github
diff --git a/‎pkg/workflow/checkout_step_generator.go‎
Lines changed: 3 additions & 3 deletions b/‎pkg/workflow/checkout_step_generator.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎pkg/workflow/compiler_activation_job.go‎
Lines changed: 0 additions & 18 deletions b/‎pkg/workflow/compiler_activation_job.go‎
Lines changed: 0 additions & 18 deletions
diff --git a/‎pkg/workflow/compiler_github_mcp_steps.go‎
Lines changed: 15 additions & 4 deletions b/‎pkg/workflow/compiler_github_mcp_steps.go‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎pkg/workflow/compiler_safe_outputs_job.go‎
Lines changed: 50 additions & 9 deletions b/‎pkg/workflow/compiler_safe_outputs_job.go‎
Lines changed: 50 additions & 9 deletions
diff --git a/‎pkg/workflow/compiler_safe_outputs_job_test.go‎
Lines changed: 36 additions & 40 deletions b/‎pkg/workflow/compiler_safe_outputs_job_test.go‎
Lines changed: 36 additions & 40 deletions
diff --git a/‎pkg/workflow/compiler_safe_outputs_steps.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/workflow/compiler_safe_outputs_steps.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/workflow/compiler_safe_outputs_steps_test.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/workflow/compiler_safe_outputs_steps_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/workflow/create_code_scanning_alert.go‎
Lines changed: 2 additions & 2 deletions b/‎pkg/workflow/create_code_scanning_alert.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/workflow/create_pull_request_ci_trigger_token_test.go‎
Lines changed: 3 additions & 3 deletions b/‎pkg/workflow/create_pull_request_ci_trigger_token_test.go‎
Lines changed: 3 additions & 3 deletions
@@ -40,12 +40,12 @@ func (cm *CheckoutManager) GenerateCheckoutAppTokenInvalidationSteps(c *Compiler
 			continue
 		}
 		checkoutManagerLog.Printf("Generating app token invalidation step for checkout index=%d", i)
+		rawSteps := c.buildGitHubAppTokenInvalidationStep()
 		stepID := fmt.Sprintf("checkout-app-token-%d", i)
-		tokenExpr := fmt.Sprintf("steps.%s.outputs.token", stepID)
-		rawSteps := c.buildGitHubAppTokenInvalidationStep(tokenExpr)
 		for _, step := range rawSteps {
+			modified := strings.ReplaceAll(step, "steps.safe-outputs-app-token.outputs.token", "steps."+stepID+".outputs.token")
 			// Update step name to indicate it's for checkout
-			modified := strings.ReplaceAll(step, "Invalidate GitHub App token", fmt.Sprintf("Invalidate checkout app token (%d)", i))
+			modified = strings.ReplaceAll(modified, "Invalidate GitHub App token", fmt.Sprintf("Invalidate checkout app token (%d)", i))
 			steps = append(steps, modified)
 		}
 	}
 
@@ -128,24 +128,6 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate
 		outputs["github_mcp_app_token"] = "${{ steps.github-mcp-app-token.outputs.token }}"
 	}
 
-	// Mint the safe-outputs app token in the activation job so that the safe_outputs and
-	// conclusion jobs never receive the app-id / private-key secrets. The minted token is
-	// exposed as a job output and consumed by downstream jobs via
-	// needs.activation.outputs.safe_outputs_app_token.
-	if data.SafeOutputs != nil && data.SafeOutputs.GitHubApp != nil {
-		safeOutputsPermissions := ComputePermissionsForSafeOutputs(data.SafeOutputs)
-		// In workflow_call scenarios, scope the token to the platform (host) repo name.
-		// The resolve-host-repo step already ran above and its output is available.
-		var safeOutputsFallbackRepo string
-		if hasWorkflowCallTrigger(data.On) {
-			safeOutputsFallbackRepo = "${{ steps.resolve-host-repo.outputs.target_repo_name }}"
-		}
-		safeOutputsTokenSteps := c.buildGitHubAppTokenMintStep(data.SafeOutputs.GitHubApp, safeOutputsPermissions, safeOutputsFallbackRepo)
-		steps = append(steps, safeOutputsTokenSteps...)
-		outputs["safe_outputs_app_token"] = "${{ steps.safe-outputs-app-token.outputs.token }}"
-		outputs["safe_outputs_app_token_minting_failed"] = "${{ steps.safe-outputs-app-token.outcome == 'failure' }}"
-	}
-
 	// Add reaction step right after generate_aw_info so it is shown to the user as fast as
 	// possible. generate_aw_info runs first so its data is captured even if the reaction fails.
 	// This runs in the activation job so it can use any configured github-token or github-app.
 
@@ -152,10 +152,21 @@ func (c *Compiler) generateGitHubMCPAppTokenInvalidationStep(yaml *strings.Build
 	githubConfigLog.Print("Generating GitHub App token invalidation step for GitHub MCP server")
 
 	// The token was minted in the activation job; reference it via needs.activation.outputs.
-	steps := c.buildGitHubAppTokenInvalidationStep("needs.activation.outputs.github_mcp_app_token")
-	for _, step := range steps {
-		yaml.WriteString(step)
-	}
+	const tokenExpr = "needs.activation.outputs.github_mcp_app_token"
+
+	yaml.WriteString("      - name: Invalidate GitHub App token\n")
+	fmt.Fprintf(yaml, "        if: always() && %s != ''\n", tokenExpr)
+	yaml.WriteString("        env:\n")
+	fmt.Fprintf(yaml, "          TOKEN: ${{ %s }}\n", tokenExpr)
+	yaml.WriteString("        run: |\n")
+	yaml.WriteString("          echo \"Revoking GitHub App installation token...\"\n")
+	yaml.WriteString("          # GitHub CLI will auth with the token being revoked.\n")
+	yaml.WriteString("          gh api \\\n")
+	yaml.WriteString("            --method DELETE \\\n")
+	yaml.WriteString("            -H \"Authorization: token $TOKEN\" \\\n")
+	yaml.WriteString("            /installation/token || echo \"Token revoke may already be expired.\"\n")
+	yaml.WriteString("          \n")
+	yaml.WriteString("          echo \"Token invalidation step complete.\"\n")
 }
 
 // generateParseGuardVarsStep generates a step that parses the blocked-users, trusted-users, and
 
@@ -308,17 +308,59 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa
 		return nil, nil, nil
 	}
 
-	// Token minting for safe-outputs.github-app has been moved to the activation job
-	// so that app-id / private-key never reach the safe_outputs job.
-	// Track the minting outcome via the activation output (requires activation in needs).
+	// Add GitHub App token minting step at the beginning if app is configured
 	if data.SafeOutputs.GitHubApp != nil {
-		outputs["app_token_minting_failed"] = fmt.Sprintf("${{ needs.%s.outputs.safe_outputs_app_token_minting_failed }}", constants.ActivationJobName)
+		// Track whether the app token minting succeeded so the conclusion job can surface
+		// authentication errors in the failure issue.
+		outputs["app_token_minting_failed"] = "${{ steps.safe-outputs-app-token.outcome == 'failure' }}"
+
+		// For workflow_call relay workflows, scope the token to the platform repo name only
+		// (not the full slug) because actions/create-github-app-token expects repo names
+		// without the owner prefix when `owner` is also set.
+		var appTokenFallbackRepo string
+		if hasWorkflowCallTrigger(data.On) {
+			appTokenFallbackRepo = "${{ needs.activation.outputs.target_repo_name }}"
+		}
+		appTokenSteps := c.buildGitHubAppTokenMintStep(data.SafeOutputs.GitHubApp, permissions, appTokenFallbackRepo)
+		// Calculate insertion index: after setup action (if present) and artifact downloads, but before checkout and safe output steps
+		insertIndex := 0
+
+		// Count setup action steps (checkout + setup if in dev mode without action-tag, or just setup)
+		setupActionRef := c.resolveActionReference("./actions/setup", data)
+		if setupActionRef != "" {
+			insertIndex += len(c.generateCheckoutActionsFolder(data))
+			insertIndex += len(c.generateSetupStep(setupActionRef, SetupActionDestination, c.hasCustomTokenSafeOutputs(data.SafeOutputs)))
+		}
+
+		// Add artifact download steps count
+		insertIndex += len(buildAgentOutputDownloadSteps(agentArtifactPrefix))
+
+		// Add patch download steps if present
+		// Download from unified agent artifact (prefixed in workflow_call context)
+		if usesPatchesAndCheckouts(data.SafeOutputs) {
+			patchDownloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{
+				ArtifactName: agentArtifactPrefix + constants.AgentArtifactName,
+				DownloadPath: "/tmp/gh-aw/",
+				SetupEnvStep: false,
+				StepName:     "Download patch artifact",
+			})
+			insertIndex += len(patchDownloadSteps)
+		}
+
+		// Note: App token step must be inserted BEFORE shared checkout steps
+		// because those steps reference steps.safe-outputs-app-token.outputs.token
+
+		// Insert app token steps
+		var newSteps []string
+		newSteps = append(newSteps, steps[:insertIndex]...)
+		newSteps = append(newSteps, appTokenSteps...)
+		newSteps = append(newSteps, steps[insertIndex:]...)
+		steps = newSteps
 	}
 
-	// Add GitHub App token invalidation step at the end if app is configured.
-	// The token was minted in the activation job and is referenced via needs.activation.outputs.
+	// Add GitHub App token invalidation step at the end if app is configured
 	if data.SafeOutputs.GitHubApp != nil {
-		steps = append(steps, c.buildGitHubAppTokenInvalidationStep(fmt.Sprintf("needs.%s.outputs.safe_outputs_app_token", constants.ActivationJobName))...)
+		steps = append(steps, c.buildGitHubAppTokenInvalidationStep()...)
 	}
 
 	// Upload the safe output items manifest as an artifact (non-staged mode only).
@@ -369,8 +411,7 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa
 	// - create_pull_request or push_to_pull_request_branch (need the activation artifact)
 	// - lock-for-agent (need the activation lock)
 	// - workflow_call trigger (need needs.activation.outputs.target_repo for cross-repo token/dispatch)
-	// - safe-outputs github-app is configured (token was minted in activation job)
-	if usesPatchesAndCheckouts(data.SafeOutputs) || data.LockForAgent || hasWorkflowCallTrigger(data.On) || data.SafeOutputs.GitHubApp != nil {
+	if usesPatchesAndCheckouts(data.SafeOutputs) || data.LockForAgent || hasWorkflowCallTrigger(data.On) {
 		needs = append(needs, string(constants.ActivationJobName))
 	}
 	// Add unlock job dependency if lock-for-agent is enabled
 
@@ -423,16 +423,11 @@ func TestJobWithGitHubApp(t *testing.T) {
 
 	stepsContent := strings.Join(job.Steps, "")
 
-	// Token minting has moved to the activation job; the safe_outputs job should NOT
-	// contain "Generate GitHub App token" anymore.
-	assert.NotContains(t, stepsContent, "Generate GitHub App token", "Token minting step should be in activation job, not safe_outputs job")
+	// Should include app token minting step
+	assert.Contains(t, stepsContent, "Generate GitHub App token")
 
-	// The safe_outputs job should reference the activation output token
-	assert.Contains(t, stepsContent, "needs.activation.outputs.safe_outputs_app_token",
-		"Safe_outputs job should reference the token minted in the activation job")
-
-	// Should include app token invalidation step (using the activation output)
-	assert.Contains(t, stepsContent, "Invalidate GitHub App token", "Token invalidation step should still be present in safe_outputs job")
+	// Should include app token invalidation step
+	assert.Contains(t, stepsContent, "Invalidate GitHub App token")
 }
 
 // TestAssignToAgentWithGitHubAppUsesAgentToken tests that when github-app: is configured,
@@ -462,9 +457,8 @@ func TestAssignToAgentWithGitHubAppUsesAgentToken(t *testing.T) {
 
 	stepsContent := strings.Join(job.Steps, "")
 
-	// Token minting has moved to the activation job; the safe_outputs job should NOT
-	// contain "Generate GitHub App token" anymore.
-	assert.NotContains(t, stepsContent, "Generate GitHub App token", "Token minting step should be in activation job, not safe_outputs job")
+	// App token minting step should be present (github-app: is configured)
+	assert.Contains(t, stepsContent, "Generate GitHub App token", "App token minting step should be present")
 
 	// Find the assign_to_agent step section
 	assignToAgentStart := strings.Index(stepsContent, "id: assign_to_agent")
@@ -655,23 +649,27 @@ func TestGitHubAppWithPushToPRBranch(t *testing.T) {
 
 	stepsContent := strings.Join(job.Steps, "")
 
-	// Token minting has moved to the activation job; safe_outputs job should NOT contain it.
+	// Should include app token minting step exactly once
 	tokenMintCount := strings.Count(stepsContent, "Generate GitHub App token")
-	assert.Equal(t, 0, tokenMintCount, "App token minting step should be in activation job, not safe_outputs job (found %d times)", tokenMintCount)
+	assert.Equal(t, 1, tokenMintCount, "App token minting step should appear exactly once, found %d times", tokenMintCount)
 
-	// Should include app token invalidation step exactly once (invalidation stays in agent job)
+	// Should include app token invalidation step exactly once
 	tokenInvalidateCount := strings.Count(stepsContent, "Invalidate GitHub App token")
 	assert.Equal(t, 1, tokenInvalidateCount, "App token invalidation step should appear exactly once, found %d times", tokenInvalidateCount)
 
-	// Invalidation step should reference the token from activation outputs
-	assert.Contains(t, stepsContent, "needs.activation.outputs.safe_outputs_app_token",
-		"Invalidation step should reference the activation job's safe_outputs_app_token output")
+	// Token step should come before checkout step (checkout references the token)
+	tokenIndex := strings.Index(stepsContent, "Generate GitHub App token")
+	checkoutIndex := strings.Index(stepsContent, "Checkout repository")
+	assert.Less(t, tokenIndex, checkoutIndex, "Token minting step should come before checkout step")
+
+	// Verify step ID is set correctly
+	assert.Contains(t, stepsContent, "id: safe-outputs-app-token")
 }
 
 // TestJobWithGitHubAppWorkflowCallUsesTargetRepoNameFallback is a regression test verifying that
-// the activation job (which now mints the safe-outputs app token) uses
-// steps.resolve-host-repo.outputs.target_repo_name (repo name only, no owner prefix) as the
-// repositories fallback for the GitHub App token mint step, instead of the full target_repo slug.
+// a safe-output job compiled for a workflow_call trigger uses
+// needs.activation.outputs.target_repo_name (repo name only, no owner prefix) as the repositories
+// fallback for the GitHub App token mint step, instead of the full target_repo slug.
 // This prevents actions/create-github-app-token from receiving an invalid owner/repo slug
 // in the repositories field when owner is also set.
 func TestJobWithGitHubAppWorkflowCallUsesTargetRepoNameFallback(t *testing.T) {
@@ -693,25 +691,24 @@ func TestJobWithGitHubAppWorkflowCallUsesTargetRepoNameFallback(t *testing.T) {
 		},
 	}
 
-	// Token minting has moved to the activation job.
-	activationJob, err := compiler.buildActivationJob(workflowData, false, "", "test.lock.yml")
+	job, _, err := compiler.buildConsolidatedSafeOutputsJob(workflowData, string(constants.AgentJobName), "test.md")
 
-	require.NoError(t, err, "Should successfully build activation job")
-	require.NotNil(t, activationJob, "Activation job should not be nil")
+	require.NoError(t, err, "Should successfully build job")
+	require.NotNil(t, job, "Job should not be nil")
 
-	activationStepsContent := strings.Join(activationJob.Steps, "")
+	stepsContent := strings.Join(job.Steps, "")
 
-	// The activation job must use the step-level output (it runs the resolve-host-repo step itself),
-	// NOT the full slug from target_repo.
-	assert.Contains(t, activationStepsContent, "repositories: ${{ steps.resolve-host-repo.outputs.target_repo_name }}",
-		"Activation job GitHub App token step must use target_repo_name (repo name only) for workflow_call workflows")
-	assert.NotContains(t, activationStepsContent, "repositories: ${{ needs.activation.outputs.target_repo_name }}",
-		"Activation job GitHub App token step must not use needs.activation (it IS the activation job)")
+	// Must use the repo-name-only output, NOT the full slug
+	assert.Contains(t, stepsContent, "repositories: ${{ needs.activation.outputs.target_repo_name }}",
+		"GitHub App token step must use target_repo_name (repo name only) for workflow_call workflows")
+	assert.NotContains(t, stepsContent, "repositories: ${{ needs.activation.outputs.target_repo }}",
+		"GitHub App token step must not use target_repo (full slug) for workflow_call workflows")
 }
 
 // TestConclusionJobWithGitHubAppWorkflowCallUsesTargetRepoNameFallback is a regression test
-// verifying that the conclusion job no longer mints a token itself (token minting moved to
-// the activation job), and that the conclusion job references the activation output token.
+// verifying that the conclusion job compiled for a workflow_call trigger uses
+// needs.activation.outputs.target_repo_name (repo name only) as the repositories fallback
+// for the GitHub App token mint step.
 func TestConclusionJobWithGitHubAppWorkflowCallUsesTargetRepoNameFallback(t *testing.T) {
 	compiler := NewCompiler()
 	compiler.jobManager = NewJobManager()
@@ -737,12 +734,11 @@ func TestConclusionJobWithGitHubAppWorkflowCallUsesTargetRepoNameFallback(t *tes
 
 	stepsContent := strings.Join(job.Steps, "")
 
-	// Token minting moved to activation; conclusion job must NOT mint a token.
-	assert.NotContains(t, stepsContent, "actions/create-github-app-token",
-		"Conclusion job must not mint a GitHub App token (minting moved to activation job)")
-	// Conclusion job should still invalidate the token via the activation output.
-	assert.Contains(t, stepsContent, "needs.activation.outputs.safe_outputs_app_token",
-		"Conclusion job should reference the safe_outputs_app_token from the activation job")
+	// Must use the repo-name-only output, NOT the full slug
+	assert.Contains(t, stepsContent, "repositories: ${{ needs.activation.outputs.target_repo_name }}",
+		"Conclusion job GitHub App token step must use target_repo_name (repo name only) for workflow_call workflows")
+	assert.NotContains(t, stepsContent, "repositories: ${{ needs.activation.outputs.target_repo }}",
+		"Conclusion job GitHub App token step must not use target_repo (full slug) for workflow_call workflows")
 }
 
 // TestCallWorkflowOnly_UsesHandlerManagerStep asserts that a workflow configured with only
 
@@ -276,7 +276,7 @@ func (c *Compiler) buildHandlerManagerStep(data *WorkflowData) []string {
 
 		switch ciTriggerToken {
 		case "app":
-			steps = append(steps, "          GH_AW_CI_TRIGGER_TOKEN: ${{ needs.activation.outputs.safe_outputs_app_token || '' }}\n")
+			steps = append(steps, "          GH_AW_CI_TRIGGER_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token || '' }}\n")
 			consolidatedSafeOutputsStepsLog.Print("Extra empty commit using GitHub App token")
 		default:
 			// Use the magic GH_AW_CI_TRIGGER_TOKEN secret (default behavior when not explicitly configured)
 
@@ -194,7 +194,7 @@ func TestBuildSharedPRCheckoutSteps(t *testing.T) {
 				CreatePullRequests: &CreatePullRequestsConfig{},
 			},
 			checkContains: []string{
-				"token: ${{ needs.activation.outputs.safe_outputs_app_token }}",
+				"token: ${{ steps.safe-outputs-app-token.outputs.token }}",
 			},
 		},
 		{
 
@@ -95,9 +95,9 @@ func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, conf
 		safeOutputsToken = data.SafeOutputs.GitHubToken
 	}
 
-	// If app is configured, use app token minted in the activation job
+	// If app is configured, use app token
 	if data.SafeOutputs != nil && data.SafeOutputs.GitHubApp != nil {
-		*steps = append(*steps, "          token: ${{ needs.activation.outputs.safe_outputs_app_token }}\n")
+		*steps = append(*steps, "          token: ${{ steps.safe-outputs-app-token.outputs.token }}\n")
 		return
 	}
 
 
@@ -17,7 +17,7 @@ import (
 // TestCreatePullRequestCITriggerToken verifies the GH_AW_CI_TRIGGER_TOKEN env var
 // is correctly generated in the safe_outputs job for different configurations:
 // - unset/empty: uses secrets.GH_AW_CI_TRIGGER_TOKEN
-// - "app": uses needs.activation.outputs.safe_outputs_app_token
+// - "app": uses steps.safe-outputs-app-token.outputs.token
 // - explicit token: uses the specified token value
 func TestCreatePullRequestCITriggerToken(t *testing.T) {
 	tests := []struct {
@@ -35,7 +35,7 @@ func TestCreatePullRequestCITriggerToken(t *testing.T) {
 		{
 			name:             "app config uses app token step output",
 			tokenConfig:      "app",
-			expectedContains: "${{ needs.activation.outputs.safe_outputs_app_token || '' }}",
+			expectedContains: "${{ steps.safe-outputs-app-token.outputs.token || '' }}",
 			notExpected:      "secrets.GH_AW_CI_TRIGGER_TOKEN",
 		},
 		{
@@ -135,7 +135,7 @@ func TestPushToPullRequestBranchCITriggerToken(t *testing.T) {
 		{
 			name:             "app config uses app token step output",
 			tokenConfig:      "app",
-			expectedContains: "${{ needs.activation.outputs.safe_outputs_app_token || '' }}",
+			expectedContains: "${{ steps.safe-outputs-app-token.outputs.token || '' }}",
 		},
 		{
 			name:             "explicit token uses provided value",
Original file line number	Diff line number	Diff line change
`@@ -40,12 +40,12 @@ func (cm CheckoutManager) GenerateCheckoutAppTokenInvalidationSteps(c Compiler`
`40`	`40`	`continue`
`41`	`41`	`}`
`42`	`42`	`checkoutManagerLog.Printf("Generating app token invalidation step for checkout index=%d", i)`
	`43`	`+ rawSteps := c.buildGitHubAppTokenInvalidationStep()`
`43`	`44`	`stepID := fmt.Sprintf("checkout-app-token-%d", i)`
`44`		`- tokenExpr := fmt.Sprintf("steps.%s.outputs.token", stepID)`
`45`		`- rawSteps := c.buildGitHubAppTokenInvalidationStep(tokenExpr)`
`46`	`45`	`for _, step := range rawSteps {`
	`46`	`+ modified := strings.ReplaceAll(step, "steps.safe-outputs-app-token.outputs.token", "steps."+stepID+".outputs.token")`
`47`	`47`	`// Update step name to indicate it's for checkout`
`48`		`- modified := strings.ReplaceAll(step, "Invalidate GitHub App token", fmt.Sprintf("Invalidate checkout app token (%d)", i))`
	`48`	`+ modified = strings.ReplaceAll(modified, "Invalidate GitHub App token", fmt.Sprintf("Invalidate checkout app token (%d)", i))`
`49`	`49`	`steps = append(steps, modified)`
`50`	`50`	`}`
`51`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ func TestBuildSharedPRCheckoutSteps(t *testing.T) {`
`194`	`194`	`CreatePullRequests: &CreatePullRequestsConfig{},`
`195`	`195`	`},`
`196`	`196`	`checkContains: []string{`
`197`		`- "token: ${{ needs.activation.outputs.safe_outputs_app_token }}",`
	`197`	`+ "token: ${{ steps.safe-outputs-app-token.outputs.token }}",`
`198`	`198`	`},`
`199`	`199`	`},`
`200`	`200`	`{`
Original file line number	Diff line number	Diff line change
`@@ -95,9 +95,9 @@ func (c Compiler) addUploadSARIFToken(steps []string, data *WorkflowData, conf`
`95`	`95`	`safeOutputsToken = data.SafeOutputs.GitHubToken`
`96`	`96`	`}`
`97`	`97`
`98`		`- // If app is configured, use app token minted in the activation job`
	`98`	`+ // If app is configured, use app token`
`99`	`99`	`if data.SafeOutputs != nil && data.SafeOutputs.GitHubApp != nil {`
`100`		`- steps = append(steps, " token: ${{ needs.activation.outputs.safe_outputs_app_token }}\n")`
	`100`	`+ steps = append(steps, " token: ${{ steps.safe-outputs-app-token.outputs.token }}\n")`
`101`	`101`	`return`
`102`	`102`	`}`
`103`	`103`