
Fix duplicate GitHub App token step in safe-outputs job#16135

Merged
pelikhan merged 5 commits into main from copilot/fix-app-token-safe-outputs
Feb 16, 2026


Copilot AI commented Feb 16, 2026

Fix duplicate GitHub App token step in safe-outputs job

Root Cause

The bug was in pkg/workflow/compiler_safe_outputs_job.go:

  1. Lines 39-44: Added app token step at the beginning
  2. Lines 244-280: Inserted app token step again (duplicate)
  3. Insertion logic was missing accounting for shared checkout steps

Fix Applied

  • Removed duplicate addition at lines 39-44
  • Fixed insertion logic to position token step correctly (before checkout, after setup/downloads)
  • Added regression test TestGitHubAppWithPushToPRBranch
  • Verified fix with exact issue configuration
  • Address code review feedback
  • Merged main branch
  • Recompiled workflows

Testing

  • Unit test passes (TestGitHubAppWithPushToPRBranch)
  • All safe-outputs tests pass (608ms)
  • Compiled 154 workflows successfully with 0 errors
  • Manual verification with issue configuration
  • Code review complete
  • Merged with main (commits 5878d89, a0065c6)

Changes

Modified files:

  • pkg/workflow/compiler_safe_outputs_job.go: Remove duplicate app token step addition
  • pkg/workflow/compiler_safe_outputs_job_test.go: Add regression test

Key insight: GitHub App token step must be inserted AFTER setup/artifact downloads but BEFORE shared checkout steps, as checkout steps reference steps.safe-outputs-app-token.outputs.token

Original prompt

This section details on the original issue you should resolve

<issue_title>App token for safe-outputs doesn't work</issue_title>
<issue_description>config:

```
cat .github/workflows/update-github-org-variables.md
---
name: Update GitHub Organization Variables
description: Automatically update GitHub organizational variables documentation when locals.tf is edited
on:
  pull_request:
    paths:
      - organization/locals.tf
  skip-bots:
    - actions[bot]

safe-outputs:
  app:
    app-id: ${{ vars.ACTIONS_APP_ID }}
    private-key: ${{ secrets.ACTIONS_PRIVATE_KEY }}
  push-to-pull-request-branch: {}
---
...
```

From my understanding, this should be able to work according to docs

compiler output:

```
gh aw compile
✗ Compiled 1 workflow(s): 1 error(s), 0 warning(s)

✗ Failed workflows:
  ✗ update-github-org-variables.md

.github/workflows/update-github-org-variables.md:1:1: error: failed to generate YAML: failed to build and validate jobs: duplicate step validation failed: compiler bug: duplicate step 'Generate GitHub App token' found in job 'safe_outputs' (positions 0 and 21)
: failed to build and validate jobs: duplicate step validation failed: compiler bug: duplicate step 'Generate GitHub App token' found in job 'safe_outputs' (positions 0 and 21)
✗ compilation failed
gh aw --version
gh aw version v0.45.0
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>



Copilot AI and others added 3 commits February 16, 2026 15:51
- Remove duplicate addition of app token minting step (lines 39-44)
- Fix insertion logic to position token step BEFORE shared checkout steps
- Add regression test TestGitHubAppWithPushToPRBranch
- Fixes compilation error when app and push-to-pull-request-branch are both configured

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix app token issue for safe-outputs" to "Fix duplicate GitHub App token step in safe-outputs job" Feb 16, 2026
Copilot AI requested a review from pelikhan February 16, 2026 15:55
@pelikhan

@copilot merge main and recompile

…-safe-outputs

# Please enter a commit message to explain why this merge is necessary,
# especially if it merges an updated upstream into a topic branch.
#
# Lines starting with '#' will be ignored, and an empty message aborts
# the commit.

Copilot AI commented Feb 16, 2026

> @copilot merge main and recompile

Merged main branch (commits 5878d89, a0065c6) and recompiled all workflows. All 154 workflows compiled successfully. Merge commit: d5eb066

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


pelikhan marked this pull request as ready for review February 16, 2026 16:07
Copilot AI review requested due to automatic review settings February 16, 2026 16:07

Copilot AI left a comment


Pull request overview

This PR fixes a compiler bug where the GitHub App token minting step was duplicated when both app and push-to-pull-request-branch were configured in safe-outputs, causing compilation to fail with "duplicate step 'Generate GitHub App token' found in job 'safe_outputs'".

Changes:

  • Removed duplicate GitHub App token step addition at the beginning of the function
  • Updated comments to clarify the insertion logic and ordering constraints
  • Added comprehensive regression test to prevent future duplication

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/workflow/compiler_safe_outputs_job.go | Removed duplicate app token step addition (lines 39-44 replaced with comment); updated comment at line 242 to clarify insertion happens before checkout steps |
| pkg/workflow/compiler_safe_outputs_job_test.go | Added TestGitHubAppWithPushToPRBranch regression test that validates token step appears exactly once and in correct order |
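
The ordering constraint from the PR description and the "exactly once and in correct order" property checked by the regression test, as an added example that is not gh-aw's compiler code. `Step`, `Sample`, `InsertBeforeFirstUse` and `Validate` are hypothetical, and every step name except the token step's is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Step is a simplified, hypothetical model of one compiled workflow step.
type Step struct{ ID, Name, Body string }

var Token = Step{ID: "safe-outputs-app-token", Name: "Generate GitHub App token"} // id and name as quoted in this PR
var stepRef = regexp.MustCompile(`steps\.([A-Za-z0-9_-]+)\.outputs\.`)

// Sample is a constructed job: setup and download first, then a token-using checkout.
func Sample() []Step {
	return []Step{{Name: "Setup scripts"}, {Name: "Download agent output"},
		{Name: "Checkout", Body: "token: ${{ steps.safe-outputs-app-token.outputs.token }}"},
		{Name: "Push to pull request branch"}}
}

// InsertBeforeFirstUse puts tok before the first step reading its outputs, else last.
func InsertBeforeFirstUse(steps []Step, tok Step) []Step {
	at := len(steps)
	for i := len(steps) - 1; i >= 0; i-- {
		if strings.Contains(steps[i].Body, "steps."+tok.ID+".outputs.") {
			at = i
		}
	}
	return append(append(append([]Step{}, steps[:at]...), tok), steps[at:]...)
}

// Validate rejects repeated step names and reads of steps.<id>.outputs before that id has run.
func Validate(steps []Step) error {
	pos, ran := map[string]int{}, map[string]bool{}
	for i, s := range steps {
		if j, dup := pos[s.Name]; dup {
			return fmt.Errorf("duplicate step %q (positions %d and %d)", s.Name, j, i)
		}
		pos[s.Name] = i
		for _, m := range stepRef.FindAllStringSubmatch(s.Body, -1) {
			if !ran[m[1]] {
				return fmt.Errorf("step %q reads steps.%s.outputs before it runs", s.Name, m[1])
			}
		}
		ran[s.ID] = true
	}
	return nil
}
func main() { fmt.Println(Validate(InsertBeforeFirstUse(Sample(), Token))) }
```

Prepending the token step and then inserting it again reproduces the duplicate-step error shape from the issue, while appending it after the checkout fails the ordering check instead.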


pelikhan merged commit 2c2bbb3 into main Feb 16, 2026
92 checks passed
pelikhan deleted the copilot/fix-app-token-safe-outputs branch February 16, 2026 16:12
Development

Successfully merging this pull request may close these issues.

App token for safe-outputs doesn't work
