Scope gh-aw GitHub tokens to suppress magic fallback secret names#391
Merged
Add explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` under both
`tools.github` and `safe-outputs` in the gh-aw frontmatter. This
eliminates `GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`
from the compiled lock file's `Secrets used:` block, which a repo
secret-audit was flagging by name reference.
Matches the change merged in dotnet/java-interop#1475 and dotnet/android
(same gh-aw compiler version v0.79.8).
Recompiled with `gh aw compile` (0 errors, 0 warnings).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the gh-aw workflow frontmatter so the compiler resolves the GitHub token explicitly and stops emitting optional “magic fallback” secret names (GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN) into the generated lock file’s Secrets used: block, avoiding false positives in secret-audit tooling.
Changes:
- Added explicit `github-token: ${{ secrets.GITHUB_TOKEN }}` configuration to the workflow's `tools.github` and `safe-outputs` frontmatter.
- Regenerated the `.lock.yml` so token expressions no longer include the fallback secret chain and the manifest `secrets` list only includes `COPILOT_GITHUB_TOKEN` and `GITHUB_TOKEN`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.github/workflows/android-tools-reviewer.md` | Adds explicit `github-token` entries so gh-aw doesn't rely on/emit fallback secret names. |
| `.github/workflows/android-tools-reviewer.lock.yml` | Regenerated output reflecting the explicit token configuration; removes fallback secret references from manifest/comments and runtime env/inputs. |
simonrozsival approved these changes on Jun 17, 2026.
Summary
Scopes the gh-aw GitHub tokens for `.github/workflows/android-tools-reviewer.md` so the compiled lock file no longer references the gh-aw "magic" fallback secret names `GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`. A repo secret-audit was flagging those names purely by their appearance in the lock file's `Secrets used:` comment block — they were optional fallback chain entries, not actually required.

Two small frontmatter additions (one `github-token` under `tools.github`, one under `safe-outputs`, both pointing at `${{ secrets.GITHUB_TOKEN }}`) make the gh-aw compiler resolve the token explicitly and stop emitting the fallback names.

This matches the change merged in dotnet/java-interop#1475 and the equivalent dotnet/android branch — same gh-aw compiler version (v0.79.8).
Before / after — `Secrets used:` block

Before:
After:
Verification
- `gh aw compile` ran clean: `0 error(s), 0 warning(s)`.
- No remaining references to `GH_AW_GITHUB_TOKEN` or `GH_AW_GITHUB_MCP_SERVER_TOKEN`.
- Two files changed (`.md` + `.lock.yml`); no whitespace-only churn.
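One way to implement the kind of secret-audit check this PR is working around, as an added example that is not part of the PR, of the dotnet/android repository or of gh-aw itself: it reads a compiled lock file, separates names that are merely listed in the `Secrets used:` comment block from names actually referenced in `${{ secrets.* }}` expressions, and reports any `||` fallback chains, which is what makes a listed name optional rather than required. The two lock-file snippets, the workflow name and the step layout are constructed approximations of the before and after state described above, not the project's real compiler output, and the allow-list is an assumption.

```python
import re

# Constructed approximation of the compiled lock file BEFORE the PR:
# the manifest comment lists the magic fallback names and the runtime env
# resolves the token through a `||` fallback chain. Not real gh-aw output.
LOCK_BEFORE = """\
# Secrets used:
#   COPILOT_GITHUB_TOKEN
#   GH_AW_GITHUB_MCP_SERVER_TOKEN
#   GH_AW_GITHUB_TOKEN
#   GITHUB_TOKEN
name: Android Tools Reviewer
jobs:
  agent:
    steps:
      - env:
          GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
"""

# Constructed approximation of the lock file AFTER an explicit github-token
# is set in the frontmatter: no fallback names, no fallback chain.
LOCK_AFTER = """\
# Secrets used:
#   COPILOT_GITHUB_TOKEN
#   GITHUB_TOKEN
name: Android Tools Reviewer
jobs:
  agent:
    steps:
      - env:
          GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
"""

# Assumed allow-list: the only secrets this workflow is expected to need.
ALLOWED = {"GITHUB_TOKEN", "COPILOT_GITHUB_TOKEN"}

SECRET_REF = re.compile(r"secrets\.([A-Z0-9_]+)")
# A ${{ ... }} expression containing `secrets.X ||`, i.e. a fallback chain.
FALLBACK_EXPR = re.compile(r"\$\{\{[^}]*secrets\.[A-Z0-9_]+\s*\|\|[^}]*\}\}")


def declared_secrets(text: str) -> list[str]:
    """Names listed in the `# Secrets used:` comment block, in file order."""
    names = []
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("# Secrets used:"):
            in_block = True
            continue
        if in_block:
            body = stripped[1:].strip() if stripped.startswith("#") else ""
            if not body:
                break          # first non-comment (or empty comment) line ends the block
            names.append(body)
    return names


def referenced_secrets(text: str) -> list[str]:
    """Names actually used in ${{ secrets.X }} expressions anywhere in the file."""
    return sorted(set(SECRET_REF.findall(text)))


def fallback_chains(text: str) -> list[str]:
    """Expressions of the form ${{ secrets.A || secrets.B ... }}."""
    return FALLBACK_EXPR.findall(text)


def audit(text: str, allowed: set[str] = ALLOWED) -> dict:
    """Report names outside the allow-list, split by where they appear.

    A name that is only *declared* (in the comment block) but never
    referenced is harmless noise; a name that is *referenced* only inside
    a `||` chain is optional; a name referenced on its own is required.
    """
    declared = set(declared_secrets(text))
    referenced = set(referenced_secrets(text))
    return {
        "unexpected_declared": sorted(declared - allowed),
        "unexpected_referenced": sorted(referenced - allowed),
        "fallback_chains": fallback_chains(text),
    }


if __name__ == "__main__":
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        print(label, audit(lock))
```

Run against a real lock file by replacing the constructed strings with the file contents; a CI gate would fail when `unexpected_referenced` is non-empty, and treat `unexpected_declared` or a non-empty `fallback_chains` as a reason to pin the token explicitly in the frontmatter, as this PR does, rather than as a missing secret.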