
Fix: Use token precedence chain for cross-repo create-pull-request and push-to-pull-request-branch checkout #16427

Merged
pelikhan merged 6 commits into main from copilot/fix-cross-repo-token-issue
Feb 17, 2026


Copilot AI commented Feb 17, 2026

Cross-repo create-pull-request and push-to-pull-request-branch operations hardcoded ${{ github.token }} for checkout and git credential steps, ignoring configured PATs. This caused authentication failures since the default GITHUB_TOKEN is scoped to the source repository.

Changes

Replaced hardcoded tokens with precedence chain in:

  • buildSharedPRCheckoutSteps() - consolidated safe-outputs checkout path (supports both create-pull-request and push-to-pull-request-branch)
  • buildCreateOutputPullRequestJob() - legacy create-pull-request job path
  • buildCheckoutRepository() - updated to accept and use custom token for checkout step

Token precedence (aligned with main branch API):

  1. Per-config: create-pull-request.github-token or push-to-pull-request-branch.github-token
  2. Safe-outputs: safe-outputs.github-token
  3. Fallback: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

For the shared checkout path, the precedence is: create-pull-request token > push-to-pull-request-branch token > safe-outputs token > fallback.

Example

Before (hardcoded):

checkoutToken = "${{ github.token }}"
gitRemoteToken = "${{ github.token }}"

After (respects configuration):

var createPRToken string
if data.SafeOutputs.CreatePullRequests != nil {
    createPRToken = data.SafeOutputs.CreatePullRequests.GitHubToken
}
var pushToPRBranchToken string
if data.SafeOutputs.PushToPullRequestBranch != nil {
    pushToPRBranchToken = data.SafeOutputs.PushToPullRequestBranch.GitHubToken
}
var safeOutputsToken string
if data.SafeOutputs != nil {
    safeOutputsToken = data.SafeOutputs.GitHubToken
}
// Choose the first non-empty custom token for precedence
effectiveCustomToken := createPRToken
if effectiveCustomToken == "" {
    effectiveCustomToken = pushToPRBranchToken
}
if effectiveCustomToken == "" {
    effectiveCustomToken = safeOutputsToken
}
// Get effective token (handles fallback to GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)
effectiveToken := getEffectiveSafeOutputGitHubToken(effectiveCustomToken)
checkoutToken = effectiveToken
gitRemoteToken = effectiveToken

Test Coverage

Added test cases for token precedence:

  • Per-config token override (create-pull-request)
  • Per-config token override (push-to-pull-request-branch)
  • Safe-outputs level token
  • Cross-repo with custom token
  • Both operations with create-pr token taking precedence

Original prompt

This section details the original issue you should resolve

<issue_title>Bug: Cross-repo create-pull-request checkout uses hardcoded github.token instead of safe-outputs token</issue_title>
<issue_description>## Summary

When create-pull-request is configured with target-repo and a custom github-token (PAT) in safe-outputs, the compiled safe_outputs job's checkout and git credential steps use the hardcoded ${{ github.token }} instead of the configured token. This causes Not Found errors because the default GITHUB_TOKEN is scoped to the source repository and cannot access the target repository.

This is a remaining bug from #15500, which fixed the repository: and REPO_NAME parameters but did not address the token used for authentication.

Reproduction

Workflow in org/source-repo targeting org/target-repo:

safe-outputs:
  github-token: ${{ secrets.CROSS_REPO_PAT }}
  create-pull-request:
    target-repo: "org/target-repo"
    base-branch: main
    draft: true

Result: The compiled .lock.yml produces:

- name: Checkout repository
  uses: actions/checkout@...
  with:
    repository: org/target-repo    # correct (fixed in github/gh-aw#15500)
    token: ${{ github.token }}     # BUG: ignores safe-outputs github-token
    persist-credentials: false
    fetch-depth: 1

- name: Configure Git credentials
  env:
    REPO_NAME: "org/target-repo"   # correct (fixed in github/gh-aw#15500)
    SERVER_URL: ${{ github.server_url }}
    GIT_TOKEN: ${{ github.token }} # BUG: same hardcoded token

The checkout fails with: Not Found - https://docs.github.com/rest/repos/repos#get-a-repository

Note: The PAT itself is valid — the same token successfully creates issues in the target repo via the create_issue safe-output fallback path, which correctly uses addSafeOutputGitHubTokenForConfig for token resolution.

Root Cause

In pkg/workflow/compiler_safe_outputs_steps.go, the buildSharedPRCheckoutSteps function (consolidated path) hardcodes ${{ github.token }} when GitHub App auth is not configured:

// Line 86-91 (current code)
} else {
    checkoutToken = "${{ github.token }}"
    gitRemoteToken = "${{ github.token }}"
}

This bypasses the token precedence chain that every other safe-output operation respects:

  1. Per-config github-token (e.g., create-pull-request.github-token)
  2. Safe-outputs level github-token
  3. Top-level github-token
  4. ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

The same bug exists in the non-consolidated path in pkg/workflow/create_pull_request.go line 71:

gitToken := "${{ github.token }}"

Proposed Fix

Replace the hardcoded ${{ github.token }} with the existing getEffectiveSafeOutputGitHubToken chain, matching how addSafeOutputGitHubTokenForConfig resolves tokens for all other safe-output operations.

In compiler_safe_outputs_steps.go (buildSharedPRCheckoutSteps):

} else {
    var configToken string
    if data.SafeOutputs.CreatePullRequests != nil {
        configToken = data.SafeOutputs.CreatePullRequests.GitHubToken
    }
    var safeOutputsToken string
    if data.SafeOutputs != nil {
        safeOutputsToken = data.SafeOutputs.GitHubToken
    }
    effectiveToken := getEffectiveSafeOutputGitHubToken(configToken,
        getEffectiveSafeOutputGitHubToken(safeOutputsToken, data.GitHubToken))
    checkoutToken = effectiveToken
    gitRemoteToken = effectiveToken
}

In create_pull_request.go (buildCreateOutputPullRequestJob):

var safeOutputsToken string
if data.SafeOutputs != nil {
    safeOutputsToken = data.SafeOutputs.GitHubToken
}
gitToken := getEffectiveSafeOutputGitHubToken(
    data.SafeOutputs.CreatePullRequests.GitHubToken,
    getEffectiveSafeOutputGitHubToken(safeOutputsToken, data.GitHubToken))

Tests to add/update:

  • Update TestBuildSharedPRCheckoutSteps "create pull request only" case to expect ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} instead of ${{ github.token }}
  • Add cases: cross-repo with safe-outputs.github-token, with per-config token, with top-level token, without any custom token
  • Add integration tests: TestCreatePullRequestCrossRepoWithCustomToken and TestCreatePullRequestCrossRepoWithoutCustomToken
  • Add changeset: patch-fix-cross-repo-checkout-token.md

Environment

  • gh-aw CLI: v0.43.22
  • Compiler output at commit d00dc822f (current main)
  • Verified locally: all unit tests and integration tests pass with the proposed fix

Related

Comments on the Issue (you are @copilot in this section)
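
The precedence described in this PR can be checked against compiled step output. The Go program below is an added example, not code from the gh-aw repository: `tokenConfig`, `resolveToken` and `auditSteps` are hypothetical names, and the step text is a constructed sample modelled on the issue's reproduction.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// fallbackToken is the default expression quoted on this page.
const fallbackToken = "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"

// tokenConfig is a hypothetical stand-in for the three settings the page
// names; it is not the project's SafeOutputsConfig type.
type tokenConfig struct {
	CreatePRToken     string // create-pull-request.github-token
	PushToBranchToken string // push-to-pull-request-branch.github-token
	SafeOutputsToken  string // safe-outputs.github-token
}

// resolveToken returns the first non-empty token in the shared-checkout
// order (create-pr > push-to-pr-branch > safe-outputs), else the fallback.
func resolveToken(c tokenConfig) string {
	for _, t := range []string{c.CreatePRToken, c.PushToBranchToken, c.SafeOutputsToken} {
		if strings.TrimSpace(t) != "" {
			return t
		}
	}
	return fallbackToken
}

// auditSteps scans compiled step text line by line and reports every
// "token:" or "GIT_TOKEN:" value that is not the expected expression.
// It is a line scan, not a YAML parser, which is enough for generated output.
func auditSteps(compiled, want string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(compiled))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, " #"); i >= 0 {
			line = line[:i] // drop trailing YAML comment
		}
		key, val, ok := strings.Cut(strings.TrimSpace(line), ":")
		if !ok || (key != "token" && key != "GIT_TOKEN") {
			continue
		}
		if got := strings.TrimSpace(val); got != want {
			findings = append(findings,
				fmt.Sprintf("line %d: %s is %s, expected %s", n, key, got, want))
		}
	}
	return findings
}

// buggySteps is a constructed sample modelled on the compiled output
// quoted in the issue (target repository set, token still hardcoded).
const buggySteps = `- name: Checkout repository
  uses: actions/checkout@...
  with:
    repository: org/target-repo
    token: ${{ github.token }}     # BUG: ignores safe-outputs github-token
    persist-credentials: false
- name: Configure Git credentials
  env:
    REPO_NAME: "org/target-repo"
    GIT_TOKEN: ${{ github.token }} # BUG: same hardcoded token
`

func main() {
	// Configuration from the issue's reproduction: only safe-outputs.github-token is set.
	cfg := tokenConfig{SafeOutputsToken: "${{ secrets.CROSS_REPO_PAT }}"}
	want := resolveToken(cfg)

	for _, f := range auditSteps(buggySteps, want) {
		fmt.Println("FINDING", f)
	}
	// Substituting the resolved token, as the fix does, clears both findings.
	fixed := strings.ReplaceAll(buggySteps, "${{ github.token }}", want)
	fmt.Println("findings after fix:", len(auditSteps(fixed, want)))
}
```

Checking both `token:` and `GIT_TOKEN:` matters because the review thread on this PR found the two steps resolved independently: fixing the git credential step alone left checkout on the default token.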



Copilot AI and others added 2 commits February 17, 2026 19:49
Replace hardcoded `${{ github.token }}` with proper token precedence chain:
1. Per-config token (create-pull-request.github-token)
2. Safe-outputs token (safe-outputs.github-token)
3. Top-level token (github-token)
4. Default fallback (${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }})

This fixes the bug where cross-repo PRs failed authentication because
the default GITHUB_TOKEN is scoped to the source repo.

Changes:
- pkg/workflow/compiler_safe_outputs_steps.go: Updated buildSharedPRCheckoutSteps
- pkg/workflow/create_pull_request.go: Updated buildCreateOutputPullRequestJob
- pkg/workflow/compiler_safe_outputs_steps_test.go: Updated tests + added test cases

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Extract configToken into a separate variable with nil check for consistency
with buildSharedPRCheckoutSteps pattern, even though CreatePullRequests is
already validated at function start.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix hardcoded github.token in create-pull-request step" to "Fix: Use token precedence chain for cross-repo create-pull-request checkout" Feb 17, 2026
Copilot AI requested a review from pelikhan February 17, 2026 19:59
@pelikhan

@copilot merge main and remove top level github token

Copilot AI and others added 2 commits February 17, 2026 20:29
- Merged origin/main to get latest changes
- Removed "with top-level github-token" test case per user request
- Updated token precedence implementation to match new API:
  - getEffectiveSafeOutputGitHubToken() now takes single parameter
  - Token precedence resolved locally before calling function
  - Removed references to WorkflowData.GitHubToken (no longer exists)
- Pattern: configToken > safeOutputsToken > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 17, 2026

@copilot merge main and remove top level github token

Done. Merged main and removed the top-level github-token test case. The implementation now uses the updated token API from main where getEffectiveSafeOutputGitHubToken() takes a single parameter. Token precedence is: per-config token > safe-outputs token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN.

Commit: 71c7ec4

@pelikhan pelikhan marked this pull request as ready for review February 17, 2026 20:34
Copilot AI review requested due to automatic review settings February 17, 2026 20:34

Copilot AI left a comment


Pull request overview

This PR updates the workflow compiler so cross-repo create-pull-request (and the consolidated safe-outputs PR checkout path) no longer hardcode ${{ github.token }} and instead use the safe-outputs token precedence chain, preventing auth failures when a PAT is configured.

Changes:

  • Updated consolidated safe-outputs shared PR checkout/git-credential steps to use getEffectiveSafeOutputGitHubToken(...)-based precedence.
  • Updated the legacy buildCreateOutputPullRequestJob() path to resolve a token via the same precedence for git remote configuration.
  • Expanded unit coverage for token precedence in shared PR checkout steps and regenerated affected workflow .lock.yml outputs.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| pkg/workflow/create_pull_request.go | Resolves an effective token for git credential configuration in the legacy create-pull-request job. |
| pkg/workflow/compiler_safe_outputs_steps.go | Uses safe-outputs token precedence for consolidated shared PR checkout + git credential steps. |
| pkg/workflow/compiler_safe_outputs_steps_test.go | Adds/updates tests validating token selection in shared PR checkout steps. |
| .github/workflows/workflow-generator.lock.yml | Regenerated locked workflow artifacts (includes safe-outputs tools schema and token fallback updates). |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/unbloat-docs.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/tidy.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/technical-doc-writer.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/smoke-project.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/smoke-claude.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/slide-deck-maintainer.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/refiner.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/q.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/poem-bot.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/mergefest.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/layout-spec-maintainer.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/jsweep.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/issue-monster.lock.yml | Regenerated locked workflow artifacts (includes safe-outputs tools schema and token fallback updates). |
| .github/workflows/instructions-janitor.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/hourly-ci-cleaner.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/go-logger.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/glossary-maintainer.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/github-mcp-tools-report.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/functional-pragmatist.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/dictation-prompt.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/developer-docs-consolidator.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/daily-workflow-updater.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/daily-doc-updater.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/craft.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/code-simplifier.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/code-scanning-fixer.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/cloclo.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/ci-coach.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |
| .github/workflows/changeset.lock.yml | Updates locked checkout/git token usage to the secrets fallback chain. |


Comment on lines 88 to 92
// Precedence: create-pull-request config token > safe-outputs token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
var configToken string
if data.SafeOutputs.CreatePullRequests != nil {
configToken = data.SafeOutputs.CreatePullRequests.GitHubToken
}
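
Review bot: `data.SafeOutputs` is dereferenced on the `if data.SafeOutputs.CreatePullRequests != nil` line without a nil check of its own, so these lines depend on the caller having already ruled out a nil SafeOutputs. Either guard it here (`if data.SafeOutputs != nil && data.SafeOutputs.CreatePullRequests != nil`) or note in the precedence comment that the caller guarantees it.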

Copilot AI Feb 17, 2026


In the shared checkout/token selection, only CreatePullRequests.GitHubToken is considered as the per-config override. This function is also used for push-to-pull-request-branch, so a workflow that sets safe-outputs.push-to-pull-request-branch.github-token (but not create-pull-request) will have that token ignored and fall back to the safe-outputs/global token chain, potentially breaking cross-repo pushes. Consider selecting the first non-empty token from (create-pull-request token, push-to-pull-request-branch token, safe-outputs token) before calling getEffectiveSafeOutputGitHubToken.

Contributor Author


Fixed. buildSharedPRCheckoutSteps now considers both CreatePullRequests.GitHubToken and PushToPullRequestBranch.GitHubToken with precedence: create-pr token > push-to-pr-branch token > safe-outputs token > fallback.

Commit: b044b88

Comment on lines +67 to +71
@@ -68,7 +68,23 @@ func (c *Compiler) buildCreateOutputPullRequestJob(data *WorkflowData, mainJobNa

// Step 3: Configure Git credentials
// Pass the target repo to configure git remote correctly for cross-repo operations
gitToken := "${{ github.token }}"
// Use token precedence chain instead of hardcoded github.token
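
Review bot: The comment on the last line, `// Use token precedence chain instead of hardcoded github.token`, describes the edit rather than the code; once the `gitToken := "${{ github.token }}"` line is gone, "instead of hardcoded github.token" has nothing left to refer to. State the order applied at this step instead, so a reader can tell which token reaches the git remote for a cross-repo target without opening the helper.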

Copilot AI Feb 17, 2026


This change resolves the token used for the git remote configuration step, but the preceding checkout step is still built via buildCheckoutRepository(...), which hardcodes the checkout token to the default safe-outputs fallback (secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN) and does not use the per-config create-pull-request.github-token / safe-outputs.github-token precedence you just computed. For cross-repo PRs where users set create-pull-request.github-token: ${{ secrets.CROSS_REPO_PAT }}, checkout can still fail before git config runs. Consider updating the checkout builder to accept and use the same resolved effective token for actions/checkout when target-repo (or trial mode) is in play.

Contributor Author


Fixed. Updated buildCheckoutRepository() to accept a customToken parameter and pass the resolved token from create_pull_request to the checkout step. The checkout now uses the same token precedence chain as git config.

Commit: b044b88

Comment on lines +225 to +235
{
name: "with safe-outputs github-token",
safeOutputs: &SafeOutputsConfig{
GitHubToken: "${{ secrets.SAFE_OUTPUTS_TOKEN }}",
CreatePullRequests: &CreatePullRequestsConfig{},
},
checkContains: []string{
"token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}",
"GIT_TOKEN: ${{ secrets.SAFE_OUTPUTS_TOKEN }}",
},
},
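
Review bot: The two `checkContains` entries only prove that `${{ secrets.SAFE_OUTPUTS_TOKEN }}` appears in the output; the case would still pass if another generated step kept the default token. Add a negative assertion that `token: ${{ github.token }}` and `GIT_TOKEN: ${{ github.token }}` are absent, since that is the regression this case is meant to catch.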

Copilot AI Feb 17, 2026


TestBuildSharedPRCheckoutSteps adds coverage for create-pull-request token precedence, but there’s no case asserting that push-to-pull-request-branch.github-token is honored when create-pull-request is disabled. Given buildSharedPRCheckoutSteps() is shared between both operations, adding a push-only per-config token test would catch regressions like ignoring PushToPullRequestBranch.GitHubToken.

Contributor Author


Added test coverage for push-to-pull-request-branch token precedence:

  • "push-to-pull-request-branch with per-config token" - validates push-only config token is honored
  • "both operations with create-pr token takes precedence" - validates create-pr token has priority when both are configured

Commit: b044b88

@pelikhan

@copilot review comments

…kout token

1. Support PushToPullRequestBranch.GitHubToken in buildSharedPRCheckoutSteps
   - Token precedence: create-pr token > push-to-pr-branch token > safe-outputs token
   - Prevents token being ignored for cross-repo push operations

2. Fix buildCheckoutRepository to accept and use custom token
   - Added customToken parameter to buildCheckoutRepository()
   - Pass resolved token from create_pull_request to checkout step
   - Fixes issue where checkout used default token even when custom token configured

3. Add test coverage for push-to-pull-request-branch token precedence
   - Test case: push-to-pull-request-branch with per-config token
   - Test case: both operations with create-pr token taking precedence

Addresses review comments #2818977843, #2818977874, #2818977910

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 17, 2026

@copilot review comments

Addressed all review comments:

  1. ✅ Support for push-to-pull-request-branch.github-token in shared checkout steps
  2. ✅ Fixed buildCheckoutRepository() to use custom token for checkout
  3. ✅ Added test coverage for push-to-pr-branch token precedence

All tests pass. Commit: b044b88

Copilot AI changed the title from "Fix: Use token precedence chain for cross-repo create-pull-request checkout" to "Fix: Use token precedence chain for cross-repo create-pull-request and push-to-pull-request-branch checkout" Feb 17, 2026
@pelikhan

@copilot Recompile


Copilot AI commented Feb 17, 2026

@copilot Recompile

Recompile completed successfully. All 155 workflows compiled with no changes to lock files - they were already up to date with the code changes.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan merged commit 8e64064 into main Feb 17, 2026
1 check failed
@pelikhan pelikhan deleted the copilot/fix-cross-repo-token-issue branch February 17, 2026 21:23

Successfully merging this pull request may close these issues.

Bug: Cross-repo create-pull-request checkout uses hardcoded github.token instead of safe-outputs token
