environment: frontmatter field not propagated to safe_outputs job — breaks environment-level secrets
Describe the feature
When using the environment: frontmatter field, the compiler only applies it to the agent job in the compiled .lock.yml. The safe_outputs job does not receive the environment: field, which means any secrets scoped exclusively to GitHub deployment environments (e.g., dev, prod) are inaccessible in the safe_outputs job.
This is a problem when using GitHub App authentication via safe-outputs.app: with environment-level secrets, because the safe_outputs job generates the App token at runtime:
```yaml
# In the compiled .lock.yml — safe_outputs job (NO environment: field)
- name: Generate GitHub App token
  id: safe-outputs-app-token
  uses: actions/create-github-app-token@v3
  with:
    app-id: ${{ secrets.WORKFLOW_APP_ID }}                # ← empty, no environment context
    private-key: ${{ secrets.WORKFLOW_APP_PRIVATE_KEY }}  # ← empty, no environment context
```
Expected behavior
The environment: frontmatter field should be propagated to all compiler-generated jobs that reference secrets, including safe_outputs, activation, conclusion, and any other jobs that use safe-outputs.app: or safe-outputs.github-token:.
For example, if the frontmatter is:
```yaml
environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}
```
Then the compiled safe_outputs job should include:
```yaml
safe_outputs:
  needs: [activation, agent]
  runs-on: ubuntu-slim
  environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}  # ← missing today
  # ...
```
Reproduction
- Create a workflow with `environment:` in frontmatter and `safe-outputs.app:` referencing environment-level secrets
- Compile with `gh aw compile`
- Inspect the `.lock.yml` — only the `agent` job has the `environment:` field
- The `safe_outputs` job references the same secrets but has no `environment:` context
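A quick way to catch this in CI before the token step silently receives empty strings is to lint the compiled `.lock.yml` for jobs that reference `secrets.*` but carry no `environment:` key. The script below is an added example written for this issue, not code from gh-aw; it uses a small line-based parser (so it needs no YAML library and is not confused by `${{ }}` expressions), ignores `secrets.GITHUB_TOKEN` because that one is never environment-scoped, and also shows the propagation the compiler is expected to do: copying the `agent` job's `environment:` value into every flagged job. The embedded `SAMPLE_LOCK_YML` is constructed to mirror the compiled output described above.

```python
"""Lint a compiled gh-aw .lock.yml for jobs that use secrets without an
environment: field (constructed example, not part of gh-aw)."""
import re
from typing import Dict, List, Optional, Tuple

SECRET_REF = re.compile(r"secrets\.[A-Za-z0-9_]+")
# GITHUB_TOKEN is always available; only other secrets can be environment-scoped.
ALWAYS_AVAILABLE = {"secrets.GITHUB_TOKEN"}

# Constructed sample: agent has environment:, safe_outputs does not.
SAMPLE_LOCK_YML = """name: example
on: push
jobs:
  activation:
    runs-on: ubuntu-slim
    steps:
      - run: echo start
  agent:
    needs: [activation]
    runs-on: ubuntu-latest
    environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}
    steps:
      - uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.WORKFLOW_APP_ID }}
          private-key: ${{ secrets.WORKFLOW_APP_PRIVATE_KEY }}
  safe_outputs:
    needs: [activation, agent]
    runs-on: ubuntu-slim
    steps:
      - name: Generate GitHub App token
        id: safe-outputs-app-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.WORKFLOW_APP_ID }}
          private-key: ${{ secrets.WORKFLOW_APP_PRIVATE_KEY }}
      - run: echo ${{ secrets.GITHUB_TOKEN }}
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def split_jobs(lock_yml: str) -> Dict[str, List[str]]:
    """Return {job_name: [body lines]} for the top-level jobs: block.
    Line-based on purpose: top-level keys sit at indent 0, job names at indent 2."""
    jobs: Dict[str, List[str]] = {}
    in_jobs, current = False, None
    for line in lock_yml.splitlines():
        stripped = line.rstrip()
        if not stripped.strip() or stripped.lstrip().startswith("#"):
            continue
        if _indent(line) == 0:
            in_jobs, current = (stripped == "jobs:"), None
        elif in_jobs and _indent(line) == 2 and stripped.endswith(":"):
            current = stripped[:-1].strip()
            jobs[current] = []
        elif in_jobs and current is not None:
            jobs[current].append(line)
    return jobs


def job_environment(lines: List[str]) -> Optional[str]:
    """Value of the job-level environment: key, '<mapping>' for the name:/url: form, else None."""
    for line in lines:
        m = re.match(r"^    environment:\s*(.*)$", line)
        if m:
            return m.group(1).strip() or "<mapping>"
    return None


def job_secret_refs(lines: List[str]) -> List[str]:
    refs = {m.group(0) for line in lines for m in SECRET_REF.finditer(line)}
    return sorted(refs - ALWAYS_AVAILABLE)


def find_missing_environment(lock_yml: str) -> Tuple[Optional[str], List[Tuple[str, List[str]]]]:
    """Return (agent job's environment value, [(job, secrets it references)] for jobs lacking one)."""
    jobs = split_jobs(lock_yml)
    agent_env = job_environment(jobs.get("agent", []))
    findings = [(name, job_secret_refs(lines)) for name, lines in jobs.items()
                if job_secret_refs(lines) and job_environment(lines) is None]
    return agent_env, findings


def propagate_environment(lock_yml: str) -> str:
    """Insert the agent job's environment: line into each flagged job (the expected compiler behaviour)."""
    agent_env, findings = find_missing_environment(lock_yml)
    if agent_env is None:
        return lock_yml
    targets = {name for name, _ in findings}
    out, in_jobs = [], False
    for line in lock_yml.splitlines():
        out.append(line)
        stripped = line.rstrip()
        if _indent(line) == 0 and stripped and not stripped.startswith("#"):
            in_jobs = stripped == "jobs:"
        elif in_jobs and _indent(line) == 2 and stripped.endswith(":") and stripped[:-1].strip() in targets:
            out.append(f"    environment: {agent_env}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    env, found = find_missing_environment(SAMPLE_LOCK_YML)
    for job, refs in found:
        print(f"{job}: uses {', '.join(refs)} but has no environment: (agent uses {env})")
```

Run against a real compiled file by replacing `SAMPLE_LOCK_YML` with the file contents; a non-empty findings list is exactly the condition under which the App token step would receive empty `app-id`/`private-key` values.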
Workaround
Store the GitHub App credentials (WORKFLOW_APP_ID, WORKFLOW_APP_PRIVATE_KEY) as repository-level secrets instead of environment-level secrets so they are accessible from all jobs regardless of environment: context.
Context
- gh-aw version: v0.51.5 (also verified in v0.57.1 docs — no fix present)
- Use case: CentralRepoOps pattern with environment-based dev/prod secret isolation
- Impact: Any workflow using `environment:` with exclusively environment-scoped secrets will have its safe outputs silently fail (App token generation returns empty strings)