Skip to content

Isolate safe_outputs checkout auth from safe-outputs app/token credentials#43005

Open
pelikhan with Copilot wants to merge 12 commits into
mainfrom
copilot/fix-safe-outputs-token-issue
Open

Isolate safe_outputs checkout auth from safe-outputs app/token credentials#43005
pelikhan with Copilot wants to merge 12 commits into
mainfrom
copilot/fix-safe-outputs-token-issue

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

safe_outputs was applying its resolved push/auth token to checkout steps, causing the default workflow-repo checkout to use safe-outputs.github-app/safe-outputs.github-token. In cross-org setups, that token can be scoped to the target org and fail when checking out the workflow repo.

  • Auth flow correction (checkout vs push)

    • Removed push-token fallback injection from checkout generation in checkout_step_generator.go (both default and additional checkouts).
    • Checkout with.token is now emitted only from checkout-specific config (checkout.github-token / checkout.github-app) or normal default behavior.
    • Safe output push auth remains handled by CheckoutManager.GenerateConfigureGitCredentialsSteps, keeping push credentials separate from checkout credentials.
  • Regression coverage

    • Reworked checkout manager tests to assert token isolation (push token must not appear in checkout steps when credentials are retained for push).
    • Added safe_outputs step tests ensuring:
      • safe_outputs token/app token is still used for git credential configuration (GIT_TOKEN)
      • those tokens are not emitted as checkout with.token.
  • Code clarity

    • Updated inline comments to explicitly document that checkout auth and push auth are intentionally decoupled.
# Before (safe_outputs could leak into checkout auth)
- name: Checkout repository
  uses: actions/checkout@...
  with:
    token: ${{ steps.safe-outputs-app-token.outputs.token }}

# After (checkout auth isolated; push auth configured separately)
- name: Checkout repository
  uses: actions/checkout@...
  with:
    persist-credentials: true
# token only present if checkout config explicitly sets one

Copilot AI and others added 2 commits July 2, 2026 16:09
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix safe_outputs default checkout token for cross-org workflows Isolate safe_outputs checkout auth from safe-outputs app/token credentials Jul 2, 2026
Copilot AI requested a review from pelikhan July 2, 2026 16:17
@pelikhan pelikhan marked this pull request as ready for review July 2, 2026 20:23
Copilot AI review requested due to automatic review settings July 2, 2026 20:23
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (38 additions in 3 files, none in default business logic directories).

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

⚠️ PR Code Quality Reviewer failed during code quality review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the workflow compiler so that safe_outputs push credentials are no longer injected into generated actions/checkout steps, preventing cross-org failures where a safe-outputs token/app token cannot read the workflow repository. It also adjusts tests to assert that the safe_outputs push token remains available for later git credential configuration while being excluded from checkout with.token.

Changes:

  • Removed the safe_outputs push-token fallback from default and additional checkout step generation so checkout auth comes only from checkout config (or default GITHUB_TOKEN behavior).
  • Updated checkout manager tests to assert push-token isolation (no push token in checkout YAML).
  • Added safe_outputs step tests asserting push tokens flow into GIT_TOKEN env but are not emitted as checkout with.token.
Show a summary per file
File Description
pkg/workflow/compiler_safe_outputs_steps_test.go Adds assertions that safe_outputs tokens/apps are used for GIT_TOKEN but not emitted as checkout with.token.
pkg/workflow/checkout_step_generator.go Removes push-token fallback injection into checkout steps and documents intended separation between checkout vs push auth.
pkg/workflow/checkout_manager_test.go Reworks tests to validate push-token isolation for both default and additional checkouts.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread pkg/workflow/checkout_step_generator.go Outdated
Comment on lines +393 to +397
// Apply user overrides only when NOT in trial mode to avoid conflicting
// repository/token values in the same checkout step. Note that safe_outputs push
// auth is intentionally isolated from checkout auth: this step only emits tokens
// from checkout config (or trial mode), while push auth is applied later by
// CheckoutManager.GenerateConfigureGitCredentialsSteps.
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100 — Excellent

Analyzed 4 test(s): 4 design, 0 implementation, 0 violation(s).

📊 Metrics (4 tests)
Metric Value
Analyzed 4 (Go: 4, JS: 0)
✅ Design 4 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 4 (100%)
Duplicate clusters 0
Inflation No
🚨 Violations 0
Test File Classification Issues
"default checkout with no explicit token does not emit pushToken" checkout_manager_test.go:244 design_test / high_value None
"additional checkout with no token does not use pushToken" checkout_manager_test.go:289 design_test / high_value None
"safe-outputs github-token flows into git credentials" (+ checkNotContains) compiler_safe_outputs_steps_test.go:104 design_test / high_value None
"safe-outputs github-app token is not used by checkout step" compiler_safe_outputs_steps_test.go:117 design_test / high_value None

Verdict

Passed. 0% implementation tests (threshold: 30%). All 4 test scenarios enforce the credential isolation contract — both modified subtests in TestCheckoutPushTokenIsolation correctly invert the prior (wrong) assertions to match the fix, and the two new table rows in TestBuildSharedPRCheckoutSteps cover both github-token and github-app variants of the safe_outputs token isolation. Build tags present on both files. No mocking violations.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 43.5 AIC · ⌖ 11.9 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 100/100. 0% implementation tests (threshold: 30%). All modified/added tests enforce the credential isolation design contract with correct assertions, build tags present, no mocking violations.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Isolate safe_outputs checkout auth from safe-outputs app/token credentials

This PR correctly fixes a security boundary issue: the safe_outputs push token was leaking into actions/checkout with.token, which could cause cross-org failures and unnecessarily exposes the push token to the checkout phase.

Security assessment: The fix is correct and tightens the security boundary. Checkout now only receives credentials from checkout-specific config, while push auth is separately wired by GenerateConfigureGitCredentialsSteps.

Correctness: The two-phase auth model is sound: (1) checkout uses only its own credentials or the default workflow token; (2) push auth is configured separately after checkout.

Test coverage: Both regressions are well-covered. TestCheckoutPushTokenIsolation now asserts token absence. New compiler test cases assert safe-outputs token/app token appears in GIT_TOKEN but not in checkout with.token.

Code clarity: The inline comment on GenerateDefaultCheckoutStep explicitly documents the intentional decoupling, helping future maintainers avoid re-introducing the bug.

No blocking issues found. The change is minimal, targeted, and well-tested. ✅

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 57.1 AIC · ⌖ 6.45 AIC · ⊞ 4.9K

@pelikhan

pelikhan commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

@copilot review changes for side repo and trial modes.

  • safe output tokens should NOT OVERRIDE the checkout tokens

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs, /tdd, and /codebase-design — overall solid fix with two small test-coverage gaps worth addressing.

📋 Key Themes & Highlights

Key Themes

  • Missing regression guard for persist-credentials: The new safe-outputs github-app test case (compiler_safe_outputs_steps_test.go:117) verifies the token is absent from with.token, but doesn't assert persist-credentials: true is still emitted. A future regression breaking push-auth would slip through.
  • Cross-org failure mode not encoded as a test: The PR description motivates the fix with a specific scenario (checkout token scoped to workflow-org vs push token scoped to target-org), but no sub-test in TestCheckoutPushTokenIsolation directly exercises that combination.
  • Signature simplification opportunity noted: generateCheckoutStepLines now only uses keepCredentialsForPush for persist-credentials — the removed pushToken was the other consumer. The updated doc comment handles this well.

Positive Highlights

  • ✅ Clean deletion of the push-token fallback — net negative LoC, no dead code left behind.
  • ✅ Test rename from TestCheckoutPushTokenFallbackTestCheckoutPushTokenIsolation precisely captures the new invariant.
  • ✅ Dual coverage path: unit test in checkout_manager_test.go and integration-style assertions in compiler_safe_outputs_steps_test.go.
  • ✅ Updated GenerateConfigureGitCredentialsSteps reference in the function doc makes the two-phase auth model explicit.
  • ✅ PR description includes before/after YAML — great for reviewers.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 83.6 AIC · ⌖ 7.31 AIC · ⊞ 6.6K
Comment /matt to run again

},
},
{
name: "safe-outputs github-app token is not used by checkout step",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/diagnosing-bugs] This test verifies the app token is absent from with.token, but does not assert that persist-credentials: true is still present — which is the mechanism that keeps credentials available for GenerateConfigureGitCredentialsSteps.

💡 Suggested addition

Add to checkContains:

"persist-credentials: true", // must retain creds for the git-credential step to work

Without this guard, a future regression silently setting persist-credentials: false in the safe_outputs job path would not be caught here, potentially breaking push auth without a failing test.

@copilot please address this.

const pushToken = "${{ secrets.PUSH_TOKEN }}"

t.Run("default checkout with no explicit token emits pushToken once", func(t *testing.T) {
t.Run("default checkout with no explicit token does not emit pushToken", func(t *testing.T) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] The test covers the case where no checkout token is set, but there is no sub-test for the actual cross-org failure mode the PR describes: a checkout.github-token scoped to org-A while pushToken is scoped to org-B.

💡 Suggested sub-test
t.Run("default checkout with its own token uses that token, not pushToken", func(t *testing.T) {
    cm := NewCheckoutManager([]*CheckoutConfig{
        {GitHubToken: "${{ secrets.CHECKOUT_TOKEN }}"},
    })
    cm.SetKeepCredentialsForPush(true)
    cm.SetPushToken(pushToken)
    lines := cm.GenerateDefaultCheckoutStep(false, "", getPin)
    combined := strings.Join(lines, "")
    assert.Contains(t, combined, "token: ${{ secrets.CHECKOUT_TOKEN }}", "explicit checkout token must be used")
    assert.NotContains(t, combined, pushToken, "push token must not override checkout token")
})

This sub-test directly encodes the cross-org failure scenario as a regression guard.

@copilot please address this.

func generateCheckoutStepLines(entry *resolvedCheckout, index int, keepCredentialsForPush bool, pushToken string, getActionPin func(string) string) []string {
// git fetch/push can authenticate after CheckoutManager.GenerateConfigureGitCredentialsSteps
// rewrites remotes with the resolved push token.
func generateCheckoutStepLines(entry *resolvedCheckout, index int, keepCredentialsForPush bool, getActionPin func(string) string) []string {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/codebase-design] generateCheckoutStepLines still accepts keepCredentialsForPush bool and uses it only to decide persist-credentials:. The removed pushToken string parameter was its only other consumer. This is fine as-is, but the function signature now partially describes checkout persistence policy, not just step generation — worth noting if this function grows. No change required; just a flag to keep the interface cohesion in mind.

📝 Context

If keepCredentialsForPush ever needs to influence more than persist-credentials, the call-site in GenerateAdditionalCheckoutSteps will need to be audited again. Keeping the comment in the function doc mentioning that push auth is handled downstream by GenerateConfigureGitCredentialsSteps (as done here) is the right mitigation.

Copilot AI and others added 2 commits July 2, 2026 20:45
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…dSharedPRCheckoutSteps

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@copilot review changes for side repo and trial modes.

  • safe output tokens should NOT OVERRIDE the checkout tokens

Reviewed and confirmed — the existing fix already isolates safe-outputs tokens from checkout steps in both trial mode and side-repo (additional checkout) scenarios:

  • Trial mode: GenerateDefaultCheckoutStep emits token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} (standard fallback), never the safe-outputs push token.
  • Side repos: generateCheckoutStepLines uses resolveCheckoutTokenExpression(entry, index, false) which reads only from the checkout config entry, not from cm.pushToken. With no checkout-specific token configured, no token: field is emitted; with one configured, that token wins.

In both cases the safe-outputs token only reaches GIT_TOKEN in the subsequent "Configure Git credentials" step for push auth — it is never injected into with.token on any checkout step.

Added explicit regression tests in commit test: add token isolation tests for trial mode and side repos in buildSharedPRCheckoutSteps covering:

  1. Trial mode + safe-outputs token → token NOT in checkout with.token, IS in GIT_TOKEN
  2. Side repo + safe-outputs token → safe-outputs token NOT in additional checkout
  3. Side repo with its own checkout token + safe-outputs token → checkout-specific token wins, safe-outputs token absent from checkout

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Great work on the safe_outputs auth isolation fix! 👏 This is a well-scoped, correctly targeted change — the auth leakage from push credentials into checkout steps is a real cross-org correctness issue, and the fix is clean.

The PR looks ready for review:

  • ✅ Clear bug description with a before/after YAML illustration
  • ✅ Focused change — checkout_step_generator.go surgically removes the push-token fallback, and the credential configuration path is left untouched
  • ✅ Good regression coverage — reworked checkout_manager_test.go token-isolation assertions plus 82 lines of new compiler_safe_outputs_steps_test.go covering both the GIT_TOKEN usage and the absence of with.token in checkout steps
  • ✅ No new dependencies introduced

This looks ready for a maintainer pass! 🚀

Generated by ✅ Contribution Check · 184.6 AIC · ⌖ 12.9 AIC · ⊞ 6.3K ·

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address the remaining review feedback before rerunning checks. Priorities:

  • add the missing regression guard for persist-credentials in the safe-outputs...

Addressed in the latest two commits. Here's what was done:

Root cause fix — http.extraheader cleanup

actions/checkout with persist-credentials: true stores an http.<server>/.extraheader auth header in .git/config. Without clearing it, git sends two conflicting Authorization headers (checkout token via extraheader + push token via URL), causing failures in cross-org push scenarios.

  • configure_git_credentials.sh (single/root-repo path): adds git config --unset-all "http.${URL}/.extraheader" 2>/dev/null || true immediately after git remote set-url origin, so the token-in-URL push credential is the sole auth source.
  • checkout_step_generator.go (multi-repo inline path): adds the same git -C <subdir> config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader" 2>/dev/null || true after each sub-repo's remote set-url. Note: GITHUB_SERVER_URL (full URL, e.g. https://github.com) is the correct key prefix for the extraheader config; GIT_SERVER_URL_STRIPPED (no protocol) is only used in the token-in-URL remote string — these are intentionally different.

Regression tests added

  • TestGenerateConfigureGitCredentialsSteps/multi-repo_clears_http_extraheader_after_remote_set-url_for_each_sub-repo — asserts the cleanup is present and idempotent
  • TestGenerateConfigureGitCredentialsSteps/cross-org_push:_sub-repo_cleanup_appears_after_remote_set-url — encodes the cross-org failure mode, asserting cleanup follows remote set-url so the push token is the sole credential
  • TestBuildSharedPRCheckoutSteps/safe-outputs_github-app_cross-org:_extraheader_cleared_for_sub-repo_checkout — regression guard for the safe-outputs github-app path specifically
  • TestConfigureGitCredentialsShellScript — verifies the shell script itself contains the combined config --unset-all "http. + /.extraheader" cleanup (strengthened assertions so both tokens must appear together in the same command)

Copilot AI requested a review from gh-aw-bot July 2, 2026 22:29
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, then do one final pass on the remaining unresolved review feedback before rerunning checks.

Priorities:

  • github-actions[bot]: add or confirm the persist-credentials: true regression guard in the safe-outputs github-app path (pkg/workflow/compiler_safe_outputs_steps_test.go) if it is not already covered on the latest head
  • github-actions[bot]: keep the focused cross-org checkout-token-vs-push-token regression test in pkg/workflow/checkout_manager_test.go
  • Copilot reviewer: make sure the http.<server>/.extraheader cleanup path remains covered for both root and sub-repo credential setup
  • once done, summarize what changed and whether any blocking feedback remains for maintainers

Run: https://github.com/github/gh-aw/actions/runs/28628188522

Generated by 👨‍🍳 PR Sous Chef · 11.9 AIC · ⌖ 21.7 AIC · ⊞ 6.4K ·

… github-app checkout path

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, then do one final pass on the remaining unresolved review feedback before rerunning checks.

Priorities:...

Done. Here's a final status summary:

persist-credentials: true regression guard in safe-outputs github-app path — added persist-credentials: true to checkContains and persist-credentials: false to checkNotContains in the "safe-outputs github-app token is not used by checkout step" test in pkg/workflow/compiler_safe_outputs_steps_test.go (commit test: add persist-credentials: true regression guard for safe-outputs github-app checkout path).

Cross-org checkout-token-vs-push-token regression tests — already present in checkout_manager_test.go:

  • "multi-repo clears http extraheader after remote set-url for each sub-repo" — asserts cleanup present and idempotent
  • "cross-org push: sub-repo cleanup appears after remote set-url" — asserts ordering (unset-all follows remote set-url)

http./.extraheader cleanup coverage — confirmed for both paths:

  • Root-repo: TestConfigureGitCredentialsShellScript in git_config_test.go tests the shell script directly
  • Sub-repo: TestGenerateConfigureGitCredentialsSteps multi-repo cases in checkout_manager_test.go
  • Safe-outputs github-app specifically: "safe-outputs github-app cross-org: extraheader cleared for sub-repo checkout" in compiler_safe_outputs_steps_test.go

All make fmt, make agent-report-progress, and targeted tests pass locally. CI re-trigger needed from a maintainer to confirm green on the PR head.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Triage Result

Field Value
Category bug
Risk High
Priority Score 79/100
Score Breakdown Impact: 42 · Urgency: 25 · Quality: 12
Recommended Action fast_track

Rationale: Auth isolation bug causing cross-org checkout failures when safe_outputs applies its push/app token to the workflow-repo checkout. Large diff (65 files, +266/-96) but targeted fix. Currently blocked — expedited human review recommended given auth/security scope.

Generated by 🔧 PR Triage Agent · 98.6 AIC · ⌖ 9.89 AIC · ⊞ 5.5K ·

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run make merge-main to resolve this branch's merge conflict with the latest main branch, then run the pr-finisher skill and push the refreshed branch.

Run: https://github.com/github/gh-aw/actions/runs/28632917404

Generated by 👨‍🍳 PR Sous Chef · 25 AIC · ⌖ 9.73 AIC · ⊞ 6.4K ·

…uts-token-issue

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run make merge-main to resolve this branch's merge conflict with the latest main branch, then run the pr-finisher skill and push the refreshed branch.

Run: https://github.com/gith...

Done — make merge-main completed (auto-merge, no conflicts), build passed, 258 workflows recompiled, make fmt clean. Merge commit: ad6cbba. CI re-trigger needed from a maintainer before merge.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.07 AIC · ⌖ 7.49 AIC · ⊞ 6.4K ·

…uts-token-issue

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

...

Done. Merged the latest origin/main (10 commits, including the compiler_types.goworkflow_data.go/safe_outputs_config.go split), rebuilt, recompiled 258 workflows, and validated locally. All review threads were already addressed in prior commits. Merge commit: d587c67. CI re-trigger needed from a maintainer before merge.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run make merge-main to resolve this branch's merge conflict with the latest main branch, then run the pr-finisher skill and push the refreshed branch.

Run: https://github.com/github/gh-aw/actions/runs/28641705440

Generated by 👨‍🍳 PR Sous Chef · 12.9 AIC · ⌖ 3.68 AIC · ⊞ 3.1K ·

…uts-token-issue

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run make merge-main to resolve this branch's merge conflict with the latest main branch, then run the pr-finisher skill and push the refreshed branch.

Run: https://github.com/gith...

Done — make merge-main completed successfully (auto-merge, no conflicts, 258 workflows recompiled). Local validation (make fmt, lint, unit tests) all pass. Branch pushed at 5c5841e. CI re-trigger needed from a maintainer before merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

safe_outputs default checkout of workflow repo uses safe-outputs.github-app token, breaking cross-org workflows

4 participants