Add configuration for activation GitHub token #19427
…s and status comments Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ithub-app Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in f55d268. The reaction step is now in the activation job alongside the status comment step. Key changes:
Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
@copilot enable status-comment on smoke-copilot
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in 0e5f738. Added
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Commit pushed:
Smoke Test Results (run §22653237411)
Overall:
Smoke test code review for PR #19427. The reaction step relocation to the activation job is a clean improvement — it consolidates token usage and simplifies the pre-activation job permissions. The resolveActivationToken priority chain is well-structured. Minor suggestion: add a runtime debug log in resolveActivationToken to ease future troubleshooting.
📰 BREAKING: Report filed by Smoke Copilot
| sparse-checkout-cone-mode: true | ||
| fetch-depth: 1 | ||
| persist-credentials: false | ||
| - name: Add eyes reaction for immediate feedback |
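Review bot: the `Add eyes reaction for immediate feedback` step now runs after a checkout with `persist-credentials: false`, so it cannot fall back on a persisted git credential; the hunk only shows the step name, so please confirm the step is handed the resolved activation token explicitly (its `github-token` input or equivalent) rather than an implicit default, otherwise a configured `on.github-token` / `on.github-app` would silently not be used for the reaction.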
The reaction step has been moved here from the pre-activation job, which is a good improvement — it now fires earlier in the workflow execution before heavy activation checks, giving users faster visual feedback on their issues/PRs.
| return "${{ steps.activation-app-token.outputs.token }}" | ||
| } | ||
| if data.ActivationGitHubToken != "" { | ||
| return data.ActivationGitHubToken |
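Review bot: `return data.ActivationGitHubToken` emits the user-supplied `on.github-token` value verbatim into the compiled lock file, so a literal token pasted into frontmatter would be committed in plaintext. Validate at extraction time that the value is an Actions expression (starts with `${{` and references `secrets.`) and fail compilation otherwise; the same check belongs on `github-app.private-key`.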
The resolveActivationToken priority chain (App token → custom token → GITHUB_TOKEN) is clean. The comment clarifying that callers must ensure buildActivationAppTokenMintStep was called first is helpful — consider also adding a runtime assertion or debug log to catch misconfiguration early.
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
@copilot do a deep code review of the updates make sure all looks good
Smoke Test Results — Run §22653237386
Overall: PARTIAL (2 skipped, all others ✅)
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
Deep review complete — all tests pass, lint is clean, no CodeQL findings. Key findings:
One intentional asymmetry worth noting: the reaction step always emits
Pull request overview
Adds support for configuring a dedicated GitHub credential (custom token or GitHub App) for the activation job so both reactions and status comments use the same auth, and moves the reaction step into the activation job.
Changes:
- Added `on.github-token` and `on.github-app` to the workflow schema and frontmatter extraction, wiring them into compilation.
- Moved the reaction step (and related permissions) from pre-activation to activation; added activation-token resolution + optional GitHub App token minting.
- Updated YAML emission to comment/filter the new `on:` fields, and refreshed lockfiles/tests to reflect the new job structure.
Reviewed changes
Copilot reviewed 44 out of 44 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| pkg/workflow/task_and_reaction_permissions_test.go | Updates permission/reaction assertions to reflect reaction now living in activation job |
| pkg/workflow/safe_outputs_app.go | Adds activation token mint step builder + token resolution helper |
| pkg/workflow/role_checks.go | Extracts on.github-token / on.github-app into workflow data |
| pkg/workflow/reaction_none_test.go | Updates reaction/permission expectations for activation vs pre-activation jobs |
| pkg/workflow/frontmatter_extraction_yaml.go | Comments out github-token / github-app (including nested fields) in emitted on: YAML |
| pkg/workflow/compiler_types.go | Adds workflow data fields for activation GitHub token/app config |
| pkg/workflow/compiler_safe_outputs.go | Filters github-token / github-app out of “other events” when regenerating on: |
| pkg/workflow/compiler_pre_activation_job.go | Removes reaction step and reaction-related permissions from pre-activation job |
| pkg/workflow/compiler_orchestrator_workflow.go | Wires activation token/app extraction into orchestrator configuration extraction |
| pkg/workflow/compiler_activation_jobs_test.go | Updates tests to assert reaction removed from pre-activation and present in activation |
| pkg/workflow/compiler_activation_job.go | Adds app-token minting + reaction step to activation job; ensures permissions cover reaction/comments |
| pkg/workflow/activation_github_token_test.go | New unit/integration-style tests for extraction + compilation behavior of activation token/app |
| pkg/parser/schemas/main_workflow_schema.json | Adds schema for on.github-token and on.github-app fields |
| .github/workflows/workflow-generator.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/unbloat-docs.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/tidy.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerated lockfile reflecting activation job permission needs |
| .github/workflows/smoke-test-tools.lock.yml | Regenerated lockfile reflecting activation job permission needs |
| .github/workflows/smoke-temporary-id.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-project.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-multi-pr.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-gemini.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Regenerated lockfile reflecting activation job permission needs |
| .github/workflows/smoke-copilot.md | Adds on.github-token to exercise new feature end-to-end |
| .github/workflows/smoke-copilot.lock.yml | Regenerated lockfile showing configured token used for both reaction and status comment |
| .github/workflows/smoke-copilot-arm.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-codex.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-claude.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/smoke-agent.lock.yml | Regenerated lockfile reflecting activation job permission needs |
| .github/workflows/security-review.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/scout.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/q.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/poem-bot.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/plan.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/pdf-summary.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/mergefest.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/grumpy-reviewer.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/craft.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/cloclo.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/changeset.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/brave.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .github/workflows/archie.lock.yml | Regenerated lockfile reflecting reaction now in activation job |
| .changeset/patch-activation-github-token-config.md | Adds changeset entry documenting the patch feature |
Comments suppressed due to low confidence (1)
pkg/parser/schemas/main_workflow_schema.json:1456
- Schema docs for `on.github-token` still say it is used for “pre-activation reactions”, but reactions were moved into the activation job in this PR. Update the description to avoid misleading users about where the token is used.
| "github-app": { | ||
| "type": "object", | ||
| "description": "GitHub App configuration for minting a token used in pre-activation reactions and activation status comments. When configured, a GitHub App installation access token is minted and used instead of the default GITHUB_TOKEN.", | ||
| "properties": { |
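Review bot: the `description` for `github-app` should also state that `private-key` must be a `${{ secrets.* }}` reference and never a literal PEM, because the configured value is copied into the generated lock file; a one-line note here (and a `pattern` constraint on the `private-key` property, if the schema already uses patterns elsewhere) heads off the most likely misuse.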
Schema docs for on.github-app mention “pre-activation reactions”, but reactions now run in the activation job. Adjust the description so it reflects the current behavior and doesn’t imply a pre-activation job dependency.
This issue also appears on line 1453 of the same file.
| // extractActivationGitHubToken extracts the 'github-token' field from the 'on:' section of frontmatter. | ||
| // This token is used for pre-activation reactions and activation status comments. | ||
| func (c *Compiler) extractActivationGitHubToken(frontmatter map[string]any) string { |
The comment on extractActivationGitHubToken says the token is used for “pre-activation reactions”, but reactions are now emitted in the activation job. Update the comment to match the current job placement (activation reactions + activation status comments).
| // buildActivationAppTokenMintStep generates the step to mint a GitHub App installation access token | ||
| // for use in the pre-activation (reaction) and activation (status comment) jobs. | ||
| func (c *Compiler) buildActivationAppTokenMintStep(app *GitHubAppConfig, permissions *Permissions) []string { |
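Review bot: `buildActivationAppTokenMintStep(app *GitHubAppConfig, permissions *Permissions)` receives the job's `Permissions`; confirm the installation token is minted with only what the reaction and status-comment steps need (write on issues, pull requests and discussions for reactions/comments) rather than mirroring every permission the activation job holds, so the App token stays least-privilege, and spell that mapping out in the doc comment.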
buildActivationAppTokenMintStep comment says the minted token is used in “pre-activation (reaction) and activation (status comment) jobs”, but reactions are now generated in the activation job. Update the comment so it matches current behavior and avoids implying the pre-activation job uses this token.
| // Default to current repository | ||
| steps = append(steps, " repositories: ${{ github.event.repository.name }}\n") | ||
buildActivationAppTokenMintStep always sets repositories to the current repository (${{ github.event.repository.name }}), ignoring app.Repositories parsed from on.github-app.repositories. This makes the new repositories field in the schema ineffective (and prevents repositories: ['*'] org-wide installs). Consider reusing the repository-selection logic from buildGitHubAppTokenMintStep (single repo, multi repo block scalar, * => omit field, default current repo).
| // Check if we're entering github-app object | ||
| if !inPullRequest && !inIssues && !inDiscussion && !inIssueComment && !inGitHubApp { | ||
| // Check both uncommented and commented forms | ||
| if (strings.HasPrefix(trimmedLine, "github-app:") && trimmedLine == "github-app:") || | ||
| (strings.HasPrefix(trimmedLine, "# github-app:") && strings.Contains(trimmedLine, "pre-activation job")) { | ||
| inGitHubApp = true | ||
| } |
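Review bot: in the uncommented branch, `strings.HasPrefix(trimmedLine, "github-app:") && trimmedLine == "github-app:"` is redundant since the equality test alone implies the prefix. In the commented branch, keying on `strings.Contains(trimmedLine, "pre-activation job")` ties the parser to the wording of a comment this same PR rewrites; match on `strings.HasPrefix(trimmedLine, "# github-app:")` alone and add a test that a hand-commented `# github-app:` block still gets its nested `app-id` / `private-key` lines commented out.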
The inGitHubApp detection for an already-commented # github-app: line is keyed on strings.Contains(..., "pre-activation job"), but the comment reason added for github-app mentions “activation” (and users may also comment github-app themselves). This prevents nested app-id / private-key / etc lines from being commented out when the parent is already commented, leaving confusing partially-commented YAML. Detect # github-app: regardless of the comment text (or match the new comment reason).
Documents the new `on.github-token` and `on.github-app` fields added in #19427 that allow configuring a custom GitHub token or GitHub App for the activation job's reactions and status comments.
- frontmatter.md: mention the two new on: fields in the Trigger Events section
- triggers.md: add dedicated "Activation Token" reference section with examples
- frontmatter-full.md: add github-token and github-app entries to the on: block
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds support for configuring a custom GitHub token or GitHub App in the `on:` section of workflow frontmatter. The token is used in the activation job for both reactions and status comments.

New fields

Changes

- `main_workflow_schema.json`: added `github-token` (string) and `github-app` (object with `app-id`, `private-key`, `owner`, `repositories`) to the `on:` object
- `role_checks.go`: `extractActivationGitHubToken` / `extractActivationGitHubApp` pull the new fields from the `on:` map; wired into the orchestrator alongside `extractRoles` / `extractBots`
- `compiler_activation_job.go`: the reaction step is now in the activation job alongside the status comment step, so both use the same configured token. A single `Generate GitHub App token for activation` step (id: `activation-app-token`) is minted once before both steps when `on.github-app` is set.
- `compiler_pre_activation_job.go`: removed the reaction step and the `issues` / `pull-requests` / `discussions: write` permissions that were there solely for reactions
- `safe_outputs_app.go`: `buildActivationAppTokenMintStep` and `resolveActivationToken` encapsulate token-minting and resolution logic (app token → custom token → `GITHUB_TOKEN`)
- `compiler_safe_outputs.go`, `frontmatter_extraction_yaml.go`: `github-token` and `github-app` are filtered/commented out from the emitted `on:` block, matching the treatment of `reaction`, `stop-after`, etc.
- `.github/workflows/smoke-copilot.md`: added `github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}` to exercise the new feature end-to-end; the compiled lock file now uses this token for both the reaction and status-comment steps in the activation job
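The app token → custom token → `GITHUB_TOKEN` chain described above, as an added illustrative Go example (not the project's own `resolveActivationToken`), extended with a check that refuses literal token values because the resolved string is written into the committed lock file. The `ActivationConfig` type, `ResolveActivationToken` function and `secretExpr` pattern are hypothetical names chosen for this example; the step id `activation-app-token` is the one the PR uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ActivationConfig mirrors the on.github-token / on.github-app fields described
// in the PR. The type and field names are illustrative, not the project's own.
type ActivationConfig struct {
	GitHubToken string // on.github-token
	AppID       string // on.github-app.app-id
	PrivateKey  string // on.github-app.private-key
}

// appTokenStepID is the step id the PR uses for the minted App token.
const appTokenStepID = "activation-app-token"

// secretExpr accepts only an Actions expression made of secrets references,
// e.g. ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}.
var secretExpr = regexp.MustCompile(
	`^\$\{\{\s*secrets\.[A-Za-z0-9_]+(\s*\|\|\s*secrets\.[A-Za-z0-9_]+)*\s*\}\}$`)

// ResolveActivationToken applies the chain app token -> custom token -> GITHUB_TOKEN.
// appStepEmitted must be true only if the mint step was written earlier in the job,
// otherwise the returned expression would reference a step that does not exist.
// Any user-supplied value that is not a secrets expression is rejected because the
// resolved string is written verbatim into the committed lock file.
func ResolveActivationToken(cfg ActivationConfig, appStepEmitted bool) (string, error) {
	if cfg.AppID != "" || cfg.PrivateKey != "" {
		if !appStepEmitted {
			return "", fmt.Errorf("github-app configured but step %q was not emitted first", appTokenStepID)
		}
		if !secretExpr.MatchString(cfg.PrivateKey) {
			return "", fmt.Errorf("github-app.private-key must be a ${{ secrets.* }} expression")
		}
		return fmt.Sprintf("${{ steps.%s.outputs.token }}", appTokenStepID), nil
	}
	if tok := strings.TrimSpace(cfg.GitHubToken); tok != "" {
		if !secretExpr.MatchString(tok) {
			return "", fmt.Errorf("github-token must be a ${{ secrets.* }} expression, got %q", tok)
		}
		return tok, nil
	}
	return "${{ secrets.GITHUB_TOKEN }}", nil
}

func main() {
	// Constructed sample: the value smoke-copilot.md uses in this PR.
	tok, err := ResolveActivationToken(ActivationConfig{
		GitHubToken: "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"}, false)
	fmt.Println(tok, err)
}
```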
Changeset
on:.
Warning
The following domain was blocked by the firewall during workflow execution:
github.com
To allow these domains, add them to the `network.allowed` list in your workflow frontmatter. See Network Configuration for more information.
✨ PR Review Safe Output Test - Run 22653237386