diff --git a/docs/src/content/docs/reference/auth.mdx b/docs/src/content/docs/reference/auth.mdx index 59f7bd84e89..ad29d5b4ffe 100644 --- a/docs/src/content/docs/reference/auth.mdx +++ b/docs/src/content/docs/reference/auth.mdx @@ -298,6 +298,12 @@ For both tool authentication and safe outputs, you can scope the GitHub App toke - `repositories: ["*"]` - Org-wide access (all repos in the installation) - `repositories: ["repo1", "repo2"]` - Specific repositories only +#### Omitting `owner` + +When `owner` is omitted, gh-aw derives the installation owner from the workflow's effective checkout target. For literal `owner/repo` repositories, the owner is emitted directly at compile time; for expression-based repositories, a generated pre-step extracts the owner at runtime before token minting. For `workflow_call` workflows with no explicit `checkout.repository`, derivation falls back to `${{ needs.activation.outputs.target_repo }}`. + +This lets multi-org workflows mint App tokens against the effective target without setting `owner:` explicitly. An explicit `owner:` always takes precedence. Owner derivation applies under `checkout[*].github-app`, top-level `safe-outputs.github-app`, and `tools.github.github-app`. + ### Gracefully Skip Minting When Keys Are Missing (`ignore-if-missing:`) By default, jobs fail when `client-id` or `private-key` resolve to empty strings at runtime — for example, on fork pull requests where App secrets are unavailable. Set `ignore-if-missing: true` to skip the token mint step instead and fall back to the standard non-App token chain (`secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`): diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md index 9b72d09b337..c438c9ea63b 100644 --- a/docs/src/content/docs/reference/safe-outputs.md +++ b/docs/src/content/docs/reference/safe-outputs.md @@ -310,6 +310,20 @@ The author of the parent issue, PR, or discussion receiving the comment is autom Set `hide-older-comments: true` to minimize previous comments from the same workflow (identified by `GITHUB_WORKFLOW`) before posting new ones. Useful for status updates. Allowed reasons: `spam`, `abuse`, `off_topic`, `outdated` (default), `resolved`, `low_quality`. +To also minimize comments from one or more other workflows in the same pass, use the object form with `match`: + +```yaml wrap +safe-outputs: + add-comment: + hide-older-comments: + enabled: true + match: + - other_workflow + - yet-another +``` + +`match` is an exact-match list of workflow IDs (the `GITHUB_WORKFLOW` value, not the file name). The current workflow is always included; entries in `match` are added to the set. Set `enabled: false` to disable hiding while keeping the object form. The boolean form (`hide-older-comments: true`) is still supported for the single-workflow case. + #### Append-Only Status Comments By default, gh-aw posts an activation comment when a workflow starts, then updates that same comment with the final status.