fix: support github-app checkout token minting in upload job and fix tests

Copilot · pelikhan · web-flow · commit e64db0e90f26 · 2026-04-03T19:57:52.000Z
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8a1bd4b1-943a-420a-95a3-69ef317b4ef5 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
diff --git a/pkg/workflow/compiler_safe_outputs_job_test.go b/pkg/workflow/compiler_safe_outputs_job_test.go
@@ -774,25 +774,30 @@ func TestCallWorkflowOnly_UsesHandlerManagerStep(t *testing.T) {
 // TestCreateCodeScanningAlertUploadJob verifies that when create-code-scanning-alert is configured,
 // a dedicated upload_code_scanning_sarif job is created (separate from safe_outputs) and that
 // the safe_outputs job:
-//   - exports sarif_file and checkout_token outputs for the upload job
+//   - exports sarif_file output for the upload job
 //   - uploads the SARIF file as a GitHub Actions artifact so the upload job
 //     (which runs in a fresh workspace) can download it
+//
+// Token handling: the upload job computes tokens directly (static PAT or minted GitHub App token)
+// rather than reading from safe_outputs job outputs, because GitHub Actions masks secret references
+// in job outputs — "Skip output 'x' since it may contain secret".
 func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 	tests := []struct {
 		name                   string
 		config                 *CreateCodeScanningAlertsConfig
+		checkoutConfigs        []*CheckoutConfig
 		expectUploadJob        bool
-		expectCustomToken      string
-		expectTokenFromOutputs bool // expect needs.safe_outputs.outputs.checkout_token
+		expectTokenInSteps     string // expected token expression in upload job steps
+		expectAppTokenMintStep bool   // expect a GitHub App token minting step in upload job
 		safeOutputsGitHubToken string
 	}{
 		{
-			name: "default config creates separate upload job using checkout_token from outputs",
+			name: "default config creates separate upload job with static token computed directly",
 			config: &CreateCodeScanningAlertsConfig{
 				BaseSafeOutputConfig: BaseSafeOutputConfig{},
 			},
-			expectUploadJob:        true,
-			expectTokenFromOutputs: true,
+			expectUploadJob:    true,
+			expectTokenInSteps: "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
 		},
 		{
 			name: "custom per-config github-token is used in upload step token",
@@ -801,20 +806,48 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 					GitHubToken: "${{ secrets.GHAS_TOKEN }}",
 				},
 			},
-			expectUploadJob:        true,
-			expectCustomToken:      "${{ secrets.GHAS_TOKEN }}",
-			expectTokenFromOutputs: true,
+			expectUploadJob:    true,
+			expectTokenInSteps: "${{ secrets.GHAS_TOKEN }}",
 		},
 		{
 			name: "safe-outputs-level github-token is used in upload step token",
 			config: &CreateCodeScanningAlertsConfig{
 				BaseSafeOutputConfig: BaseSafeOutputConfig{},
 			},
 			expectUploadJob:        true,
-			expectCustomToken:      "${{ secrets.SO_TOKEN }}",
-			expectTokenFromOutputs: true,
+			expectTokenInSteps:     "${{ secrets.SO_TOKEN }}",
 			safeOutputsGitHubToken: "${{ secrets.SO_TOKEN }}",
 		},
+		{
+			name: "checkout with github-app mints a fresh app token in the upload job",
+			config: &CreateCodeScanningAlertsConfig{
+				BaseSafeOutputConfig: BaseSafeOutputConfig{},
+			},
+			checkoutConfigs: []*CheckoutConfig{
+				{
+					GitHubApp: &GitHubAppConfig{
+						AppID:      "${{ vars.APP_ID }}",
+						PrivateKey: "${{ secrets.APP_PRIVATE_KEY }}",
+					},
+				},
+			},
+			expectUploadJob:        true,
+			expectTokenInSteps:     "${{ steps.checkout-restore-app-token.outputs.token }}",
+			expectAppTokenMintStep: true,
+		},
+		{
+			name: "checkout with github-token PAT uses that PAT directly in upload job",
+			config: &CreateCodeScanningAlertsConfig{
+				BaseSafeOutputConfig: BaseSafeOutputConfig{},
+			},
+			checkoutConfigs: []*CheckoutConfig{
+				{
+					GitHubToken: "${{ secrets.MY_CHECKOUT_PAT }}",
+				},
+			},
+			expectUploadJob:    true,
+			expectTokenInSteps: "${{ secrets.MY_CHECKOUT_PAT }}",
+		},
 		{
 			name: "staged mode does not create upload job",
 			config: &CreateCodeScanningAlertsConfig{
@@ -837,9 +870,10 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 					CreateCodeScanningAlerts: tt.config,
 					GitHubToken:              tt.safeOutputsGitHubToken,
 				},
+				CheckoutConfigs: tt.checkoutConfigs,
 			}
 
-			// 1. Verify safe_outputs job exports sarif_file and checkout_token, and uploads artifact
+			// 1. Verify safe_outputs job exports sarif_file and uploads the artifact
 			safeOutputsJob, _, err := compiler.buildConsolidatedSafeOutputsJob(workflowData, string(constants.AgentJobName), "test-workflow.md")
 			require.NoError(t, err, "safe_outputs job should build without error")
 			require.NotNil(t, safeOutputsJob, "safe_outputs job should be generated")
@@ -853,9 +887,10 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 				assert.Contains(t, safeOutputsJob.Outputs["sarif_file"], "steps.process_safe_outputs.outputs.sarif_file",
 					"sarif_file output must reference process_safe_outputs step")
 
-				// safe_outputs must export checkout_token for the upload job to use
-				assert.Contains(t, safeOutputsJob.Outputs, "checkout_token",
-					"safe_outputs job must export checkout_token output for the upload job")
+				// safe_outputs must NOT export checkout_token — GitHub Actions masks secret
+				// references in job outputs, making them arrive empty in downstream jobs.
+				assert.NotContains(t, safeOutputsJob.Outputs, "checkout_token",
+					"safe_outputs job must NOT export checkout_token (secret refs are masked in job outputs)")
 
 				// safe_outputs must upload the SARIF file as an artifact so the upload job
 				// (running in a fresh workspace) can download it
@@ -888,6 +923,11 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 
 				uploadSteps := strings.Join(uploadJob.Steps, "")
 
+				// The upload job must NOT use needs.safe_outputs.outputs.checkout_token — it
+				// would arrive empty because GitHub Actions masks secret refs in job outputs.
+				assert.NotContains(t, uploadSteps, "needs.safe_outputs.outputs.checkout_token",
+					"Upload job must NOT read checkout_token from safe_outputs outputs (would be masked)")
+
 				// Restore checkout step must be present in the upload job
 				assert.Contains(t, uploadSteps, "Restore checkout to triggering commit",
 					"Upload job must restore workspace to triggering commit")
@@ -898,9 +938,17 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 				assert.NotContains(t, uploadSteps, "git checkout ${{ github.sha }}",
 					"Must use actions/checkout, not a raw git command")
 
-				// The restore checkout step must always use the checkout_token from safe_outputs outputs
-				assert.Contains(t, uploadSteps, "needs.safe_outputs.outputs.checkout_token",
-					"Restore checkout step must use checkout_token from safe_outputs outputs")
+				if tt.expectAppTokenMintStep {
+					// GitHub App checkout: a token minting step must appear before the restore checkout
+					assert.Contains(t, uploadSteps, "checkout-restore-app-token",
+						"Upload job must mint a GitHub App token before restoring checkout")
+					mintPos := strings.Index(uploadSteps, "checkout-restore-app-token")
+					restoreCheckoutPos := strings.Index(uploadSteps, "Restore checkout to triggering commit")
+					require.NotEqual(t, -1, mintPos, "App token minting step must be present in upload job steps")
+					require.NotEqual(t, -1, restoreCheckoutPos, "Restore checkout step must be present in upload job steps")
+					assert.Less(t, mintPos, restoreCheckoutPos,
+						"App token minting step must appear before the restore checkout step")
+				}
 
 				// Download SARIF artifact step must be present in the upload job
 				assert.Contains(t, uploadSteps, "Download SARIF artifact",
@@ -946,16 +994,13 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 				assert.Less(t, downloadPos, uploadPos,
 					"SARIF download must appear before SARIF upload in the job steps")
 
-				if tt.expectCustomToken != "" {
-					assert.Contains(t, uploadSteps, tt.expectCustomToken,
-						"Upload SARIF token must use the per-config or safe-outputs github-token")
-				}
-				if tt.expectTokenFromOutputs {
-					assert.Contains(t, uploadSteps, "needs.safe_outputs.outputs.checkout_token",
-						"Upload job should use checkout_token from safe_outputs outputs")
+				// Verify the expected token expression appears in the upload job steps
+				if tt.expectTokenInSteps != "" {
+					assert.Contains(t, uploadSteps, tt.expectTokenInSteps,
+						"Upload job must use the expected token in its steps")
 				}
 			} else {
-				// staged: safe_outputs should NOT export sarif_file or checkout_token
+				// staged: safe_outputs should NOT export sarif_file
 				assert.NotContains(t, safeOutputsJob.Outputs, "sarif_file",
 					"staged mode: safe_outputs must not export sarif_file")
 				assert.NotContains(t, safeOutputsJob.Outputs, "checkout_token",
diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go
@@ -3,6 +3,7 @@ package workflow
 import (
 	"fmt"
 	"path"
+	"strings"
 
 	"github.com/github/gh-aw/pkg/constants"
 	"github.com/github/gh-aw/pkg/logger"
@@ -79,22 +80,41 @@ func (c *Compiler) parseCodeScanningAlertsConfig(outputMap map[string]any) *Crea
 func (c *Compiler) buildCodeScanningUploadJob(data *WorkflowData) (*Job, error) {
 	createCodeScanningAlertLog.Print("Building upload_code_scanning_sarif job")
 
-	// Compute the restore token directly in this job rather than reading it from the
-	// safe_outputs job's outputs. GitHub Actions masks job outputs that contain secret
-	// references (e.g. "${{ secrets.GITHUB_TOKEN }}"), so passing the token through
-	// safe_outputs.outputs.checkout_token would result in an empty string here.
-	// Since computeStaticCheckoutToken returns a plain static secret-reference expression
-	// (e.g. "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}") it is safe to
-	// evaluate directly in any job, including this one.
+	// Compute the effective token for checkout/upload in this job.
+	// We cannot pass tokens through job outputs (GitHub Actions masks secret references).
+	// We must either compute the static token directly or mint a fresh GitHub App token.
 	checkoutMgr := NewCheckoutManager(data.CheckoutConfigs)
-	restoreToken := computeStaticCheckoutToken(data.SafeOutputs, checkoutMgr)
+
+	var restoreToken string
+	var tokenMintSteps []string
+
+	// Check if the default checkout uses GitHub App auth. If so, mint a fresh token
+	// in this job — activation/safe_outputs app tokens have expired by this point.
+	defaultOverride := checkoutMgr.GetDefaultCheckoutOverride()
+	if defaultOverride != nil && defaultOverride.githubApp != nil {
+		permissions := NewPermissionsContentsReadSecurityEventsWrite()
+		for _, step := range c.buildGitHubAppTokenMintStep(defaultOverride.githubApp, permissions, "") {
+			tokenMintSteps = append(tokenMintSteps,
+				strings.ReplaceAll(step, "id: safe-outputs-app-token", "id: checkout-restore-app-token"))
+		}
+		//nolint:gosec // G101: False positive - this is a GitHub Actions expression template, not a hardcoded credential
+		restoreToken = "${{ steps.checkout-restore-app-token.outputs.token }}"
+	} else {
+		// No GitHub App configured for checkout — compute a static secret reference
+		// directly. This is safe because secret references are evaluated in the job's own
+		// context (not through job outputs which would be masked by GitHub Actions).
+		restoreToken = computeStaticCheckoutToken(data.SafeOutputs, checkoutMgr)
+	}
 
 	// Artifact prefix for workflow_call context (so the download name matches the upload name).
 	agentArtifactPrefix := artifactPrefixExprForDownstreamJob(data)
 
 	var steps []string
 
-	// Step 1: Restore workspace to the triggering commit.
+	// Prepend any token minting steps (needed when checkout uses GitHub App auth).
+	steps = append(steps, tokenMintSteps...)
+
+	// Step: Restore workspace to the triggering commit.
 	// The safe_outputs job may have checked out a different branch (e.g., the base branch for
 	// a PR) which would leave HEAD pointing at a different commit. The SARIF upload action
 	// requires HEAD to match the commit being scanned, otherwise it fails with "commit not found".
@@ -106,7 +126,7 @@ func (c *Compiler) buildCodeScanningUploadJob(data *WorkflowData) (*Job, error)
 	steps = append(steps, "          persist-credentials: false\n")
 	steps = append(steps, "          fetch-depth: 1\n")
 
-	// Step 2: Download the SARIF artifact produced by safe_outputs.
+	// Step: Download the SARIF artifact produced by safe_outputs.
 	// The SARIF file was written to the safe_outputs job workspace and uploaded as an artifact.
 	// This job runs in a fresh workspace so we must download the artifact before uploading
 	// to GitHub Code Scanning.
@@ -120,13 +140,14 @@ func (c *Compiler) buildCodeScanningUploadJob(data *WorkflowData) (*Job, error)
 	// The local SARIF file path after the artifact download completes.
 	localSarifPath := path.Join(constants.SarifArtifactDownloadPath, constants.SarifFileName)
 
-	// Step 3: Upload SARIF file to GitHub Code Scanning.
+	// Step: Upload SARIF file to GitHub Code Scanning.
 	steps = append(steps, "      - name: Upload SARIF to GitHub Code Scanning\n")
 	steps = append(steps, fmt.Sprintf("        id: %s\n", constants.UploadCodeScanningJobName))
 	steps = append(steps, fmt.Sprintf("        uses: %s\n", GetActionPin("github/codeql-action/upload-sarif")))
 	steps = append(steps, "        with:\n")
 	// NOTE: github/codeql-action/upload-sarif uses 'token' as the input name, not 'github-token'
-	c.addUploadSARIFToken(&steps, data, data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken)
+	// Pass restoreToken as the fallback so GitHub App-minted tokens flow through consistently.
+	c.addUploadSARIFToken(&steps, data, data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken, restoreToken)
 	// sarif_file now references the locally-downloaded artifact, not the path from safe_outputs
 	steps = append(steps, fmt.Sprintf("          sarif_file: %s\n", localSarifPath))
 	// ref and sha pin the upload to the exact triggering commit regardless of local git state
@@ -158,9 +179,14 @@ func (c *Compiler) buildCodeScanningUploadJob(data *WorkflowData) (*Job, error)
 // addUploadSARIFToken adds the 'token' input for github/codeql-action/upload-sarif.
 // This action uses 'token' as the input name (not 'github-token' like other GitHub Actions).
 // This runs inside the upload_code_scanning_sarif job (a separate job from safe_outputs), so
-// the token must be computed directly in this job from static secret references.
-// Uses precedence: config token > safe-outputs global github-token > default fallback
-func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, configToken string) {
+// the token must be computed directly in this job from static secret references or a freshly
+// minted GitHub App token.
+//
+// Token precedence:
+//  1. Per-config github-token (configToken)
+//  2. Safe-outputs level github-token
+//  3. fallbackToken (either computeStaticCheckoutToken result or a minted app token)
+func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, configToken string, fallbackToken string) {
 	var safeOutputsToken string
 	if data.SafeOutputs != nil {
 		safeOutputsToken = data.SafeOutputs.GitHubToken
@@ -185,12 +211,9 @@ func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, conf
 		return
 	}
 
-	// No per-config or safe-outputs token — compute the static checkout token directly.
-	// This is the same logic as computeStaticCheckoutToken, which returns a plain static
-	// secret-reference expression. We cannot pass it through job outputs because GitHub Actions
-	// masks output values that contain secret references.
-	checkoutMgr := NewCheckoutManager(data.CheckoutConfigs)
-	defaultToken := computeStaticCheckoutToken(data.SafeOutputs, checkoutMgr)
-	createCodeScanningAlertLog.Printf("Using computed static checkout token for SARIF upload token")
-	*steps = append(*steps, fmt.Sprintf("          token: %s\n", defaultToken))
+	// No per-config or safe-outputs token — use the fallback token (static secret reference
+	// or minted GitHub App token) computed by the caller. This avoids the GitHub Actions
+	// behaviour of masking secret references when they are passed through job outputs.
+	createCodeScanningAlertLog.Printf("Using fallback token for SARIF upload token")
+	*steps = append(*steps, fmt.Sprintf("          token: %s\n", fallbackToken))
 }
