diff --git a/.github/workflows/avenger.lock.yml b/.github/workflows/avenger.lock.yml
index 21b93c50d4a..8d2e470b952 100644
--- a/.github/workflows/avenger.lock.yml
+++ b/.github/workflows/avenger.lock.yml
@@ -1769,7 +1769,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index 6429ac6b5d2..ef900c46a37 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -1784,7 +1784,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml
index 6a969dc0326..579ef4b997d 100644
--- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml
+++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml
@@ -1619,7 +1619,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 3da65dcb111..22cbd030040 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -1824,7 +1824,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 2461bb317d7..2d1f3611c9e 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -2091,7 +2091,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
index 7a6f90725bb..1916d50bc29 100644
--- a/.github/workflows/code-scanning-fixer.lock.yml
+++ b/.github/workflows/code-scanning-fixer.lock.yml
@@ -1749,7 +1749,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml
index 5ac39e8eca5..e75805a21c0 100644
--- a/.github/workflows/code-simplifier.lock.yml
+++ b/.github/workflows/code-simplifier.lock.yml
@@ -1772,7 +1772,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index 90e8c812672..d6d4a2b3b8a 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -1764,7 +1764,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml
index 472c5c25b7b..4c7fd15dc49 100644
--- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml
+++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml
@@ -1978,7 +1978,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml
index 70e542c2af5..bc6e8a23440 100644
--- a/.github/workflows/daily-architecture-diagram.lock.yml
+++ b/.github/workflows/daily-architecture-diagram.lock.yml
@@ -1854,7 +1854,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml
index 4889b10f5c6..5f23344d2c1 100644
--- a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml
+++ b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml
@@ -1797,7 +1797,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml
index c07555f4338..85feebaaed1 100644
--- a/.github/workflows/daily-caveman-optimizer.lock.yml
+++ b/.github/workflows/daily-caveman-optimizer.lock.yml
@@ -1846,7 +1846,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml
index cd553210ebd..465c1cd2709 100644
--- a/.github/workflows/daily-community-attribution.lock.yml
+++ b/.github/workflows/daily-community-attribution.lock.yml
@@ -1963,7 +1963,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml
index dfa578808c5..8fa8140fb04 100644
--- a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml
+++ b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml
@@ -1691,7 +1691,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml
index 913996b380e..d94c64c11e0 100644
--- a/.github/workflows/daily-doc-healer.lock.yml
+++ b/.github/workflows/daily-doc-healer.lock.yml
@@ -1955,7 +1955,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index 26135e41eae..c005b6e9c46 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -1751,7 +1751,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml
index 7cc348e87e1..c8311ebbd17 100644
--- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml
+++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml
@@ -1961,7 +1961,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml
index d6189bfeb37..a88ba89f31d 100644
--- a/.github/workflows/daily-safe-output-integrator.lock.yml
+++ b/.github/workflows/daily-safe-output-integrator.lock.yml
@@ -1729,7 +1729,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml
index 0e2c4a37c5a..9f53b21ddac 100644
--- a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml
+++ b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml
@@ -1883,7 +1883,6 @@ jobs:
 with:
 persist-credentials: true
 fetch-depth: 0
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Fetch additional refs
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') || (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index 727e19d4beb..c909011a503 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -1649,7 +1649,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/daily-yamllint-fixer.lock.yml b/.github/workflows/daily-yamllint-fixer.lock.yml
index 7331ed859d9..16ce804bc7a 100644
--- a/.github/workflows/daily-yamllint-fixer.lock.yml
+++ b/.github/workflows/daily-yamllint-fixer.lock.yml
@@ -1781,7 +1781,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml
index 1801b9945d2..fa5918ebd43 100644
--- a/.github/workflows/dead-code-remover.lock.yml
+++ b/.github/workflows/dead-code-remover.lock.yml
@@ -1777,7 +1777,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml
index 03210e73f5e..90287078a04 100644
--- a/.github/workflows/dependabot-burner.lock.yml
+++ b/.github/workflows/dependabot-burner.lock.yml
@@ -1866,7 +1866,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/dependabot-repair.lock.yml b/.github/workflows/dependabot-repair.lock.yml
index 97748cded22..d121b1bc432 100644
--- a/.github/workflows/dependabot-repair.lock.yml
+++ b/.github/workflows/dependabot-repair.lock.yml
@@ -1792,7 +1792,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml
index 27633312c2b..4aa19412d18 100644
--- a/.github/workflows/design-decision-gate.lock.yml
+++ b/.github/workflows/design-decision-gate.lock.yml
@@ -1920,7 +1920,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index c46e0e1b24f..d0c6a9ac078 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -1994,7 +1994,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index cb50c8c40a2..1a4fe695242 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -1645,7 +1645,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/eslint-miner.lock.yml b/.github/workflows/eslint-miner.lock.yml
index f88dd11eba6..5e7a7cbe5b4 100644
--- a/.github/workflows/eslint-miner.lock.yml
+++ b/.github/workflows/eslint-miner.lock.yml
@@ -1666,7 +1666,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml
index a7af873cd59..345e8b34965 100644
--- a/.github/workflows/functional-pragmatist.lock.yml
+++ b/.github/workflows/functional-pragmatist.lock.yml
@@ -1649,7 +1649,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 2bf95c0d244..2c4d19c5c23 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -1786,7 +1786,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index bfb4ea1e396..01760edd718 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -1896,7 +1896,6 @@ jobs:
 with:
 persist-credentials: true
 fetch-depth: 0
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index ed32555a55a..f88f027e0e6 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -1805,7 +1805,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index 071192970bd..94c0987b38e 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -1811,7 +1811,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index c89686830a2..ae2780237d1 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -1781,7 +1781,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index a77e0ede23c..f079b43eaca 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -1716,7 +1716,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index c95e56189e6..7218b4b9d00 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -1696,7 +1696,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml
index ce02c24e0f3..7cf8e5dc14f 100644
--- a/.github/workflows/linter-miner.lock.yml
+++ b/.github/workflows/linter-miner.lock.yml
@@ -1741,7 +1741,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index 7a413b8d251..567d5f17cf4 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -1806,7 +1806,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml
index 4469087e459..771395b2f73 100644
--- a/.github/workflows/necromancer.lock.yml
+++ b/.github/workflows/necromancer.lock.yml
@@ -1881,7 +1881,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml
index 02751b7f136..dbf87f56f6a 100644
--- a/.github/workflows/pr-sous-chef.lock.yml
+++ b/.github/workflows/pr-sous-chef.lock.yml
@@ -2008,7 +2008,6 @@ jobs:
 with:
 persist-credentials: true
 fetch-depth: 0
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Fetch additional refs
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 env:
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 816e8298fd1..f9bb4caf0e9 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -1955,7 +1955,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml
index 898444464eb..be9c257d4ab 100644
--- a/.github/workflows/refiner.lock.yml
+++ b/.github/workflows/refiner.lock.yml
@@ -1826,7 +1826,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/ruflo-backed-task.lock.yml b/.github/workflows/ruflo-backed-task.lock.yml
index afcecba0f32..1762fddd874 100644
--- a/.github/workflows/ruflo-backed-task.lock.yml
+++ b/.github/workflows/ruflo-backed-task.lock.yml
@@ -1919,7 +1919,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml
index 3a35a1edd00..bd51b22cfdb 100644
--- a/.github/workflows/schema-feature-coverage.lock.yml
+++ b/.github/workflows/schema-feature-coverage.lock.yml
@@ -1754,7 +1754,6 @@ jobs:
 with:
 persist-credentials: true
 fetch-depth: 1
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index b3871ccf8e1..7a35b2c74f6 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -1843,7 +1843,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml
index 7306a10ed31..6dae8288fed 100644
--- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml
+++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml
@@ -1885,7 +1885,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
 - name: Checkout github/gh-aw-side-repo into gh-aw-side-repo
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
@@ -1906,6 +1905,7 @@ jobs:
 GIT_SERVER_URL_STRIPPED="${GITHUB_SERVER_URL#https://}"
 # Re-authenticate git for gh-aw-side-repo
 git -C "gh-aw-side-repo" remote set-url origin "https://x-access-token:${GIT_TOKEN}@${GIT_SERVER_URL_STRIPPED}/${GH_AW_SUBREPO_0}.git"
+ git -C "gh-aw-side-repo" config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader" 2>/dev/null || true
 echo "Git configured with standard GitHub Actions identity"
 - name: Configure GH_HOST for enterprise compatibility
 id: ghes-host-config
diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml
index c74294c0d6c..a465a9d244e 100644
--- a/.github/workflows/smoke-multi-pr.lock.yml
+++ b/.github/workflows/smoke-multi-pr.lock.yml
@@ -1835,7 +1835,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml
index 6327227be7e..49114af269f 100644
--- a/.github/workflows/smoke-project.lock.yml
+++ b/.github/workflows/smoke-project.lock.yml
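Review bot: The added `git -C "gh-aw-side-repo" config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader" 2>/dev/null || true` clears the persisted Authorization header only for the side-repository clone, while the first hunk in this file keeps `persist-credentials: true` on the checkout whose explicit `token:` was removed, so that checkout now writes the job's default token into its `.git/config` as an extraheader for the rest of the job. The same pairing appears in the smoke-update-cross-repo-pr hunks, and every other file in this diff removes `token:` under `persist-credentials: true` with no unset visible; the "Configure Git credentials" step that follows lies outside those hunks, so whether it clears the header for the main checkout cannot be confirmed here. If that step only rewrites the remote URL with `x-access-token:${GIT_TOKEN}`, the clone carries two credentials at once and which one git sends on push is not obvious from the workflow; setting `persist-credentials: false` on these checkouts, or unsetting the extraheader in the same step as the `remote set-url`, would make the credential used for the push unambiguous. These are generated `.lock.yml` files, so the change belongs in the generator that emits the checkout and "Configure Git credentials" steps.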
@@ -2094,7 +2094,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
index 558280577a8..e9bf7378349 100644
--- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml
+++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
@@ -1919,7 +1919,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
 - name: Checkout github/gh-aw-side-repo into gh-aw-side-repo
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
@@ -1948,6 +1947,7 @@ jobs:
 GIT_SERVER_URL_STRIPPED="${GITHUB_SERVER_URL#https://}"
 # Re-authenticate git for gh-aw-side-repo
 git -C "gh-aw-side-repo" remote set-url origin "https://x-access-token:${GIT_TOKEN}@${GIT_SERVER_URL_STRIPPED}/${GH_AW_SUBREPO_0}.git"
+ git -C "gh-aw-side-repo" config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader" 2>/dev/null || true
 echo "Git configured with standard GitHub Actions identity"
 - name: Configure GH_HOST for enterprise compatibility
 id: ghes-host-config
diff --git a/.github/workflows/spec-enforcer.lock.yml b/.github/workflows/spec-enforcer.lock.yml
index 726ed788f2c..f3c8b8ed3ab 100644
--- a/.github/workflows/spec-enforcer.lock.yml
+++ b/.github/workflows/spec-enforcer.lock.yml
@@ -1674,7 +1674,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml
index 4c8c5f2b675..9d0293484d2 100644
--- a/.github/workflows/spec-extractor.lock.yml
+++ b/.github/workflows/spec-extractor.lock.yml
@@ -1775,7 +1775,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index 6040e8c050f..3ae0a63af20 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -1900,7 +1900,6 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: true
- token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Configure Git credentials
 if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
 env:
diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml
index 316fd72ffe1..906d597e017 100644
--- a/.github/workflows/test-create-pr-error-handling.lock.yml
+++ b/.github/workflows/test-create-pr-error-handling.lock.yml
@@ -1709,7 +1709,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 31d9869165a..3bd2b597859 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1852,7 +1852,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') || (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch') env: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index c13a93d9b33..772ea68d37a 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1750,7 +1750,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 132b757c948..b22c00bb377 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml 
@@ -1855,7 +1855,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 059ee846694..c8e25d87f7b 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -1771,7 +1771,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 1c3f76602ee..398bb54ecb5 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -2042,7 +2042,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 64b33d40ed3..af7510f3cdc 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -1718,7 +1718,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index ca7d91978ff..31056eecb7b 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -1648,7 +1648,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: true - token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - name: Configure Git credentials if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') env: diff --git a/actions/setup/sh/configure_git_credentials.sh b/actions/setup/sh/configure_git_credentials.sh index a2bb4075fd9..3722b95f7a5 100755 --- a/actions/setup/sh/configure_git_credentials.sh +++ b/actions/setup/sh/configure_git_credentials.sh 
@@ -94,6 +94,11 @@ TOKEN="${GITHUB_TOKEN:-${GIT_TOKEN:-}}" if [ -n "${REPO}" ] && [ -n "${URL}" ] && [ -n "${TOKEN}" ]; then URL_STRIPPED="${URL#https://}" git remote set-url origin "https://x-access-token:${TOKEN}@${URL_STRIPPED}/${REPO}.git" + # Remove the http.extraheader that actions/checkout persists with persist-credentials: true. + # Without this, git sends two conflicting Authorization headers (the checkout token via + # extraheader + the push token via the URL), which can fail in cross-org setups where + # the checkout token is scoped to a different org than the push target. + git config --unset-all "http.${URL}/.extraheader" 2>/dev/null || true fi echo "Git configured with standard GitHub Actions identity" >&2 diff --git a/pkg/workflow/checkout_manager_test.go b/pkg/workflow/checkout_manager_test.go index 4ca1970d228..5674c0eb38d 100644 --- a/pkg/workflow/checkout_manager_test.go +++ b/pkg/workflow/checkout_manager_test.go 
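Review bot: The added `2>/dev/null || true` masks every failure of the unset, not just the expected "key not present" case, so an unreadable `.git/config` or a key that does not match what actions/checkout wrote would leave the stale extraheader in place and the push would later fail with exactly the two-header symptom this change targets. git-config exits with status 5 when the key to unset does not exist, so the idempotent form can tolerate only that status and report anything else: `git config --unset-all "http.${URL}/.extraheader" 2>/dev/null; rc=$?` followed by `[ "$rc" -eq 0 ] || [ "$rc" -eq 5 ] || echo "warning: could not clear http.${URL}/.extraheader (exit ${rc})" >&2`. The same blanket suppression is emitted by the generated line in the checkout_step_generator.go hunk at -337, so the same change applies there. Note that the key only matches if `URL` holds the same server URL actions/checkout used (its assignment is outside this hunk), which is worth stating in the comment.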
@@ -234,22 +234,22 @@ func TestGenerateDefaultCheckoutStep(t *testing.T) { }) } -// TestCheckoutPushTokenFallback verifies the safe_outputs push-token fallback that -// persists the resolved PR push token into the checkout when keepCredentialsForPush is -// enabled and no explicit checkout token (or app auth) already governs the checkout. -func TestCheckoutPushTokenFallback(t *testing.T) { +// TestCheckoutPushTokenIsolation verifies that the safe_outputs push token is NOT +// injected into checkout steps. Checkout auth must come only from checkout config +// (github-token/github-app) or the default GitHub token for the workflow repository. +func TestCheckoutPushTokenIsolation(t *testing.T) { getPin := func(action string) string { return action + "@v4" } const pushToken = "${{ secrets.PUSH_TOKEN }}" - t.Run("default checkout with no explicit token emits pushToken once", func(t *testing.T) { + t.Run("default checkout with no explicit token does not emit pushToken", func(t *testing.T) { cm := NewCheckoutManager(nil) cm.SetKeepCredentialsForPush(true) cm.SetPushToken(pushToken) lines := cm.GenerateDefaultCheckoutStep(false, "", getPin) combined := strings.Join(lines, "") assert.Contains(t, combined, "persist-credentials: true", "keepCredentialsForPush should retain credentials") - assert.Contains(t, combined, "token: "+pushToken, "should persist the push token") - assert.Equal(t, 1, strings.Count(combined, "token: "), "token must be emitted exactly once") + assert.NotContains(t, combined, "token: "+pushToken, "push token must not be used for checkout") + assert.Equal(t, 0, strings.Count(combined, "token: "), "default checkout should not emit a token line") }) t.Run("default checkout with explicit token does not override with pushToken", func(t *testing.T) { 
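Review bot: `strings.Count(combined, "token: ")` also matches any YAML key that ends in `token:` (a `github-token:` line, for example), so the new `== 0` assertions would fail on an unrelated key and the retained `== 1` assertions do not prove a single `token:` input was written. Counting the exact key as the generator emits it, with its leading newline and indentation, is what the message claims; the indentation used by GenerateDefaultCheckoutStep is outside this hunk, so take it from there. The same pattern recurs in the two hunks at -286 and -295. TestCheckoutPushTokenIsolation continues past the end of this hunk.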
@@ -286,7 +286,7 @@ func TestCheckoutPushTokenFallback(t *testing.T) { assert.NotContains(t, combined, pushToken, "pushToken must not be persisted when credentials are not retained") }) - t.Run("additional checkout with no token uses pushToken", func(t *testing.T) { + t.Run("additional checkout with no token does not use pushToken", func(t *testing.T) { cm := NewCheckoutManager([]*CheckoutConfig{ {Repository: "owner/libs", Path: "./libs"}, }) @@ -295,8 +295,8 @@ func TestCheckoutPushTokenFallback(t *testing.T) { lines := cm.GenerateAdditionalCheckoutSteps(getPin) combined := strings.Join(lines, "") assert.Contains(t, combined, "persist-credentials: true", "keepCredentialsForPush should retain credentials") - assert.Contains(t, combined, "token: "+pushToken, "additional checkout should fall back to the push token") - assert.Equal(t, 1, strings.Count(combined, "token: "), "token must be emitted exactly once") + assert.NotContains(t, combined, "token: "+pushToken, "additional checkout must not fall back to the push token") + assert.Equal(t, 0, strings.Count(combined, "token: "), "additional checkout with no token should not emit a token line") }) t.Run("additional checkout with explicit token does not override with pushToken", func(t *testing.T) { 
@@ -311,6 +311,29 @@ func TestCheckoutPushTokenFallback(t *testing.T) { assert.NotContains(t, combined, pushToken, "pushToken must not override an explicit checkout token") assert.Equal(t, 1, strings.Count(combined, "token: "), "token must be emitted exactly once") }) + + t.Run("trial mode in safe_outputs job uses safe-output token chain not MCP token", func(t *testing.T) { + cm := NewCheckoutManager(nil) + cm.SetKeepCredentialsForPush(true) + cm.SetPushToken(pushToken) + lines := cm.GenerateDefaultCheckoutStep(true, "owner/trial-repo", getPin) + combined := strings.Join(lines, "") + // Trial checkout in safe_outputs must use the safe-output chain (GH_AW_GITHUB_TOKEN || GITHUB_TOKEN). + assert.Contains(t, combined, "token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", "safe_outputs trial mode must use the safe-output token chain") + // The read-only MCP server token must never appear in a safe_outputs checkout. + assert.NotContains(t, combined, "GH_AW_GITHUB_MCP_SERVER_TOKEN", "MCP server token must not appear in a safe_outputs checkout") + // The push token must not appear in the checkout step. + assert.NotContains(t, combined, pushToken, "pushToken must not be injected in trial mode checkout") + }) + + t.Run("trial mode in agent job (not safe_outputs) uses full agent token chain", func(t *testing.T) { + cm := NewCheckoutManager(nil) + // keepCredentialsForPush is false for the agent job. + lines := cm.GenerateDefaultCheckoutStep(true, "owner/trial-repo", getPin) + combined := strings.Join(lines, "") + // Agent trial mode must use the full token chain including the MCP token. + assert.Contains(t, combined, "GH_AW_GITHUB_MCP_SERVER_TOKEN", "agent trial mode should use the full agent token chain") + }) } // TestGenerateAdditionalCheckoutSteps verifies that non-default checkouts are emitted correctly. 
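Review bot: The agent-job subtest only checks that the MCP token name appears somewhere in the step text, which is a weaker assertion than the safe_outputs subtest above it and does not pin the property the rename of this test is about. Adding `assert.NotContains(t, combined, pushToken, "pushToken must not be injected in agent trial mode checkout")` makes the two trial-mode cases symmetric, and asserting the full `token: ` line rather than the bare env-var name would catch the token landing in the wrong key. Both subtests sit at the end of TestCheckoutPushTokenIsolation, whose start is outside this hunk.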
@@ -1666,4 +1689,43 @@ func TestGenerateConfigureGitCredentialsSteps(t *testing.T) { assert.Contains(t, combined, `${GH_AW_SUBREPO_0}.git`) assert.Contains(t, combined, `${GH_AW_SUBREPO_1}.git`) }) + + // Regression: when persist-credentials: true is used in actions/checkout, it stores + // an http./.extraheader in .git/config. Without explicit cleanup, git sends + // two conflicting Authorization headers (checkout token via extraheader + push token + // via URL), causing failures in cross-org scenarios where the checkout token is + // scoped to a different org than the push target. + t.Run("multi-repo clears http extraheader after remote set-url for each sub-repo", func(t *testing.T) { + cm := NewCheckoutManager([]*CheckoutConfig{ + {Repository: "org/other-repo", Path: "./other-repo"}, + }) + steps := cm.GenerateConfigureGitCredentialsSteps(token, alwaysTrue) + combined := strings.Join(steps, "") + + assert.Contains(t, combined, `config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader"`, + "must clear the extraheader that actions/checkout persists with persist-credentials: true") + // The cleanup must be idempotent (2>/dev/null || true) so it doesn't fail when no extraheader was set. + assert.Contains(t, combined, "2>/dev/null || true", + "extraheader cleanup must be idempotent") + }) + + t.Run("cross-org push: sub-repo cleanup appears after remote set-url", func(t *testing.T) { + // Regression: in cross-org setups (checkout repo = workflow-org/workflow-repo, + // push target = target-org/target-repo), actions/checkout persists the workflow-org + // checkout token as an extraheader. GenerateConfigureGitCredentialsSteps must unset + // that extraheader after rewriting the remote URL to use the push token, so that + // the only credential used for push is the push token. 
+ cm := NewCheckoutManager([]*CheckoutConfig{ + {Repository: "target-org/target-repo", Path: "./target-repo"}, + }) + steps := cm.GenerateConfigureGitCredentialsSteps(token, alwaysTrue) + combined := strings.Join(steps, "") + + remoteSetUrlIdx := strings.Index(combined, "remote set-url origin") + unsetExtraheaderIdx := strings.Index(combined, "config --unset-all") + require.Greater(t, remoteSetUrlIdx, -1, "remote set-url must be present") + require.Greater(t, unsetExtraheaderIdx, -1, "extraheader cleanup must be present") + assert.Greater(t, unsetExtraheaderIdx, remoteSetUrlIdx, + "extraheader cleanup must follow remote set-url so the push token is the sole credential") + }) } diff --git a/pkg/workflow/checkout_step_generator.go b/pkg/workflow/checkout_step_generator.go index e3af1e11ca8..36efce1dc3f 100644 --- a/pkg/workflow/checkout_step_generator.go +++ b/pkg/workflow/checkout_step_generator.go @@ -82,7 +82,7 @@ func (cm *CheckoutManager) GenerateAdditionalCheckoutSteps(getActionPin func(str if entry.key.path == "" && entry.key.repository == "" { continue } - lines = append(lines, generateCheckoutStepLines(entry, checkoutIndex, cm.keepCredentialsForPush, cm.pushToken, getActionPin)...) + lines = append(lines, generateCheckoutStepLines(entry, checkoutIndex, cm.keepCredentialsForPush, getActionPin)...) } checkoutManagerLog.Printf("Generated %d additional checkout step(s)", len(lines)) return lines 
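Review bot: `assert.Contains(t, combined, "2>/dev/null || true")` can be satisfied by any other best-effort command in the generated steps, so it does not show that the extraheader cleanup in particular is idempotent; asserting the whole emitted line, ``config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader" 2>/dev/null || true``, proves the property the message names. The second subtest is labelled "cross-org" but nothing it asserts depends on the org (the generator output is the same for any repository string), so the name overstates what it covers; the ordering check is still useful, though `strings.Index` only locates the first occurrence and the subtest therefore holds for one sub-repo only. Go initialism style also wants `remoteSetURLIdx` rather than `remoteSetUrlIdx`. TestGenerateConfigureGitCredentialsSteps starts outside this hunk.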
@@ -337,6 +337,13 @@ func (cm *CheckoutManager) GenerateConfigureGitCredentialsSteps(gitRemoteToken s steps = append(steps, fmt.Sprintf(" # Re-authenticate git for %s\n", commentRef), fmt.Sprintf(" git -C %s remote set-url origin \"https://x-access-token:${GIT_TOKEN}@${GIT_SERVER_URL_STRIPPED}/${%s}.git\"\n", gitDir, repo.envVarName), + // Remove the http.extraheader that actions/checkout persists with persist-credentials: true. + // Without this, git sends two conflicting Authorization headers (checkout token via + // extraheader + push token via URL), which breaks cross-org push scenarios. + // Note: GITHUB_SERVER_URL (e.g. "https://github.com") is the full URL used as the + // git config key; GIT_SERVER_URL_STRIPPED (e.g. "github.com") is only used in the + // token-in-URL remote string above — these are intentionally different variables. + fmt.Sprintf(" git -C %s config --unset-all \"http.${GITHUB_SERVER_URL}/.extraheader\" 2>/dev/null || true\n", gitDir), ) } steps = append(steps, 
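Review bot: The six-line comment is placed between two arguments of the `append(...)` call, which splits the argument list and makes the generated script hard to read as a unit; the rationale belongs above the `steps = append(` statement and the generated line itself deserves only a short `// clear the checkout extraheader so the push token is the sole credential`. The hunk also hardcodes the config key `http.${GITHUB_SERVER_URL}/.extraheader` while the tests in checkout_manager_test.go and compiler_safe_outputs_steps_test.go repeat the same literal, so a package-level const for the key would keep the three in step. The loop this runs in starts outside the hunk, so it is not visible here whether the default checkout is covered by the same line or only by the shell script; a sentence in the comment saying which would help.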
@@ -381,21 +388,32 @@ func (cm *CheckoutManager) GenerateDefaultCheckoutStep( sb.WriteString(" persist-credentials: false\n") } - // Track whether a token has been written to the checkout step so the safe_outputs - // push-token fallback below does not double-emit. - tokenEmitted := false - // Apply trial mode overrides if trialMode { if trialLogicalRepoSlug != "" { fmt.Fprintf(&sb, " repository: %s\n", trialLogicalRepoSlug) } - effectiveToken := getEffectiveGitHubToken("") + // In the safe_outputs job (keepCredentialsForPush=true) use the safe-outputs + // token chain (GH_AW_GITHUB_TOKEN || GITHUB_TOKEN), which excludes the + // read-only GH_AW_GITHUB_MCP_SERVER_TOKEN that is scoped to the MCP server + // and is never appropriate for a push-capable checkout. + var effectiveToken string + if cm.keepCredentialsForPush { + effectiveToken = getEffectiveSafeOutputGitHubToken("") + } else { + effectiveToken = getEffectiveGitHubToken("") + } fmt.Fprintf(&sb, " token: %s\n", effectiveToken) - tokenEmitted = true } - // Apply user overrides (only when NOT in trial mode to avoid conflicts) + // Apply user overrides only when NOT in trial mode to avoid conflicting + // repository/token values in the same checkout step. Note that safe_outputs push + // auth is intentionally isolated from checkout auth: this step only emits tokens + // from checkout config (or trial mode). Push auth is applied later by + // CheckoutManager.GenerateConfigureGitCredentialsSteps, which also calls + // git config --unset-all http./.extraheader to remove the extraheader that + // actions/checkout persists with persist-credentials: true, preventing conflicting + // Authorization headers in cross-org push scenarios. if !trialMode && override != nil { if override.key.wiki { // Wiki checkout: use "{repository}.wiki" as the effective repository. 
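Review bot: The new eight-line comment above the override block describes the contract between checkout auth and push auth (isolation, the later `GenerateConfigureGitCredentialsSteps` rewrite, the extraheader unset), which is documentation of the function as a whole rather than of the `if !trialMode && override != nil` branch, and mid-body it will drift from the generator it refers to. Move that paragraph into GenerateDefaultCheckoutStep's doc comment (outside this hunk) and leave a one-line pointer here: `// Push auth is isolated from checkout auth; see GenerateConfigureGitCredentialsSteps.` The token-selection comment is fine as the why-comment for the `if cm.keepCredentialsForPush` branch.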
@@ -433,7 +451,6 @@ func (cm *CheckoutManager) GenerateDefaultCheckoutStep( } if effectiveOverrideToken != "" { fmt.Fprintf(&sb, " token: %s\n", effectiveOverrideToken) - tokenEmitted = true } if override.fetchDepth != nil { fmt.Fprintf(&sb, " fetch-depth: %d\n", *override.fetchDepth) @@ -452,14 +469,6 @@ func (cm *CheckoutManager) GenerateDefaultCheckoutStep( } } - // safe_outputs job: when no explicit token was written above, persist the resolved - // push token so the credential retained in .git/config matches the token the - // safe-output handlers use to fetch/push (avoiding both a wrong-token push and the - // duplicate Authorization header that a separate per-command extraheader would add). - if !trialMode && !tokenEmitted && cm.keepCredentialsForPush && cm.pushToken != "" { - fmt.Fprintf(&sb, " token: %s\n", cm.pushToken) - } - steps := []string{sb.String()} if override != nil && len(override.sparsePatterns) > 0 { steps = append(steps, generateSparseCheckoutPartialCloneResetStep("")) 
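Review bot: With the fallback removed in the -452 hunk, `cm.pushToken` no longer appears to be read in GenerateDefaultCheckoutStep, and the -82 hunk dropped it from the generateCheckoutStepLines call, so unless another reader exists outside this diff the field and `SetPushToken` (still called by the tests) are now write-only state. Either remove them in this change, or add a field comment stating what still consumes the value, for example `// pushToken is consumed only by GenerateConfigureGitCredentialsSteps; it is never written into a checkout step.` if that is the case. The struct definition is outside the hunk, so this is inferred from the visible call sites.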
@@ -489,8 +498,9 @@ func (cm *CheckoutManager) GenerateDefaultCheckoutStep( // reference the correct app token minting step when app authentication is configured. // When keepCredentialsForPush is true (safe_outputs job), credentials are retained // (persist-credentials: true) and the post-checkout cleanup step is suppressed so a later -// git fetch/push can authenticate. -func generateCheckoutStepLines(entry *resolvedCheckout, index int, keepCredentialsForPush bool, pushToken string, getActionPin func(string) string) []string { +// git fetch/push can authenticate after CheckoutManager.GenerateConfigureGitCredentialsSteps +// rewrites remotes with the resolved push token. +func generateCheckoutStepLines(entry *resolvedCheckout, index int, keepCredentialsForPush bool, getActionPin func(string) string) []string { checkoutManagerLog.Printf("Generating checkout step lines: index=%d, repo=%q, path=%q, ref=%q, appAuth=%v", index, entry.key.repository, entry.key.path, entry.ref, entry.githubApp != nil) name := "Checkout " + checkoutStepName(entry.key) @@ -523,12 +533,6 @@ func generateCheckoutStepLines(entry *resolvedCheckout, index int, keepCredentia } // Determine effective token: github-app-minted token takes precedence effectiveToken := resolveCheckoutTokenExpression(entry, index, false) - // safe_outputs job: when this checkout declares no token/app of its own, persist the - // resolved push token so the retained .git/config credential matches the token the - // safe-output handlers use to fetch/push. - if effectiveToken == "" && keepCredentialsForPush && pushToken != "" { - effectiveToken = pushToken - } if effectiveToken != "" { fmt.Fprintf(&sb, " token: %s\n", effectiveToken) } diff --git a/pkg/workflow/compiler_safe_outputs_steps_test.go b/pkg/workflow/compiler_safe_outputs_steps_test.go index 9ccdfa4f8e8..6bdb8444e05 100644 --- a/pkg/workflow/compiler_safe_outputs_steps_test.go +++ b/pkg/workflow/compiler_safe_outputs_steps_test.go 
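Review bot: The updated doc comment says credentials are retained when keepCredentialsForPush is true but not which credential that now is: with the fallback in the -523 hunk gone, a checkout that declares no token or app persists whatever actions/checkout uses by default, which is the credential the later `config --unset-all ... extraheader` line removes again. Saying so prevents a future reader from reintroducing the fallback to "fix" it; suggested sentence for the doc comment: `// Checkouts that declare no token or app retain actions/checkout's default credential; GenerateConfigureGitCredentialsSteps replaces it with the push token and clears the persisted extraheader.` The body of generateCheckoutStepLines continues outside both hunks.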
@@ -87,6 +87,73 @@ func TestBuildSharedPRCheckoutSteps(t *testing.T) { "repository: org/trial-repo", }, }, + { + // Trial mode within safe_outputs must use the safe-outputs token chain + // (GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) for the checkout, not the agent + // token chain that includes the read-only GH_AW_GITHUB_MCP_SERVER_TOKEN. + // The safe-outputs push token still reaches GIT_TOKEN in the "Configure Git + // credentials" step for push operations. + name: "trial mode does not inject safe-outputs token into checkout", + trialMode: true, + trialRepo: "org/trial-repo", + safeOutputs: &SafeOutputsConfig{ + GitHubToken: "${{ secrets.SAFE_OUTPUTS_TOKEN }}", + CreatePullRequests: &CreatePullRequestsConfig{}, + }, + checkContains: []string{ + // The safe-outputs token must still reach the git-credentials step for push auth. + "GIT_TOKEN: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", + // Trial mode checkout must use the safe-outputs token chain (no MCP token). + "token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", + }, + checkNotContains: []string{ + // The safe-outputs token must NOT be used as the checkout with.token. + "token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", + // The read-only MCP server token must never appear in a safe_outputs checkout. + "GH_AW_GITHUB_MCP_SERVER_TOKEN", + }, + }, + { + // Side repos (additional checkouts) must not inherit the safe-outputs push token. + // Only the "Configure Git credentials" step should use it; the checkout step itself + // must leave token: unset so actions/checkout uses the default GITHUB_TOKEN. + name: "side repo checkout does not inherit safe-outputs token", + safeOutputs: &SafeOutputsConfig{ + GitHubToken: "${{ secrets.SAFE_OUTPUTS_TOKEN }}", + CreatePullRequests: &CreatePullRequestsConfig{}, + }, + checkoutConfigs: []*CheckoutConfig{ + {Repository: "org/sidelib", Path: "sidelib"}, + }, + checkContains: []string{ + // The safe-outputs token must reach the git-credentials step. 
+ "GIT_TOKEN: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", + }, + checkNotContains: []string{ + // The safe-outputs token must NOT appear in the side-repo checkout step. + "token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", + }, + }, + { + // When a side repo declares its own checkout token, that token must be used + // for the checkout step and the safe-outputs push token must not override it. + name: "side repo checkout-specific token is not overridden by safe-outputs token", + safeOutputs: &SafeOutputsConfig{ + GitHubToken: "${{ secrets.SAFE_OUTPUTS_TOKEN }}", + CreatePullRequests: &CreatePullRequestsConfig{}, + }, + checkoutConfigs: []*CheckoutConfig{ + {Repository: "org/sidelib", Path: "sidelib", GitHubToken: "${{ secrets.CHECKOUT_TOKEN }}"}, + }, + checkContains: []string{ + // The checkout-specific token must govern the side-repo checkout step. + "token: ${{ secrets.CHECKOUT_TOKEN }}", + }, + checkNotContains: []string{ + // The safe-outputs token must NOT appear as a checkout with.token. + "token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", + }, + }, { name: "create-pr per-config github-token flows into git credentials", safeOutputs: &SafeOutputsConfig{ 
@@ -109,6 +176,34 @@ func TestBuildSharedPRCheckoutSteps(t *testing.T) { checkContains: []string{ "GIT_TOKEN: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", }, + checkNotContains: []string{ + "token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}", + }, + }, + { + // Regression guard: safe_outputs github-app push token must NOT override the + // checkout token. The checkout step must retain credentials (persist-credentials: true) + // for git operations, but the app token is only used for push auth via GIT_TOKEN — + // it must never appear as checkout with.token. + name: "safe-outputs github-app token is not used by checkout step", + safeOutputs: &SafeOutputsConfig{ + GitHubApp: &GitHubAppConfig{ + AppID: "${{ vars.APP_ID }}", + PrivateKey: "${{ secrets.APP_PRIVATE_KEY }}", + }, + CreatePullRequests: &CreatePullRequestsConfig{}, + }, + checkContains: []string{ + "GIT_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}", + // Regression: persist-credentials must be true so git operations work; + // the app token is NOT what drives checkout auth. + "persist-credentials: true", + }, + checkNotContains: []string{ + "token: ${{ steps.safe-outputs-app-token.outputs.token }}", + // Credentials must NOT be stripped in the safe_outputs job. + "persist-credentials: false", + }, }, { name: "push-to-pull-request-branch per-config token flows into git credentials", 
@@ -172,6 +267,40 @@ func TestBuildSharedPRCheckoutSteps(t *testing.T) { "name: Checkout repository", // Subdirectory checkout is re-authenticated so the handler can push to it. `git -C "a" remote set-url origin`, + // Regression: extraheader from actions/checkout (persist-credentials: true) must + // be cleared so the push token (not the checkout token) is the sole credential. + `git -C "a" config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader"`, + }, + }, + { + // Regression for cross-org push failure: when a safe_outputs github-app is + // configured to push to a target org, actions/checkout stores the workflow-org + // checkout token as an http.extraheader. Without explicit cleanup, git pushes to + // the target org send two conflicting Authorization headers, failing the push. + // The "Configure Git credentials" step must clear the extraheader for sub-repos. + name: "safe-outputs github-app cross-org: extraheader cleared for sub-repo checkout", + safeOutputs: &SafeOutputsConfig{ + GitHubApp: &GitHubAppConfig{ + AppID: "${{ vars.APP_ID }}", + PrivateKey: "${{ secrets.APP_PRIVATE_KEY }}", + }, + CreatePullRequests: &CreatePullRequestsConfig{}, + }, + checkoutConfigs: []*CheckoutConfig{ + {Repository: "target-org/target-repo", Path: "target-repo"}, + }, + checkContains: []string{ + // The app token must reach the git-credentials step for push auth. + "GIT_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}", + // The sub-repo remote must be rewritten to use the push token. + `git -C "target-repo" remote set-url origin`, + // The extraheader from the default GITHUB_TOKEN checkout must be cleared + // to prevent conflicting auth headers in the cross-org push. + `git -C "target-repo" config --unset-all "http.${GITHUB_SERVER_URL}/.extraheader"`, + }, + checkNotContains: []string{ + // The app token must NOT appear as a checkout with.token. + "token: ${{ steps.safe-outputs-app-token.outputs.token }}", }, }, { 
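Review bot: The new "cross-org" case asserts exactly what the preceding sub-repo cases assert with a different repository string, and the generator has no org-aware path in this diff, so the case cannot distinguish a cross-org push from a same-org one and its name overstates the coverage. Either fold its `checkContains` lines into the existing github-app sub-repo case or rename it to describe what it checks, e.g. `"safe-outputs github-app: extraheader cleared for sub-repo checkout"`. The enclosing table and TestBuildSharedPRCheckoutSteps continue outside this hunk.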
diff --git a/pkg/workflow/git_config_test.go b/pkg/workflow/git_config_test.go index 30d07048a4c..951cbab3718 100644 --- a/pkg/workflow/git_config_test.go +++ b/pkg/workflow/git_config_test.go 
@@ -218,7 +218,35 @@ func TestCredentialsCleanerStepsHelper(t *testing.T) { }) } -// TestGitConfigurationSkippedWhenCheckoutDisabled verifies that git credential steps +// TestConfigureGitCredentialsShellScript verifies that the configure_git_credentials.sh +// shell script clears the http.extraheader that actions/checkout persists when +// persist-credentials: true is used. Without this, cross-org push scenarios fail because +// git sends two conflicting Authorization headers: the checkout token (via extraheader) +// and the push token (via URL). This is a regression guard for the safe-outputs push-token +// isolation fix. +func TestConfigureGitCredentialsShellScript(t *testing.T) { + scriptPath := filepath.Join("..", "..", "actions", "setup", "sh", "configure_git_credentials.sh") + content, err := os.ReadFile(scriptPath) + if err != nil { + t.Fatalf("Failed to read configure_git_credentials.sh: %v", err) + } + scriptContent := string(content) + + // Regression: the script must unset the http.extraheader that actions/checkout + // persists with persist-credentials: true to prevent conflicting Authorization + // headers in cross-org push scenarios. Check for both tokens together in a single + // git config command so the test can't be satisfied by unrelated uses of either token. + const unsetExtraheaderCmd = `config --unset-all "http.` + if !strings.Contains(scriptContent, unsetExtraheaderCmd) || !strings.Contains(scriptContent, `/.extraheader"`) { + t.Error(`configure_git_credentials.sh must contain: git config --unset-all "http./.extraheader"`) + } + // The cleanup must be idempotent (2>/dev/null || true) so it doesn't fail when no + // extraheader was set (e.g. when persist-credentials: false was used). + if !strings.Contains(scriptContent, "2>/dev/null || true") { + t.Error("configure_git_credentials.sh extraheader cleanup must be idempotent (2>/dev/null || true)") + } +} + // are not emitted when checkout: false is set in the workflow frontmatter. 
func TestGitConfigurationSkippedWhenCheckoutDisabled(t *testing.T) { tmpDir := testutil.TempDir(t, "git-config-checkout-false-test")
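Review bot: The removed line was the first line of TestGitConfigurationSkippedWhenCheckoutDisabled's doc comment, and the new test was inserted in front of the surviving second line, so that function is now preceded by the orphan fragment `// are not emitted when checkout: false is set in the workflow frontmatter.`; restore `// TestGitConfigurationSkippedWhenCheckoutDisabled verifies that git credential steps` directly above it. The comment in the new test says the check looks for both parts "together in a single git config command", but the code does two independent `strings.Contains` calls, so unrelated occurrences of either part would satisfy it; since the script hunk emits `git config --unset-all "http.${URL}/.extraheader"`, a single `strings.Contains(scriptContent, `+"`"+`config --unset-all "http.${URL}/.extraheader"`+"`"+`)` matches both the comment and the script. The idempotency check on `"2>/dev/null || true"` anywhere in the file is similarly weak and could be anchored to the same line.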