GITHUB_TOKEN)
  • YAML generation (compiler_safe_outputs.go, frontmatter_extraction_yaml.go): github-token and github-app are filtered/commented out from the emitted on: block, matching the treatment of reaction, stop-after, etc.
  • smoke-copilot (.github/workflows/smoke-copilot.md): added github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} to exercise the new feature end-to-end; the compiled lock file now uses this token for both the reaction and status-comment steps in the activation job
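As an added example (not code from this PR or from gh-aw), the extraction and resolution order described above in Go: pull github-token / github-app out of the on: map, validate them, and pick the token expression the reaction and status-comment steps share. The function names parseActivationToken and resolveActivationToken, and the steps.<id>.outputs.token expression for the minted app token, are assumptions.

```go
package main

import "fmt"

// activationApp mirrors on.github-app (hypothetical type; only app-id and private-key are checked).
type activationApp struct{ AppID, PrivateKey string }

// activationToken is what extraction pulls from the on: map.
type activationToken struct {
	Token string         // on.github-token expression, if set
	App   *activationApp // on.github-app, if set
}

// parseActivationToken extracts github-token / github-app from the frontmatter on: map.
func parseActivationToken(on map[string]any) (activationToken, error) {
	var cfg activationToken
	if v, ok := on["github-token"]; ok {
		s, isStr := v.(string)
		if !isStr || s == "" {
			return cfg, fmt.Errorf("on.github-token must be a non-empty string")
		}
		cfg.Token = s
	}
	if v, ok := on["github-app"]; ok {
		m, isMap := v.(map[string]any)
		if !isMap {
			return cfg, fmt.Errorf("on.github-app must be an object")
		}
		app := &activationApp{}
		app.AppID, _ = m["app-id"].(string)
		app.PrivateKey, _ = m["private-key"].(string)
		if app.AppID == "" || app.PrivateKey == "" {
			return cfg, fmt.Errorf("on.github-app requires app-id and private-key")
		}
		cfg.App = app
	}
	return cfg, nil
}

// resolveActivationToken: minted app token, else custom token, else default GITHUB_TOKEN.
func resolveActivationToken(cfg activationToken, mintStepID string) string {
	if cfg.App != nil {
		return fmt.Sprintf("${{ steps.%s.outputs.token }}", mintStepID)
	}
	if cfg.Token != "" {
		return cfg.Token
	}
	return "${{ secrets.GITHUB_TOKEN }}"
}
```

When both keys are present the app token wins, which matches the app token → custom token → GITHUB_TOKEN order in the description.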


…s and status comments

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

@pelikhan pelikhan left a comment


@copilot move the add reaction step and the add status comment step into the activation step so that it uses the token. Update the pre-activation/activation permissions accordingly

…ithub-app

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 3, 2026

@copilot move the add reaction step and the add status comment step into the activation step so that it uses the token. Update the pre-activation/activation permissions accordingly

Done in f55d268. The reaction step is now in the activation job alongside the status comment step. Key changes:

  • Removed reaction step and its write permissions (issues/pull-requests/discussions: write) from the pre-activation job
  • Added reaction step early in the activation job (right after setup/checkout, before the timestamp check)
  • A single app token mint step (id: activation-app-token) is now generated once in the activation job if on.github-app is configured and either reaction or status-comment is enabled — both steps share the same token

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Add configuration for activation GitHub token Add configuration for activation GitHub token Mar 3, 2026

pelikhan commented Mar 3, 2026

@copilot enable status-comment on smoke-copilot

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 3, 2026

@copilot enable status-comment on smoke-copilot

Done in 0e5f738. Added github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} to the on: section of smoke-copilot.md. The compiled lock file now uses that token for both the reaction step and the add-comment (status-comment) step in the activation job.


3 participants