BUG: 'GH_HOST' set with GITHUB_OUTPUT (not env or env-threaded), breaking Process Safe Outputs on GHES #23093

@grahame-white

Summary

In the safe-outputs agentic workflow, the Configure GH_HOST for enterprise compatibility step is sometimes compiled to write GH_HOST into $GITHUB_OUTPUT rather than $GITHUB_ENV. The value is unused downstream (not picked up via env threading or steps.ghes-host-config.outputs.GH_HOST), so subsequent jobs referencing the gh CLI (notably Process Safe Outputs) default to public github.com instead of the expected GitHub Enterprise host.

What failed

  • For steps on GHES, GH_HOST is expected to be available as an environment variable. Instead, it was written to $GITHUB_OUTPUT but not surfaced into step/job env, so was never seen by subsequent steps.

Why it failed

  • Compiler used an incorrect step template for Configure GH_HOST for enterprise compatibility, writing GH_HOST to $GITHUB_OUTPUT not $GITHUB_ENV.
  • Downstream jobs failed to thread env (env: GH_HOST: ${{ steps.ghes-host-config.outputs.GH_HOST }}) or lacked direct export.

Root cause

  • Regression in the build template or generator for this step around the v0.64.0 $GITHUB_ENV hardening changes. The canonical code in pkg/workflow/ghes_host_step.go is correct; this suggests the error results from an intermediate template or missed job regeneration (stale .lock.yml).

Supporting evidence / References

  • PR Review Copilot observation 2, 4, 6, 8, 10
  • gh-aw source: pkg/workflow/ghes_host_step.go, ghes_host_step_test.go (asserts only $GITHUB_ENV allowed)
  • Stale/incorrect output observed in generated .lock.yml in downstream repo

Proposed fix

  • Confirm all template and generator code for this step only writes to $GITHUB_ENV (never $GITHUB_OUTPUT).
  • Add compiler regression/integration tests for GHES env propagation, confirm subsequent steps have env: GH_HOST as required.
  • Document required env propagation explicitly for all steps that use the gh CLI under GHES.

Implementation plan

  1. Audit compiler generator and template code for all workflows that use the GHES host step.
  2. Fix any places writing GH_HOST into the wrong context or failing to propagate it properly.
  3. Add unit and .lock.yml output tests for GHES jobs to assert correct env presence.
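One way to express the .lock.yml output check from the implementation plan, as an added example that is not gh-aw's own code: a line scanner that flags any write of GH_HOST to $GITHUB_OUTPUT and records whether an env: entry threads that output back in. The sample workflow text, the host value, and the names AuditGHHost and Finding are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample modelled on the behaviour described in the issue;
// the host value and step layout are illustrative, not a real .lock.yml.
const sampleLock = `
jobs:
  safe_outputs:
    steps:
      - name: Configure GH_HOST for enterprise compatibility
        id: ghes-host-config
        run: |
          echo "GH_HOST=ghes.example.com" >> "$GITHUB_OUTPUT"
      - name: Process Safe Outputs
        run: gh issue list
`

var (
	// writeRe: a shell line appending GH_HOST=... to one of the runner files.
	writeRe = regexp.MustCompile(`GH_HOST=.*>>\s*"?\$\{?(GITHUB_ENV|GITHUB_OUTPUT)\}?"?`)
	// threadRe: an env: entry that consumes steps.<id>.outputs.GH_HOST.
	threadRe = regexp.MustCompile(`GH_HOST:\s*\$\{\{\s*steps\.[\w-]+\.outputs\.GH_HOST\s*\}\}`)
)

// Finding marks a line that writes GH_HOST to $GITHUB_OUTPUT.
type Finding struct {
	Line     int
	Threaded bool // true if some env: block threads the output back in
}

// AuditGHHost (hypothetical helper) scans compiled workflow text line by line.
func AuditGHHost(lock string) []Finding {
	threaded := threadRe.MatchString(lock)
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(lock))
	for n := 1; sc.Scan(); n++ {
		if m := writeRe.FindStringSubmatch(sc.Text()); m != nil && m[1] == "GITHUB_OUTPUT" {
			out = append(out, Finding{Line: n, Threaded: threaded})
		}
	}
	return out
}
func main() {
	for _, f := range AuditGHHost(sampleLock) {
		fmt.Printf("line %d: GH_HOST -> $GITHUB_OUTPUT (threaded into env: %v)\n", f.Line, f.Threaded)
	}
}
```

A finding with Threaded set to false is the failure mode reported here: the gh CLI in later steps never sees GH_HOST and falls back to github.com.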
