Summary
When a reusable workflow compiled by gh aw compile is invoked cross-org via workflow_call (caller in org-A, callee/platform repo in org-B, same enterprise), the activation job fails at multiple points. The compiled lock file cannot resolve the correct source repository, cannot check out the callee's files, and cannot verify the frontmatter hash.
This blocks all cross-org central-repo-ops patterns.
Environment
gh-aw CLI: v0.67.2gh-aw-actions/setup: v0.67.2 (3922978bff4d7cf117e185580ad108da5a0134d8)- Both organizations are in the same GitHub Enterprise Cloud account
- Callee repository visibility:
internal
Bug 1: resolve_host_repo.cjs resolves to the caller repo
Expected
The "Resolve host repo for activation checkout" step should resolve to the callee (platform) repository so the checkout fetches the correct .github/ and .agents/ content.
Actual
It resolves to the caller repository. The script relies on GITHUB_WORKFLOW_REF (line 38), but in a workflow_call invocation, GITHUB_WORKFLOW_REF points to the top-level caller's workflow — not the reusable workflow being executed.
The code comment on line 14 states:
"GITHUB_WORKFLOW_REF always reflects the currently executing workflow file"
This is incorrect for workflow_call. The GitHub Actions docs confirm that github.workflow_ref resolves to the caller's workflow ref in reusable workflow contexts.
Suggested Fix
Apply the same referenced_workflows API lookup that check_workflow_timestamp_api.cjs already uses (lines 118–157). When the env workflow ref doesn't match the current lock file, query GET /repos/{caller}/actions/runs/{run_id} and find the matching entry in referenced_workflows[] to determine the correct callee repo and ref.
The target_repo_name output is already designed for actions/create-github-app-token (per the comment on line 76–77), confirming that cross-org was anticipated — the resolution logic just wasn't updated.
Bug 2: Checkout step cannot access the callee repo cross-org
Expected
The "Checkout .github and .agents folders" step should successfully clone the callee's repository content.
Actual
The checkout step uses the default GITHUB_TOKEN (no explicit token: parameter). The GITHUB_TOKEN is a GitHub App installation token scoped to the caller's organization. It cannot access repositories in a different org, even if both orgs are in the same enterprise and the callee repo is internal. The checkout fails with:
remote: Repository not found.
Error: fatal: repository 'https://github.com/<callee-org>/<callee-repo>/' not found
Suggested Fix — Two Options
Option A: actions/create-github-app-token integration
When resolve_host_repo detects a cross-org invocation (targetRepo !== currentRepo and different org prefix), the compiled workflow should include a step that mints a short-lived installation token via actions/create-github-app-token. This would require:
- The user to install a GitHub App in both orgs (one-time admin setup)
- App ID and private key stored as secrets, passed via
workflow_call secrets
- The compiled workflow to call
actions/create-github-app-token with owner: and repositories: (using the existing target_repo_name output) to generate a cross-org token
- That token is passed to the checkout step and hash check step
This is the standard GitHub-recommended approach for cross-org access.
Option B: Pre-inline all runtime imports during compilation (optional frontmatter flag)
An alternative that requires zero extra token setup: add an optional frontmatter flag (e.g., inline-imports: true or self-contained: true) that causes gh aw compile to inline all {{#runtime-import ...}} content directly into the lock file at compile time, rather than leaving them as runtime directives.
With fully inlined content:
- The cross-org checkout of
.agents/ becomes unnecessary (no runtime imports to resolve)
- The checkout of
.github/workflows/ is only needed for the hash check, which could be made non-fatal or skipped for cross-org scenarios
- The lock file becomes entirely self-contained — no runtime file dependencies
This would be particularly helpful for teams using central-repo-ops patterns where the platform repo and caller repos are in different organizations. The trade-off is larger lock files, which is why making it opt-in via frontmatter seems ideal.
Option B would be particularly valuable for our use case — we maintain a central platform repo with reusable agentic workflows consumed by repos across multiple orgs in the same enterprise. Eliminating the cross-org checkout dependency would significantly simplify adoption.
Bug 3: check_workflow_timestamp_api.cjs requires actions: read but the compiler doesn't add it
The hash check step calls github.rest.actions.getWorkflowRun() via the referenced_workflows API lookup (line 124). This requires the actions: read permission on the GITHUB_TOKEN. However, the compiled activation job only declares contents: read in its permissions: block.
Since explicit permissions: restricts the token to only the listed scopes, actions: read is absent and the API call fails with:
Error: Resource not accessible by integration
Suggested Fix
The compiler should add actions: read to the activation job's permissions: whenever it emits the check_workflow_timestamp_api.cjs step.
Reproduction
- Create a reusable workflow in org-B using
gh aw compile
- Create a caller workflow in org-A (different org, same enterprise) that uses
workflow_call to invoke the reusable workflow
- Run the caller workflow
- Observe:
resolve_host_repo resolves to org-A's repo (wrong)- Checkout clones org-A's repo (no
.agents/ or .github/workflows/*.md present)
- Hash check fails (no files on disk, API fallback also fails)
Summary of Fixes Needed
| Component |
Issue |
Fix |
resolve_host_repo.cjs |
Uses GITHUB_WORKFLOW_REF which points to caller |
Add referenced_workflows API lookup (same as check_workflow_timestamp_api.cjs) |
| Checkout step (compiled) |
No cross-org token |
Option A: actions/create-github-app-token integration; Option B: inline-imports frontmatter flag to eliminate runtime checkout |
Compiler (permissions:) |
Missing actions: read |
Add actions: read when emitting hash check step |
Option B (pre-inline with frontmatter flag) would be particularly valuable for our use case and likely for other teams adopting central-repo-ops across org boundaries.
Summary
When a reusable workflow compiled by
gh aw compileis invoked cross-org viaworkflow_call(caller in org-A, callee/platform repo in org-B, same enterprise), the activation job fails at multiple points. The compiled lock file cannot resolve the correct source repository, cannot check out the callee's files, and cannot verify the frontmatter hash.This blocks all cross-org central-repo-ops patterns.
Environment
gh-awCLI: v0.67.2gh-aw-actions/setup: v0.67.2 (3922978bff4d7cf117e185580ad108da5a0134d8)internalBug 1:
resolve_host_repo.cjsresolves to the caller repoExpected
The "Resolve host repo for activation checkout" step should resolve to the callee (platform) repository so the checkout fetches the correct
.github/and.agents/content.Actual
It resolves to the caller repository. The script relies on
GITHUB_WORKFLOW_REF(line 38), but in aworkflow_callinvocation,GITHUB_WORKFLOW_REFpoints to the top-level caller's workflow — not the reusable workflow being executed.The code comment on line 14 states:
This is incorrect for
workflow_call. The GitHub Actions docs confirm thatgithub.workflow_refresolves to the caller's workflow ref in reusable workflow contexts.Suggested Fix
Apply the same
referenced_workflowsAPI lookup thatcheck_workflow_timestamp_api.cjsalready uses (lines 118–157). When the env workflow ref doesn't match the current lock file, queryGET /repos/{caller}/actions/runs/{run_id}and find the matching entry inreferenced_workflows[]to determine the correct callee repo and ref.The
target_repo_nameoutput is already designed foractions/create-github-app-token(per the comment on line 76–77), confirming that cross-org was anticipated — the resolution logic just wasn't updated.Bug 2: Checkout step cannot access the callee repo cross-org
Expected
The "Checkout .github and .agents folders" step should successfully clone the callee's repository content.
Actual
The checkout step uses the default
GITHUB_TOKEN(no explicittoken:parameter). TheGITHUB_TOKENis a GitHub App installation token scoped to the caller's organization. It cannot access repositories in a different org, even if both orgs are in the same enterprise and the callee repo isinternal. The checkout fails with:Suggested Fix — Two Options
Option A:
actions/create-github-app-tokenintegrationWhen
resolve_host_repodetects a cross-org invocation (targetRepo !== currentRepoand different org prefix), the compiled workflow should include a step that mints a short-lived installation token viaactions/create-github-app-token. This would require:workflow_callsecretsactions/create-github-app-tokenwithowner:andrepositories:(using the existingtarget_repo_nameoutput) to generate a cross-org tokenThis is the standard GitHub-recommended approach for cross-org access.
Option B: Pre-inline all runtime imports during compilation (optional frontmatter flag)
An alternative that requires zero extra token setup: add an optional frontmatter flag (e.g.,
inline-imports: trueorself-contained: true) that causesgh aw compileto inline all{{#runtime-import ...}}content directly into the lock file at compile time, rather than leaving them as runtime directives.With fully inlined content:
.agents/becomes unnecessary (no runtime imports to resolve).github/workflows/is only needed for the hash check, which could be made non-fatal or skipped for cross-org scenariosThis would be particularly helpful for teams using central-repo-ops patterns where the platform repo and caller repos are in different organizations. The trade-off is larger lock files, which is why making it opt-in via frontmatter seems ideal.
Option B would be particularly valuable for our use case — we maintain a central platform repo with reusable agentic workflows consumed by repos across multiple orgs in the same enterprise. Eliminating the cross-org checkout dependency would significantly simplify adoption.
Bug 3:
check_workflow_timestamp_api.cjsrequiresactions: readbut the compiler doesn't add itThe hash check step calls
github.rest.actions.getWorkflowRun()via thereferenced_workflowsAPI lookup (line 124). This requires theactions: readpermission on theGITHUB_TOKEN. However, the compiled activation job only declarescontents: readin itspermissions:block.Since explicit
permissions:restricts the token to only the listed scopes,actions: readis absent and the API call fails with:Suggested Fix
The compiler should add
actions: readto the activation job'spermissions:whenever it emits thecheck_workflow_timestamp_api.cjsstep.Reproduction
gh aw compileworkflow_callto invoke the reusable workflowresolve_host_reporesolves to org-A's repo (wrong).agents/or.github/workflows/*.mdpresent)Summary of Fixes Needed
resolve_host_repo.cjsGITHUB_WORKFLOW_REFwhich points to callerreferenced_workflowsAPI lookup (same ascheck_workflow_timestamp_api.cjs)actions/create-github-app-tokenintegration; Option B:inline-importsfrontmatter flag to eliminate runtime checkoutpermissions:)actions: readactions: readwhen emitting hash check stepOption B (pre-inline with frontmatter flag) would be particularly valuable for our use case and likely for other teams adopting central-repo-ops across org boundaries.