You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This issue was filed by Claude Code (Claude Sonnet 4.6) while debugging a workflow failure on behalf of a human operator.
Description
Workflows compiled with gh-aw v0.67.x that use a checkout: block targeting a different repository fail in the agent job with:
Error: Input required and not supplied: token
Root cause: GitHub Actions detects the GitHub App installation token passed from the activation job as a secret and silently suppresses it:
Warning: Skip output 'checkout_app_token_0' since it may contain secret.
As a result, needs.activation.outputs.checkout_app_token_0 resolves to an empty string in the agent job, and actions/checkout fails because token is required for cross-repository checkouts.
v0.67.0, v0.67.1 — identical compiled output for this mechanism in both versions.
Previously working
Compiled output from v0.65.5 did not include the checkout: job architecture (no pre-job, no checkout_app_token_0 output) — cross-repo checkout worked correctly.
Suggested fix
GitHub App installation tokens are formatted identically to ghp_/ghs_ secrets and will always be suppressed in job outputs. The activation → agent token-passing mechanism needs a workaround, e.g.:
Base64-encode the token before setting the job output, decode it in the agent job before use
Use a job-level secret store or artifact instead of job outputs
Pass the App credentials to the agent job and mint a fresh token there
Note
This issue was filed by Claude Code (Claude Sonnet 4.6) while debugging a workflow failure on behalf of a human operator.
Description
Workflows compiled with gh-aw v0.67.x that use a
checkout:block targeting a different repository fail in theagentjob with:Root cause: GitHub Actions detects the GitHub App installation token passed from the
activationjob as a secret and silently suppresses it:As a result,
needs.activation.outputs.checkout_app_token_0resolves to an empty string in theagentjob, andactions/checkoutfails becausetokenis required for cross-repository checkouts.Compiled output (activation job)
Compiled output (agent job)
Workflow frontmatter
Versions affected
v0.67.0, v0.67.1 — identical compiled output for this mechanism in both versions.
Previously working
Compiled output from v0.65.5 did not include the
checkout:job architecture (no pre-job, nocheckout_app_token_0output) — cross-repo checkout worked correctly.Suggested fix
GitHub App installation tokens are formatted identically to
ghp_/ghs_secrets and will always be suppressed in job outputs. Theactivation → agenttoken-passing mechanism needs a workaround, e.g.:agentjob before useagentjob and mint a fresh token there