Fix codeowner-update auth: add github-token for PR creation#871
aaronpowell merged 1 commit into staged from
Conversation
The default GITHUB_TOKEN cannot push branches in this org. Add explicit github-token using GH_AW_GITHUB_TOKEN secret to the create-pull-request safe output.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the Codeowner Update agentic workflow to use an explicit write-capable token when creating pull requests, addressing Git auth failures caused by this org’s default GITHUB_TOKEN being unable to push branches.
Changes:
- Add `github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}` to the `create-pull-request` safe output configuration.
- Regenerate the compiled workflow so the safe-outputs PR-creation path uses `GH_AW_GITHUB_TOKEN` for checkout and git remote authentication.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/codeowner-update.md | Configures the create-pull-request safe output to use GH_AW_GITHUB_TOKEN. |
| .github/workflows/codeowner-update.lock.yml | Compiled workflow updates checkout + git auth to use GH_AW_GITHUB_TOKEN during PR creation. |
| base-branch: staged | ||
| title-prefix: "[codeowner] " | ||
| draft: false | ||
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }} |
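Review bot: the added `github-token` line makes this safe output run with a write-capable secret instead of the job's own GITHUB_TOKEN, so the token the PR description says must carry `contents: write` and `pull-requests: write` should be scoped to exactly this repository and those two permissions; stating that requirement in a comment next to this line would let whoever rotates `GH_AW_GITHUB_TOKEN` see what the workflow depends on without reading the compiled lock file.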
github-token is now required for PR creation, but the workflow doesn’t appear to validate that secrets.GH_AW_GITHUB_TOKEN is set/non-empty. If it’s missing, failures later in the run can be hard to diagnose. Consider adding an explicit validation step (similar to the existing COPILOT_GITHUB_TOKEN validation) to fail fast with a clear message.
| with: | ||
| token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| token: ${{ secrets.GH_AW_GITHUB_TOKEN }} | ||
| persist-credentials: false |
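Review bot: dropping the `|| secrets.GITHUB_TOKEN` fallback matches the PR's premise that the default token cannot push here, and keeping `persist-credentials: false` is the right choice now that the checkout token is a write-capable secret, since it keeps that token out of `.git/config` for later steps; the consequence is that the push step has to pass `GH_AW_GITHUB_TOKEN` explicitly, which the file table says the regenerated workflow does for git remote authentication, so that part of the lock file is worth a second look before merge.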
actions/checkout now uses token: ${{ secrets.GH_AW_GITHUB_TOKEN }} without a fallback. If the secret is missing/empty in a new environment, checkout/push will fail with an auth error. A small fail-fast validation for GH_AW_GITHUB_TOKEN earlier in the workflow would make this easier to troubleshoot.
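A fail-fast check of the kind both review comments above suggest, as an added example that is not part of this PR or of the workflow's own code; the secret name `GH_AW_GITHUB_TOKEN` comes from the PR, the `::error::` annotation is GitHub Actions' workflow command for surfacing a step error, and the `RUN_CHECK` guard is an assumption for stand-alone use:

```shell
#!/bin/sh
# Added example (not part of PR #871): fail-fast check that the secrets an
# agentic workflow needs are present before any checkout or push step runs.
# Only variable names are printed; secret values never reach the job log.

# require_secrets NAME... -> returns 0 when every named env var is set and
# non-empty, otherwise prints one GitHub Actions "::error::" annotation per
# problem and returns 1. Intended for an early workflow step that exposes
# the secret via `env: GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}`.
require_secrets() {
  status=0
  for name in "$@"; do
    # POSIX indirect expansion: fetch the value of the variable named $name
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "::error::required secret $name is not set or empty; add it under repository secrets"
      status=1
    else
      # Common copy/paste mistake: a trailing newline or space in the stored
      # value makes git or API auth fail later with an error that never
      # mentions the secret, which is exactly the hard-to-diagnose case.
      case "$value" in
        *[[:space:]]*)
          echo "::error::secret $name contains whitespace; re-create it without surrounding spaces or newlines"
          status=1 ;;
      esac
    fi
  done
  return "$status"
}

# Stand-alone run (hypothetical RUN_CHECK guard): validate the token the
# create-pull-request safe output depends on and fail the job here rather
# than at git push time.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  require_secrets GH_AW_GITHUB_TOKEN || exit 1
fi
```

In the workflow this would be a `run:` step placed before checkout, invoked as `RUN_CHECK=1 sh check-secrets.sh` with the secret mapped into `env`.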
The `create-pull-request` safe output was failing with: The default GITHUB_TOKEN cannot push branches in this org. This adds `github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}` to the `create-pull-request` safe output so the compiled lock file uses a token with write permissions.

Note: The `GH_AW_GITHUB_TOKEN` secret must be configured in the repo with `contents: write` and `pull-requests: write` permissions.