fix: use custom token for PR creation push access #38
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the Traffic Updater automation to use a custom GitHub token (PAT) with write permissions when creating/pushing branches for pull requests.
Changes:
- Add `github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}` to the `safe-outputs.create-pull-request` configuration in the source workflow definition.
- Regenerate the locked workflow to propagate the custom token into Safe Outputs config/handler wiring and enable custom tokens support.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/traffic-updater.md | Adds PAT-based github-token to Safe Outputs PR creation configuration. |
| .github/workflows/traffic-updater.lock.yml | Regenerates compiled workflow to pass/use the PAT in Safe Outputs config and related steps. |
Comments suppressed due to low confidence (2)
.github/workflows/traffic-updater.lock.yml:1212
`GIT_TOKEN` is now set exclusively from `secrets.GH_AW_GITHUB_TOKEN`, which removes the previous fallback to `secrets.GITHUB_TOKEN`. If the PAT secret is unavailable, git remote re-auth will produce an invalid URL and subsequent push steps will fail; either keep the fallback consistent with prior behavior or fail fast with a dedicated validation step before configuring git.

```yaml
if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
env:
  REPO_NAME: ${{ github.repository }}
  SERVER_URL: ${{ github.server_url }}
  GIT_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
run: |
```

.github/workflows/traffic-updater.lock.yml:1242
In `Process Safe Outputs`, the step is setting `GITHUB_TOKEN` to the PAT and embedding the PAT into `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG`, but the `actions/github-script` input still uses the fallback expression (`secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`). For clarity and to avoid accidentally using a read-only token in environments where the PAT is required, make the `github-token` input consistent with the PAT-only approach used elsewhere in this job.

```yaml
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"allowed_files\":[\".github/uvs.csv\",\".github/views.csv\"],\"base_branch\":\"main\",\"fallback_as_issue\":false,\"github-token\":\"${{ secrets.GH_AW_GITHUB_TOKEN }}\",\"labels\":[\"automated-update\",\"traffic-data\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\"],\"protected_files_policy\":\"allowed\",\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"title_prefix\":\"[bot] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"}}"
GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
with:
  github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
  script: |
```
| - name: Checkout repository | ||
| if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| ref: main | ||
| token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| token: ${{ secrets.GH_AW_GITHUB_TOKEN }} | ||
| persist-credentials: false |
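Review bot: `persist-credentials: false` on this checkout means the `token:` given here is used for the fetch only and is not left in the checked-out repository's git config, so the later push must supply its own credential; in the same lock file that is done through `GIT_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}` before the push step. Both now read the same single secret with no fallback, so a missing secret fails at checkout, which is the earlier and clearer failure point. If the `|| secrets.GITHUB_TOKEN` fallback is restored in one of the two places it should be restored in both, otherwise checkout and push can end up authenticating as different identities with different write access.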
actions/checkout is now using only secrets.GH_AW_GITHUB_TOKEN (previously it fell back to secrets.GITHUB_TOKEN). If this secret is not configured (e.g., in forks or new environments), the workflow will fail at checkout. Consider keeping the fallback, or add an explicit preflight check with a clear error explaining that the PAT secret is required for branch pushes/PR creation.
This issue also appears in the following locations of the same file:
- line 1207
- line 1237
| allowed-files: | ||
| - ".github/uvs.csv" | ||
| - ".github/views.csv" | ||
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }} |
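Review bot: the value configured in `github-token` here is serialized verbatim into the compiled workflow's `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` JSON string and also becomes that step's `GITHUB_TOKEN`, so the PAT's scope is the blast radius of everything that reads the handler config, not just the PR creation call. Document next to this setting that `GH_AW_GITHUB_TOKEN` must be a token scoped to this repository with the contents write access the PR description says is needed to push branches, rather than a broad personal token, so the requirement is visible to whoever provisions the secret.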
Adding a PAT-based github-token here makes the workflow depend on secrets.GH_AW_GITHUB_TOKEN being present. If this workflow is expected to run in forks or in environments where the PAT isn’t configured, consider using a fallback to secrets.GITHUB_TOKEN (or documenting/enforcing the requirement with a clear validation step).
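The two alternatives the review comments raise, keeping the `GH_AW_GITHUB_TOKEN || GITHUB_TOKEN` fallback versus failing fast with a clear message before git is configured, as an added shell example that is not part of this PR or of the workflow compiler it targets. The variable names `GH_AW_GITHUB_TOKEN`, `GITHUB_TOKEN`, `GIT_TOKEN`, `SERVER_URL` and `REPO_NAME` are the ones shown in the compiled workflow above; the function names and the sample token values are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the PR or its workflow tooling). Models, in plain shell,
# the token handling a `run:` step in this workflow needs:
#   resolve_push_token  - the `secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`
#                         fallback expression, reproduced for a shell step
#   require_push_token  - a fail-fast preflight that refuses an empty token with
#                         one actionable error instead of letting a later
#                         `git remote set-url` build an invalid URL
#   auth_remote_url     - the authenticated remote URL the push step would use,
#                         built only after the preflight passed
# Function names are assumptions for this example; no value is ever echoed
# except the URL itself, which the caller passes straight to git.

set -u

# Mirror of `${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}`:
# prints the PAT when it is set and non-empty, otherwise the default
# GITHUB_TOKEN, otherwise nothing (an unset secret expands to "").
resolve_push_token() {
  local pat="${1:-}" default="${2:-}"
  if [ -n "$pat" ]; then
    printf '%s' "$pat"
  else
    printf '%s' "$default"
  fi
}

# Fail-fast preflight. Returns 0 when a token is present; returns 1 and prints a
# message naming the missing secret (never the token value) when it is empty.
require_push_token() {
  local token="${1:-}" secret_name="${2:-GH_AW_GITHUB_TOKEN}"
  if [ -z "$token" ]; then
    printf 'error: secret %s is not set; it must hold a token with write access to this repository so create_pull_request can push its branch\n' \
      "$secret_name" >&2
    return 1
  fi
  return 0
}

# Authenticated remote for the push, e.g. https://x-access-token:<token>@github.com/owner/repo.git.
# Returns 1 with no output when the token is empty, which is exactly the
# "invalid URL" failure the suppressed comment describes; callers must check it.
auth_remote_url() {
  local server_url="$1" repo_name="$2" token="${3:-}"
  require_push_token "$token" >/dev/null 2>&1 || return 1
  local scheme="${server_url%%://*}" host="${server_url#*://}"
  printf '%s://x-access-token:%s@%s/%s.git' "$scheme" "$token" "$host" "$repo_name"
}

# Usage inside a workflow `run:` step (constructed; env comes from the job):
#   GIT_TOKEN="$(resolve_push_token "${GH_AW_GITHUB_TOKEN:-}" "${GITHUB_TOKEN:-}")"
#   require_push_token "$GIT_TOKEN"
#   git remote set-url origin "$(auth_remote_url "$SERVER_URL" "$REPO_NAME" "$GIT_TOKEN")"
```

With the PAT-only wiring the PR introduces, `resolve_push_token` is not needed and `require_push_token` should run as its own step before any `git remote set-url`, so that a missing secret stops the job with the message above rather than with an opaque push error several steps later.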
The safe-outputs PR creation step needs Contents:Write permission to push branches. This adds `github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}` to the `create-pull-request` config so it uses the PAT with write access.