Fix checkout frontmatter: emit token (not github-token) for actions/checkout
Bug summary
When checkout frontmatter includes a custom github-token, the compiler emits an actions/checkout step with a github-token input. The actions/checkout action expects the input name token, so custom tokens do not work and checkout can fail or use the wrong credentials.
Analysis
Root cause: In pkg/workflow/checkout_manager.go, the YAML for the actions/checkout step is built with the literal key github-token in two places:
- Line 234 in
GenerateDefaultCheckoutStep: when applying user overrides (non–trial mode), it emits fmt.Fprintf(&sb, " github-token: %s\n", override.token).
- Line 277 in
generateCheckoutStepLines: for additional checkout steps it emits fmt.Fprintf(&sb, " github-token: %s\n", entry.token).
The actions/checkout action only accepts the input token. The same file already uses token correctly for trial mode at line 222: fmt.Fprintf(&sb, " token: %s\n", effectiveToken). The fix is to emit token (not github-token) wherever the token is passed to actions/checkout. The frontmatter key can remain github-token (user-facing); only the emitted YAML key for the action input must be token.
Implementation plan
Please implement the following so an agent can execute it step by step.
1. Fix YAML emission in pkg/workflow/checkout_manager.go
-
In GenerateDefaultCheckoutStep (around line 233–235): when override.token != "", emit the input as token, not github-token.
Change:
fmt.Fprintf(&sb, " github-token: %s\n", override.token)
to:
fmt.Fprintf(&sb, " token: %s\n", override.token).
-
In generateCheckoutStepLines (around line 276–278): when entry.token != "", emit the input as token, not github-token.
Change:
fmt.Fprintf(&sb, " github-token: %s\n", entry.token)
to:
fmt.Fprintf(&sb, " token: %s\n", entry.token).
No other changes in this file are required: struct fields and parsing can keep the name GitHubToken / github-token for frontmatter/schema; only the generated action input name must be token.
2. Update tests that assert on github-token in checkout steps
-
pkg/workflow/checkout_manager_test.go
- Replace assertions that expect
github-token: in the generated checkout step YAML with expectations of token: (same value, different key).
- Example (around line 127): change the expected string from
"github-token: ${{ secrets.MY_TOKEN }}" to "token: ${{ secrets.MY_TOKEN }}" (and similar cases in that file).
-
pkg/workflow/checkout_optimization_test.go
- It already expects
token: ${{ secrets.CUSTOM_TOKEN }} (line 94). Ensure no remaining expectations use github-token for the checkout step; if any do, update them to token.
-
pkg/workflow/trial_mode_test.go
- Tests that look for “github-token in checkout step” (e.g. around lines 77–88, 136–208, 321–324) should be updated to look for
token in the checkout step’s with: block (since the correct input name is token). Adjust comments and assertions accordingly.
-
pkg/workflow/pr_checkout_test.go
- Around lines 406–408 the test expects
github-token in the “Checkout PR branch” step. That step uses actions/github-script, not actions/checkout. The actions/github-script action uses the input github-token. So leave this test unchanged; only the actions/checkout steps should use token.
3. Optional: add a regression test
- In
pkg/workflow/checkout_manager_test.go (or a dedicated test), add a case that:
- Builds a checkout config with a custom token (e.g.
GitHubToken: "${{ secrets.MY_TOKEN }}").
- Calls
GenerateDefaultCheckoutStep or the helper that produces the additional checkout steps.
- Asserts that the generated YAML contains
token: ${{ secrets.MY_TOKEN }} and does not contain github-token: in the same step (to avoid regressing to the wrong input name).
4. Documentation
- In
pkg/workflow/checkout_manager.go, the comment around lines 19–21 shows an example with github-token: in the YAML. Update that example so it shows the emitted format: use token: in the example of the generated step (or add a short note that the frontmatter key github-token is emitted as the token input for actions/checkout).
- If
docs/ or pkg/parser/schemas document the checkout step output format, ensure they state that the compiler emits token for the token input of actions/checkout (and that frontmatter still uses github-token).
5. Follow project guidelines
- Use console formatting from
pkg/console for any new CLI output.
- Run
make agent-finish (or at least make build, make test, make recompile, make fmt, make lint) before considering the change done.
- Error messages (if any) should follow the project style: [what’s wrong]. [what’s expected]. [example].
Verification
After the change:
- A workflow with frontmatter like:
checkout:
- repository: my-repo
path: my-repo
ref: dev
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}
should compile to an actions/checkout step whose with: block includes token: ${{ secrets.GH_AW_GITHUB_TOKEN }}, and must not include github-token: for that step.
Fix checkout frontmatter: emit
token(notgithub-token) for actions/checkoutBug summary
When
checkoutfrontmatter includes a customgithub-token, the compiler emits anactions/checkoutstep with agithub-tokeninput. The actions/checkout action expects the input nametoken, so custom tokens do not work and checkout can fail or use the wrong credentials.Analysis
Root cause: In
pkg/workflow/checkout_manager.go, the YAML for theactions/checkoutstep is built with the literal keygithub-tokenin two places:GenerateDefaultCheckoutStep: when applying user overrides (non–trial mode), it emitsfmt.Fprintf(&sb, " github-token: %s\n", override.token).generateCheckoutStepLines: for additional checkout steps it emitsfmt.Fprintf(&sb, " github-token: %s\n", entry.token).The actions/checkout action only accepts the input
token. The same file already usestokencorrectly for trial mode at line 222:fmt.Fprintf(&sb, " token: %s\n", effectiveToken). The fix is to emittoken(notgithub-token) wherever the token is passed toactions/checkout. The frontmatter key can remaingithub-token(user-facing); only the emitted YAML key for the action input must betoken.Implementation plan
Please implement the following so an agent can execute it step by step.
1. Fix YAML emission in
pkg/workflow/checkout_manager.goIn
GenerateDefaultCheckoutStep(around line 233–235): whenoverride.token != "", emit the input astoken, notgithub-token.Change:
fmt.Fprintf(&sb, " github-token: %s\n", override.token)to:
fmt.Fprintf(&sb, " token: %s\n", override.token).In
generateCheckoutStepLines(around line 276–278): whenentry.token != "", emit the input astoken, notgithub-token.Change:
fmt.Fprintf(&sb, " github-token: %s\n", entry.token)to:
fmt.Fprintf(&sb, " token: %s\n", entry.token).No other changes in this file are required: struct fields and parsing can keep the name
GitHubToken/github-tokenfor frontmatter/schema; only the generated action input name must betoken.2. Update tests that assert on
github-tokenin checkout stepspkg/workflow/checkout_manager_test.gogithub-token:in the generated checkout step YAML with expectations oftoken:(same value, different key)."github-token: ${{ secrets.MY_TOKEN }}"to"token: ${{ secrets.MY_TOKEN }}"(and similar cases in that file).pkg/workflow/checkout_optimization_test.gotoken: ${{ secrets.CUSTOM_TOKEN }}(line 94). Ensure no remaining expectations usegithub-tokenfor the checkout step; if any do, update them totoken.pkg/workflow/trial_mode_test.gotokenin the checkout step’swith:block (since the correct input name istoken). Adjust comments and assertions accordingly.pkg/workflow/pr_checkout_test.gogithub-tokenin the “Checkout PR branch” step. That step usesactions/github-script, notactions/checkout. The actions/github-script action uses the inputgithub-token. So leave this test unchanged; only theactions/checkoutsteps should usetoken.3. Optional: add a regression test
pkg/workflow/checkout_manager_test.go(or a dedicated test), add a case that:GitHubToken: "${{ secrets.MY_TOKEN }}").GenerateDefaultCheckoutStepor the helper that produces the additional checkout steps.token: ${{ secrets.MY_TOKEN }}and does not containgithub-token:in the same step (to avoid regressing to the wrong input name).4. Documentation
pkg/workflow/checkout_manager.go, the comment around lines 19–21 shows an example withgithub-token:in the YAML. Update that example so it shows the emitted format: usetoken:in the example of the generated step (or add a short note that the frontmatter keygithub-tokenis emitted as thetokeninput foractions/checkout).docs/orpkg/parser/schemasdocument the checkout step output format, ensure they state that the compiler emitstokenfor the token input ofactions/checkout(and that frontmatter still usesgithub-token).5. Follow project guidelines
pkg/consolefor any new CLI output.make agent-finish(or at leastmake build,make test,make recompile,make fmt,make lint) before considering the change done.Verification
After the change:
checkout:
path: my-repo
ref: dev
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}
should compile to an actions/checkout step whose with: block includes token: ${{ secrets.GH_AW_GITHUB_TOKEN }}, and must not include github-token: for that step.