Sample replay handler fails to find side-repo checkout because 'Configure Git credentials' overwrites origin URL

[dsyme]

Summary

When a workflow uses checkout: to check out a non-workflow repository into $GITHUB_WORKSPACE, the compiled lockfile's "Configure Git credentials" step resets origin back to the workflow's own repository URL:

- name: Configure Git credentials
  env:
    REPO_NAME: ${{ github.repository }}   # <-- always the workflow repo
    SERVER_URL: ${{ github.server_url }}
    GITHUB_TOKEN: ${{ github.token }}
  run: |
    ...
    git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"

The on-disk repo contents are the target repo (e.g. gh-aw-side-repo), but git config --get remote.origin.url returns the workflow repo (e.g. gh-aw-test).

This breaks downstream multi-repo detection in find_repo_checkout.cjs, which walks the workspace looking for a .git whose remote matches the target. The match always fails because the URL has been overwritten.

Reproduction

Trigger any workflow with safe-outputs.create-pull-request (or push-to-pull-request-branch) that uses checkout: to a different repo than github.repository, in sample-replay mode.

Example from githubnext/gh-aw-test:

• Workflow: test-copilot-siderepo-create-pull-request.md
• checkout: declares repository: githubnext/gh-aw-side-repo
• safe-outputs.create-pull-request declares target-repo: 'githubnext/gh-aw-side-repo'
• Sample replay: https://github.com/githubnext/gh-aw-test/actions/runs/27091821141

Sample MCP server response:

[safeoutputs] Multi-repo mode: looking for checkout of githubnext/gh-aw-side-repo
git config --get remote.origin.url
Git command output: https://github.com/githubnext/gh-aw-test.git
[safeoutputs] Failed to find repo checkout: Repository 'githubnext/gh-aw-side-repo' not found in workspace.

The handler then returns an error-shaped MCP response, no safe-output is emitted, and Process Safe Outputs reports Found 0 message(s) in agent output.

Expected

Either:

1. The "Configure Git credentials" step should not overwrite origin when the workspace is a checkout: of a different repo, or
2. find_repo_checkout.cjs should consult the existing checkout-manifest.json (built earlier in the same job at line ~410 of the lockfile) rather than relying on git config --get remote.origin.url after a credentials step has potentially clobbered it.

The checkout manifest already contains the correct mapping (githubnext/gh-aw-side-repo -> path=), so option (2) is a localized fix.

Affected tests in githubnext/gh-aw-test

• test-copilot-siderepo-create-pull-request
• test-copilot-siderepo-create-pull-request-review-comment
• test-copilot-siderepo-create-two-pull-requests

All produce Found 0 message(s) in agent output despite samples being declared.

Repro lockfile snippet

- name: Checkout repository
  uses: actions/checkout@... # gh-aw-test
- name: Checkout githubnext/gh-aw-side-repo
  uses: actions/checkout@... # overwrites workspace
- name: Build checkout manifest for safe-outputs handlers
  run: |
    # ... produces checkout-manifest.json mapping githubnext/gh-aw-side-repo -> path=""
- name: Configure Git credentials
  env:
    REPO_NAME: ${{ github.repository }}
  run: |
    git remote set-url origin "...github.com/${REPO_NAME}.git"  # <-- clobbers
- name: Replay safe-outputs samples (deterministic)
  # MCP server now sees origin=gh-aw-test, fails to find side-repo, returns error

[dsyme]

Here's the full problematic workflow

---
on:
  workflow_dispatch:

permissions: read-all

engine: 
  id: copilot

tools:
  github:
    # The GitHub tools must be authorized to read across-repo 
    github-token: ${{ secrets.TEMP_USER_PAT }}

checkout:
  - repository: githubnext/gh-aw-side-repo
    token: ${{ secrets.TEMP_USER_PAT }}
    fetch: ["*"]      # fetch all open PR refs after checkout
    fetch-depth: 0               # fetch full history to ensure we can see all commits and PR details

safe-outputs:
  create-pull-request:
    title-prefix: "[copilot-test-single-pr] "
    labels: [copilot, automation, bot]
    target-repo: 'githubnext/gh-aw-side-repo'
    allowed-repos: ['githubnext/gh-aw-side-repo']
    github-token: ${{ secrets.TEMP_USER_PAT }}
    samples:
      - title: "Multi-commit test from Copilot"
        body: "This pull request was created by Copilot in the side repository to test multi-commit functionality."
        branch: "gh-aw-sample-copilot-siderepo-multi-commit"
        patch: |
          diff --git a/README-test.md b/README-test.md
          new file mode 100644
          --- /dev/null
          +++ b/README-test.md
          @@ -0,0 +1,3 @@
          +# Test Project (Side Repo)
          +
          +This is a test project created by Copilot in the side repository.
---

# Test Copilot Create Pull Request (Side Repo)

This test workflow specifically tests multi-commit functionality in create-pull-request in the side repository.

**IMPORTANT: Create multiple separate commits for this test case**

1. **First commit**: Create a file "README-test.md" with content:
   ```markdown
   # Test Project
   
   This is a test project created by Copilot to test multi-commit pull requests.
   
   Created at: {{ current timestamp }}
   ```

2. **Second commit**: Create a JavaScript script "test-script.js" with:
   ```javascript
   #!/usr/bin/env node
   function hello() {
       console.log("Hello from Copilot multi-commit test!");
   }
   
   if (require.main === module) {
       hello();
   }
   ```

3. **Third commit**: Create a configuration file "config.json" with:
   ```json
   {
       "test": true,
       "engine": "copilot",
       "purpose": "multi-commit-test",
       "repository": "githubnext/gh-aw-side-repo",
       "timestamp": "{{ current timestamp }}"
   }
   ```

Create a pull request in the repository githubnext/gh-aw-side-repo with title "[copilot-test] Multi-Commit PR Test" targeting the main branch.

Make sure all three commits are separate and properly attributed. Include a summary of all changes in the PR description.
~~~~