
Support org-wide GitHub App tokens via wildcard repositories#16430

Merged
pelikhan merged 3 commits into main from copilot/add-org-wide-github-app-token on Feb 17, 2026

Conversation

Copilot AI commented Feb 17, 2026

Support for org-wide GitHub App tokens

This PR implements support for organization-wide GitHub App tokens by allowing users to specify "*" in the repositories field.

Implementation Plan

  • Explore current implementation in pkg/workflow/safe_outputs_app.go
  • Understand configuration schema and frontmatter usage
  • Update buildGitHubAppTokenMintStep() to handle "*" wildcard
  • Add unit tests for org-wide token configuration (safe-outputs)
  • Add unit tests for org-wide token configuration (GitHub MCP)
  • Test with example workflows to verify behavior
  • Run validation checks (fmt, test)
  • Code review and security scan
  • Update documentation

Changes Made

Core Changes:

  • Modified pkg/workflow/safe_outputs_app.go to detect repositories: ["*"] and omit the repositories field from the generated GitHub Action step, enabling org-wide access
  • Preserved existing behavior: when repositories is not specified, it defaults to the current repository

Test Coverage:

  • Added TestSafeOutputsAppTokenOrgWide to verify org-wide token generation for safe-outputs
  • Added TestGitHubMCPAppTokenOrgWide to verify org-wide token generation for GitHub MCP server
  • All existing tests continue to pass (15 tests total)

Documentation:

  • Updated docs/src/content/docs/reference/safe-outputs.md with repository scoping options
  • Updated docs/src/content/docs/reference/tools.md with repository scoping options
  • Updated docs/src/content/docs/reference/frontmatter-full.md with accurate descriptions
  • Added org-wide example to docs/src/content/docs/patterns/multirepoops.md

Usage Examples

Org-wide access (NEW):

safe-outputs:
  app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    repositories:
      - "*"

Generated action step omits the repositories field for org-wide access.

Current repository (default):

safe-outputs:
  app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

Generated action step includes: repositories: ${{ github.event.repository.name }}

Specific repositories:

safe-outputs:
  app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    repositories:
      - "repo1"
      - "repo2"

Generated action step includes: repositories: repo1,repo2

Security Summary

✅ No security vulnerabilities detected by CodeQL
✅ No issues found in code review
✅ All tests passing

Original prompt

This section details the original issue you should resolve

<issue_title>Support for org-wide GitHub App tokens</issue_title>
<issue_description>Hi folks,

I have some agentic workflows that benefit from looking up information across my organization. I would love to be able to create a GitHub App token valid for all repos in an organization, but the current safe_outputs_app.go doesn't support that form; it always supplies a repositories field.

Is this an intentional omission, or would you be open to a PR to support this? I've been having a great time experimenting with Agentic Workflows lately, so I'd be very happy to provide a Copilot PR to implement this.

Thanks for your time!</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan /scout expand this bug report and provide more details. @pelikhan Add support for * to allow all repositories. Keep current behavior of locking down to current repositories when omitted.


Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for org-wide GitHub App tokens" to "Support org-wide GitHub App tokens via wildcard repositories" on Feb 17, 2026
Copilot AI requested a review from pelikhan February 17, 2026 20:05
@pelikhan
@copilot update docs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Feb 17, 2026

@copilot update docs

Documentation updated in commit 25ad2f6. Added repository scoping options to:

  • reference/safe-outputs.md - Safe outputs GitHub App configuration
  • reference/tools.md - GitHub MCP server authentication
  • reference/frontmatter-full.md - Complete schema reference
  • patterns/multirepoops.md - Multi-repo operations pattern with org-wide example

All docs now document the three scoping modes:

  • repositories: ["*"] for org-wide access
  • repositories: ["repo1", "repo2"] for specific repos
  • Omit field for current repo only (default)

@pelikhan pelikhan marked this pull request as ready for review February 17, 2026 20:34
Copilot AI review requested due to automatic review settings February 17, 2026 20:34
@pelikhan pelikhan merged commit 4791ab2 into main Feb 17, 2026
90 checks passed
@pelikhan pelikhan deleted the copilot/add-org-wide-github-app-token branch February 17, 2026 20:34
Copilot AI left a comment


Pull request overview

Adds support for organization-wide GitHub App installation tokens by allowing repositories: ["*"] in config, which compiles to an actions/create-github-app-token step that omits the repositories input (enabling org-wide access in the installation).

Changes:

  • Update GitHub App token step generation to treat repositories: ["*"] as a special case and omit the repositories field.
  • Add unit tests covering org-wide token behavior for both safe-outputs and the GitHub MCP tool.
  • Update reference docs and multi-repo patterns to document the three repository-scoping modes.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

  • pkg/workflow/safe_outputs_app.go: implements wildcard handling by omitting repositories when configured as ["*"].
  • pkg/workflow/safe_outputs_app_test.go: adds a test ensuring wildcard config results in no repositories: emitted for safe-outputs token minting.
  • pkg/workflow/github_mcp_app_token_test.go: adds a test ensuring wildcard config results in no repositories: emitted for GitHub MCP token minting.
  • docs/src/content/docs/reference/tools.md: documents repositories scoping options for the GitHub tool's app token config.
  • docs/src/content/docs/reference/safe-outputs.md: documents repositories scoping options for safe-outputs app config.
  • docs/src/content/docs/reference/frontmatter-full.md: updates schema documentation to reflect the three supported repository scoping modes.
  • docs/src/content/docs/patterns/multirepoops.md: adds an org-wide GitHub App token example for multi-repo operations.


Comment on lines +143 to +147
// - If repositories is specified with values, use those specific repos
// - If repositories is empty/not specified, default to current repository
if len(app.Repositories) == 1 && app.Repositories[0] == "*" {
// Org-wide access: omit repositories field entirely
safeOutputsAppLog.Print("Using org-wide GitHub App token (repositories: *)")
Copilot AI Feb 17, 2026


repositories treats "*" specially only when it is the sole entry. If a user configures repositories: ["*", "repo1"], this will currently emit repositories: *,repo1 which is unlikely to be accepted by actions/create-github-app-token and won't produce org-wide access. Consider validating that "*" cannot be combined with other repository names (return a clear error) to avoid generating an invalid workflow.

Suggested change
// - If repositories is specified with values, use those specific repos
// - If repositories is empty/not specified, default to current repository
if len(app.Repositories) == 1 && app.Repositories[0] == "*" {
// Org-wide access: omit repositories field entirely
safeOutputsAppLog.Print("Using org-wide GitHub App token (repositories: *)")
// - If repositories contains "*" along with other entries, treat this as invalid,
// log a clear message, and fall back to org-wide access (omit the field)
// - If repositories is specified with values (and does not contain "*"), use those specific repos
// - If repositories is empty/not specified, default to current repository
hasStar := false
for _, r := range app.Repositories {
if r == "*" {
hasStar = true
break
}
}
if hasStar {
if len(app.Repositories) == 1 {
// Org-wide access: omit repositories field entirely
safeOutputsAppLog.Print("Using org-wide GitHub App token (repositories: *)")
} else {
// Invalid configuration: "*" combined with other repositories
safeOutputsAppLog.Print("Invalid GitHub App repositories configuration: '*' cannot be combined with other repositories; using org-wide access instead")
}
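Review bot: the suggested change contradicts the comment it belongs to and fails in the wrong direction. The comment asks for a clear error when "*" is combined with other repository names, but the `else` branch only logs "Invalid GitHub App repositories configuration ... using org-wide access instead" and then omits the `repositories` field, so a mistyped list such as `["*", "repo1"]` compiles silently into an org-wide installation token. For a credential scope the safe failure is to refuse to compile: have `buildGitHubAppTokenMintStep()` return an error in that branch and let the CLI surface it, rather than widening access beyond what the listed repositories asked for. Minor: the `hasStar` loop can be replaced by `slices.Contains(app.Repositories, "*")`.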

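The scoping decision described in the PR description (three modes: omitted field, explicit list, `["*"]`) and the mixed-list edge case raised in the review comment, as a stand-alone Go example. This is added here and is not the project's code or the output of this PR: the names `AppTokenInputs`, `RenderStep` and `Scope` are invented, the input expressions are copied from the usage examples above, and for `["*", "repo1"]` it returns an error instead of emitting `*,repo1` or widening to org-wide. The `owner` input on the org-wide branch is likewise my addition: the actions/create-github-app-token README scopes an omitted `repositories` to the whole installation only when `owner` is set, and the page does not show whether the compiler sets `owner`.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Scope is how the minted installation token is bounded.
type Scope int

const (
	ScopeCurrentRepo Scope = iota // repositories omitted or empty: current repository only
	ScopeListed                   // explicit list of bare repository names
	ScopeOrgWide                  // ["*"]: repositories input omitted, whole installation
)

func (s Scope) String() string {
	return []string{"current-repo", "listed", "org-wide"}[s]
}

// ErrMixedWildcard rejects ["*", "repo1"]: "*,repo1" is not a repository name, and
// silently widening to org-wide would hand the agent more access than it asked for.
var ErrMixedWildcard = errors.New(`app.repositories: "*" cannot be combined with other repository names`)

// repoName accepts what GitHub allows in a repository name, without an owner prefix
// (the action's `repositories` input takes names, not owner/name).
var repoName = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// AppTokenInputs computes the `with:` inputs of an actions/create-github-app-token
// step from the frontmatter `repositories` list. currentRepoExpr is the expression
// used for the default scope (the PR emits ${{ github.event.repository.name }}).
func AppTokenInputs(repos []string, currentRepoExpr string) (map[string]string, Scope, error) {
	with := map[string]string{
		"app-id":      "${{ vars.APP_ID }}",
		"private-key": "${{ secrets.APP_PRIVATE_KEY }}",
	}
	hasStar := false
	var names []string
	for _, r := range repos {
		r = strings.TrimSpace(r)
		switch {
		case r == "":
			continue
		case r == "*":
			hasStar = true
		case !repoName.MatchString(r):
			return nil, 0, fmt.Errorf("app.repositories: %q is not a bare repository name", r)
		default:
			names = append(names, r)
		}
	}
	switch {
	case hasStar && len(names) > 0:
		return nil, 0, ErrMixedWildcard // fail closed, never fall back to org-wide
	case hasStar:
		// Org-wide: omit `repositories`. Assumption (see lead-in): set `owner` explicitly,
		// since the action scopes an omitted `repositories` to the installation only then.
		with["owner"] = "${{ github.repository_owner }}"
		return with, ScopeOrgWide, nil
	case len(names) == 0:
		with["repositories"] = currentRepoExpr
		return with, ScopeCurrentRepo, nil
	default:
		with["repositories"] = strings.Join(names, ",")
		return with, ScopeListed, nil
	}
}

// RenderStep prints the step as YAML with inputs in a stable order so compiled
// workflows diff cleanly.
func RenderStep(with map[string]string) string {
	keys := make([]string, 0, len(with))
	for k := range with {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("- name: Mint GitHub App token\n  id: app-token\n  uses: actions/create-github-app-token@v2\n  with:\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "    %s: %s\n", k, with[k])
	}
	return b.String()
}

func main() {
	// Constructed sample configurations: the three documented modes plus the invalid mix.
	for _, cfg := range [][]string{nil, {"repo1", "repo2"}, {"*"}, {"*", "repo1"}} {
		with, scope, err := AppTokenInputs(cfg, "${{ github.event.repository.name }}")
		if err != nil {
			fmt.Printf("%v -> error: %v\n", cfg, err)
			continue
		}
		fmt.Printf("%v -> %s\n%s", cfg, scope, RenderStep(with))
	}
}
```

`go run` prints one rendered step per valid mode and a compile-time error for the mixed list; wiring the error into the compiler's exit status is what turns a misconfiguration into a refused workflow instead of a broader token.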

Successfully merging this pull request may close these issues.

Support for org-wide GitHub App tokens