fix: mint GitHub MCP App token in agent job, not activation job #24585

Merged
pelikhan merged 2 commits into main from copilot/fix-github-mcp-app-token-activation-output
Apr 4, 2026

Copilot AI commented Apr 4, 2026

actions/create-github-app-token unconditionally masks its output token. GitHub Actions runner v2.308+ silently drops masked values from job outputs, so github_mcp_app_token was always empty in the agent job — the GitHub MCP server ran unauthenticated.

Root cause

The PR #24251 pattern of minting in activation and passing via needs.activation.outputs.github_mcp_app_token is fundamentally incompatible with how masked values propagate across job boundaries.

Changes

  • compiler_activation_job.go — Remove generateGitHubMCPAppTokenMintingSteps call and github_mcp_app_token job output
  • compiler_yaml_main_job.go — Mint github-mcp-app-token directly in the agent job, before MCP setup steps
  • mcp_environment.go / copilot_engine_execution.go — Update GITHUB_MCP_SERVER_TOKEN reference from needs.activation.outputs.github_mcp_app_token → steps.github-mcp-app-token.outputs.token
  • compiler_github_mcp_steps.go — Update invalidation step to reference steps.github-mcp-app-token.outputs.token
  • compiler_main_job.go — Narrow the compiler invariant: checkout token minting is still forbidden in the agent job; github-mcp-app-token is now explicitly permitted
# Before (broken): token silently dropped by runner
jobs:
  activation:
    steps:
      - id: github-mcp-app-token          # masked here
        uses: actions/create-github-app-token@...
    outputs:
      github_mcp_app_token: ${{ steps.github-mcp-app-token.outputs.token }}  # dropped!
  agent:
    env:
      GITHUB_MCP_SERVER_TOKEN: ${{ needs.activation.outputs.github_mcp_app_token }}  # always ""

# After (fixed): token minted and consumed within the same job
jobs:
  agent:
    steps:
      - id: github-mcp-app-token
        uses: actions/create-github-app-token@...
    env:
      GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }}  # works

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build2535655268/b402/importcfg -pack /tmp/go-build2535655268/b402/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

The GitHub Actions runner silently drops masked values when they are used
as job outputs (runner v2.308+). Since actions/create-github-app-token
unconditionally calls ::add-mask:: on the produced token, the
github_mcp_app_token activation output was always empty, causing the
GitHub MCP server to run unauthenticated.

Fix by minting the GitHub MCP App token directly in the agent job
(and any other consuming job), referencing it via
steps.github-mcp-app-token.outputs.token instead of
needs.activation.outputs.github_mcp_app_token.

Checkout app tokens continue to be minted in the activation job since
they are passed as job outputs differently and don't use create-github-app-token.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6bb5fdbe-f8ba-428f-945c-4a72f38c9a8b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
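
A lint for the hand-off the commit message describes, as an added example that is not part of this PR or of gh-aw: it reports job outputs whose value comes from an actions/create-github-app-token step. The workflow text is constructed, `maskedJobOutputs` is a hypothetical name, and the line-based matching assumes `id:` sits directly above `uses:` in the minting step.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed workflow showing the broken hand-off; not taken from gh-aw.
const sampleWorkflow = `jobs:
  activation:
    outputs:
      comment_id: ${{ steps.react.outputs.comment-id }}
      github_mcp_app_token: ${{ steps.github-mcp-app-token.outputs.token }}
    steps:
      - id: react
        run: echo "comment-id=1" >> "$GITHUB_OUTPUT"
      - id: github-mcp-app-token
        uses: actions/create-github-app-token@PLACEHOLDER_SHA
`

// Assumption: "id:" sits directly above "uses:" in the minting step.
var mintStep = regexp.MustCompile(`id:\s*([\w-]+)\s*\n\s*uses:\s*actions/create-github-app-token@`)
var stepRef = regexp.MustCompile(`^\s*([\w-]+):.*steps\.([\w-]+)\.outputs\.`)

// maskedJobOutputs names the job outputs that read from a step minting an App
// token; per the commit message, such values arrive empty in the next job.
func maskedJobOutputs(workflow string) []string {
	minted := map[string]bool{}
	for _, m := range mintStep.FindAllStringSubmatch(workflow, -1) {
		minted[m[1]] = true
	}
	var hits []string
	outIndent := -1 // indent of the enclosing "outputs:" key, -1 when outside
	for _, line := range strings.Split(workflow, "\n") {
		trimmed := strings.TrimLeft(line, " ")
		indent := len(line) - len(trimmed)
		if trimmed == "outputs:" {
			outIndent = indent
		} else if outIndent >= 0 && trimmed != "" && indent <= outIndent {
			outIndent = -1
		} else if m := stepRef.FindStringSubmatch(line); outIndent >= 0 && m != nil && minted[m[2]] {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() { fmt.Println(maskedJobOutputs(sampleWorkflow)) }
```

A step-level `env:` reference to `steps.github-mcp-app-token.outputs.token` inside the same job is not reported, which is the form this fix moves to.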
Copilot AI changed the title from "[WIP] Fix activation output for github_mcp_app_token to prevent silent skip" to "fix: mint GitHub MCP App token in agent job, not activation job" Apr 4, 2026
Copilot AI requested a review from pelikhan April 4, 2026 22:03
pelikhan marked this pull request as ready for review April 4, 2026 22:06
Copilot AI review requested due to automatic review settings April 4, 2026 22:06
pelikhan merged commit d0ab5f5 into main Apr 4, 2026
129 of 175 checks passed
pelikhan deleted the copilot/fix-github-mcp-app-token-activation-output branch April 4, 2026 22:07

Copilot AI left a comment

Pull request overview

This PR fixes GitHub MCP server authentication in generated workflows by minting the GitHub App token in the agent job (where it’s consumed) instead of in the activation job (where masked outputs get dropped by newer runners).

Changes:

  • Move GitHub MCP App token minting from the activation job to the agent job and consume it via steps.github-mcp-app-token.outputs.token.
  • Update all GitHub MCP token references (env/config/invalidation) from needs.activation.outputs.github_mcp_app_token to the step output.
  • Narrow the compiler invariant so checkout-related GitHub App token minting remains forbidden in the agent job, while MCP token minting is explicitly allowed.
Summary per file

| File | Description |
| --- | --- |
| pkg/workflow/compiler_activation_job.go | Removes GitHub MCP App token minting + job output from activation job. |
| pkg/workflow/compiler_yaml_main_job.go | Adds GitHub MCP App token minting steps into the agent job before MCP setup. |
| pkg/workflow/mcp_environment.go | Switches GITHUB_MCP_SERVER_TOKEN to reference the agent step output. |
| pkg/workflow/copilot_engine_execution.go | Updates Copilot execution env to use the agent step output token. |
| pkg/workflow/compiler_github_mcp_steps.go | Updates comments and invalidation step to reference steps.github-mcp-app-token.outputs.token. |
| pkg/workflow/compiler_main_job.go | Updates compiler invariant to only forbid checkout app-token minting in agent job. |
| pkg/workflow/github_mcp_app_token_test.go | Updates tests to reflect new minting location and adds/renames coverage. |

Copilot's findings

Comments suppressed due to low confidence (1)

pkg/workflow/github_mcp_app_token_test.go:668

  • TestGitHubMCPAppTokenMintedInAgentJob asserts that the minting step exists somewhere in the compiled workflow, but it doesn't verify that id: github-mcp-app-token is actually under jobs.agent.steps (as opposed to another job). To ensure the test would fail if the step were accidentally generated in activation, extract the agent job section (or parse the YAML) and assert the minting step is present within that agent job steps list.
	// The minting step must be present somewhere in the compiled workflow
	assert.Contains(t, lockContent, "create-github-app-token",
		"GitHub MCP App token minting step must be present in the compiled workflow")
	assert.Contains(t, lockContent, "id: github-mcp-app-token",
		"GitHub MCP App token step must use github-mcp-app-token step ID")

  • Files reviewed: 7/7 changed files
  • Comments generated: 1

Comment on lines 606 to 617
// Locate the agent job section (after " agent:" and before the next top-level job)
agentJobStart := strings.Index(lockContent, "\n agent:\n")
require.NotEqual(t, -1, agentJobStart, "Agent job should be present")

// Find the next top-level job after agent (or end of file)
nextJobStart := strings.Index(lockContent[agentJobStart+len("\n agent:\n"):], "\n ")
var agentJobContent string
if nextJobStart == -1 {
agentJobContent = lockContent[agentJobStart:]
} else {
agentJobContent = lockContent[agentJobStart : agentJobStart+len("\n agent:\n")+nextJobStart]
}
Copilot AI Apr 4, 2026

The logic to extract the agent job section is incorrect: searching for the next job via strings.Index(..., "\n ") will match many lines inside the agent job (any line starting with 4+ spaces also contains the substring \n ), so agentJobContent can be truncated to only the first line(s). That makes the subsequent NotContains(create-github-app-token) assertion unreliable. Consider locating the next top-level job by searching for \n <jobName>: patterns, or parsing the YAML and extracting jobs.agent.steps directly.

This issue also appears on line 663 of the same file.

See below for a potential fix:

			var lockWorkflow map[string]interface{}
			err = goyaml.Unmarshal(content, &lockWorkflow)
			require.NoError(t, err, "Failed to parse lock file YAML")

			jobs, ok := lockWorkflow["jobs"].(map[string]interface{})
			require.True(t, ok, "Lock file should contain a jobs map")

			agentJob, ok := jobs["agent"]
			require.True(t, ok, "Agent job should be present")

			agentJobBytes, err := goyaml.Marshal(agentJob)
			require.NoError(t, err, "Failed to marshal agent job YAML")
			agentJobContent := string(agentJobBytes)

Copilot uses AI. Check for mistakes.
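
The truncation described in the review comment above, next to a boundary search that stops at the next sibling job, as an added example (not code from the PR or from gh-aw). The sample lock file, the two-space job indent, and the names `section`, `naiveNext` and `siblingNext` are assumptions made for the illustration; it uses only the standard library rather than the YAML parsing suggested in the comment.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, not a real gh-aw lock file; jobs sit at two-space indent.
const sampleLock = `jobs:
  activation:
    runs-on: ubuntu-latest
  agent:
    runs-on: ubuntu-latest
    steps:
      - id: github-mcp-app-token
        uses: actions/create-github-app-token@PLACEHOLDER_SHA
  conclusion:
    runs-on: ubuntu-latest
`

// section cuts out one job's block; next locates the following job in the text after the header (-1 if none).
func section(lock, job string, next func(rest string) int) (string, bool) {
	header := "\n  " + job + ":\n"
	start := strings.Index(lock, header)
	if start == -1 {
		return "", false
	}
	body := start + len(header)
	if end := next(lock[body:]); end != -1 {
		return lock[start+1 : body+end], true
	}
	return lock[start+1:], true
}

// naiveNext mirrors the flagged search: every nested line also starts with "\n  ".
func naiveNext(rest string) int { return strings.Index(rest, "\n  ") }

// siblingKey matches a mapping key indented by at most two spaces (the next job).
var siblingKey = regexp.MustCompile(`(?m)^ {0,2}[\w-]+:`)

func siblingNext(rest string) int {
	if loc := siblingKey.FindStringIndex(rest); loc != nil {
		return loc[0]
	}
	return -1
}

func main() { fmt.Println(section(sampleLock, "agent", siblingNext)) }
```

With `naiveNext` the agent section ends after its first line, so a `NotContains` check for the minting step passes whether or not the step is there.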
Successfully merging this pull request may close these issues.

Bug: github_mcp_app_token activation output silently skipped — regression introduced in #24251