Scope gh-aw workflow secrets to GITHUB_TOKEN #1475
Merged
Add explicit github-token entries under tools.github and safe-outputs in
.github/workflows/java-interop-reviewer.md so the compiled lock file no
longer references the gh-aw fallback secret names GH_AW_GITHUB_TOKEN and
GH_AW_GITHUB_MCP_SERVER_TOKEN.
These names appear in the lock file purely as fallback chain entries that
are never set in this repo. A secret-audit report flags secrets by name reference
in the YAML, so suppressing them satisfies the audit with no behavior change.
Before/after of the 'Secrets used:' header in the lock file:
Before: COPILOT_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN,
GH_AW_GITHUB_TOKEN, GITHUB_TOKEN
After: COPILOT_GITHUB_TOKEN, GITHUB_TOKEN
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Scopes gh-aw workflow token configuration explicitly to GITHUB_TOKEN so the compiled lock workflow no longer references the unused fallback secret names (GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN). This aligns with the repo’s actual runtime behavior while satisfying secret-audit tooling that flags secret name references.
Changes:
- Added explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` configuration under `tools.github` and `safe-outputs` in the gh-aw source workflow (.md).
- Regenerated the compiled workflow (`.lock.yml`) so all token usages and the "Secrets used" manifest drop the `GH_AW_*` fallback names and reference only `GITHUB_TOKEN` (plus `COPILOT_GITHUB_TOKEN`).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/java-interop-reviewer.md | Adds explicit github-token entries so gh-aw compilation doesn't emit fallback secret name chains. |
| .github/workflows/java-interop-reviewer.lock.yml | Regenerated output removing GH_AW_* secret-name references and using only secrets.GITHUB_TOKEN where applicable. |
simonrozsival approved these changes on Jun 17, 2026.
jonathanpeppers added a commit to dotnet/android-tools that referenced this pull request on Jun 17, 2026:
Add explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` under both
`tools.github` and `safe-outputs` in the gh-aw frontmatter. This
eliminates `GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`
from the compiled lock file's `Secrets used:` block, which a repo
secret-audit was flagging by name reference.
Matches the change merged in dotnet/java-interop#1475 and dotnet/android
(same gh-aw compiler version v0.79.8).
Recompiled with `gh aw compile` (0 errors, 0 warnings).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds explicit `github-token` entries under `tools.github` and `safe-outputs` in `.github/workflows/java-interop-reviewer.md` so the compiled lock file no longer references the gh-aw fallback secret names `GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`.

Why

A secret-audit report flags secrets by name reference in workflow YAML. The two `GH_AW_*` names appear in the lock file purely as optional fallback chain entries that are never set in this repo, but the audit doesn't know that — it sees the name. Suppressing them satisfies the audit with no behavior change: `GITHUB_TOKEN` is the actual token used in both cases, before and after.

Before / after

`Secrets used:` block at the top of `.github/workflows/java-interop-reviewer.lock.yml`:

Before: COPILOT_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, GH_AW_GITHUB_TOKEN, GITHUB_TOKEN
After: COPILOT_GITHUB_TOKEN, GITHUB_TOKEN

Both `GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN` are fully removed from the lock file (verified by grepping the full body, not just the comment header).

Changes

- `.github/workflows/java-interop-reviewer.md` — two `github-token: ${{ secrets.GITHUB_TOKEN }}` lines added (one under `tools.github`, one under `safe-outputs`).
- `.github/workflows/java-interop-reviewer.lock.yml` — regenerated via `gh aw compile` (v0.79.8). Zero errors, zero warnings.

Same fix that just landed in dotnet/android for its two gh-aw workflows.
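The verification the description mentions (grepping the whole lock file body rather than trusting the `Secrets used:` header) can be turned into a repeatable check. The script below is an added example, not code from this PR or from gh-aw: it lists every `secrets.NAME` reference in a compiled lock file, fails if any name outside an allowlist appears, and fails if specific unwanted names appear anywhere, header or body. The two sample lock-file excerpts are constructed for the demo; their header layout and the `||` fallback chain are assumptions about how gh-aw emits them, not copied from the real `java-interop-reviewer.lock.yml`.

```shell
#!/bin/sh
# Added example, not code from the PR or from gh-aw: audit a compiled gh-aw
# lock file for secret-name references, grepping the whole body rather than
# only the "Secrets used:" comment header.

# List every secret referenced as ${{ secrets.NAME }} anywhere in the file,
# one per line, sorted and de-duplicated. This also catches fallback chains
# such as `secrets.A || secrets.B` that a header comment might omit.
list_referenced_secrets() {
  grep -o 'secrets\.[A-Za-z0-9_]*' "$1" | sed 's/^secrets\.//' | sort -u
}

# Return 0 if none of the given secret names appears anywhere in the file
# (header or body), 1 otherwise; each offending name is reported on stderr.
check_no_fallback_secrets() {
  file="$1"
  shift
  found=0
  for name in "$@"; do
    if grep -q -- "$name" "$file"; then
      echo "disallowed secret reference: $name in $file" >&2
      found=1
    fi
  done
  return $found
}

# Return 0 if every referenced secret is in the allowlist passed as the
# remaining arguments, 1 otherwise.
check_only_allowed_secrets() {
  file="$1"
  shift
  allowed=" $* "
  bad=0
  for s in $(list_referenced_secrets "$file"); do
    case "$allowed" in
      *" $s "*) ;;
      *) echo "unexpected secret reference: $s in $file" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample excerpts standing in for the before/after state described
# in the PR. Header layout and the `||` fallback chain are assumptions.
DEMO_DIR=$(mktemp -d)
BEFORE_FILE="$DEMO_DIR/before.lock.yml"
AFTER_FILE="$DEMO_DIR/after.lock.yml"

cat > "$BEFORE_FILE" <<'EOF'
# Secrets used:
#   - COPILOT_GITHUB_TOKEN
#   - GH_AW_GITHUB_MCP_SERVER_TOKEN
#   - GH_AW_GITHUB_TOKEN
#   - GITHUB_TOKEN
env:
  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
EOF

cat > "$AFTER_FILE" <<'EOF'
# Secrets used:
#   - COPILOT_GITHUB_TOKEN
#   - GITHUB_TOKEN
env:
  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF

# Stand-alone run: show what each sample references and whether it passes the
# allowlist the PR ends up with (COPILOT_GITHUB_TOKEN and GITHUB_TOKEN only).
for f in "$BEFORE_FILE" "$AFTER_FILE"; do
  echo "== $f references: $(list_referenced_secrets "$f" | tr '\n' ' ')"
  if check_only_allowed_secrets "$f" COPILOT_GITHUB_TOKEN GITHUB_TOKEN; then
    echo "   PASS: only allowlisted secrets referenced"
  else
    echo "   FAIL: unexpected secret names present"
  fi
done
```

Running it against the real lock file is a matter of replacing the sample paths with `.github/workflows/java-interop-reviewer.lock.yml`; the allowlist check is the stronger of the two, since it flags any name that is not expected rather than only the two names already known to be unwanted.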