github · dsyme · Jun 18, 2026 · Jun 18, 2026
diff --git a/.changeset/patch-relocate-checkout-manifest-into-safeoutputs.md b/.changeset/patch-relocate-checkout-manifest-into-safeoutputs.md
diff --git a/actions/setup/js/build_checkout_manifest.cjs b/actions/setup/js/build_checkout_manifest.cjs
@@ -88,7 +88,10 @@ function buildCheckoutManifest(entries, options = {}) {
   const runGit = options.runGit;
   const runGH = options.runGH;
 
-  const manifestDir = path.join(runnerTemp, "gh-aw");
+  // Write under safeoutputs/ because that subdirectory is the only part of
+  // $RUNNER_TEMP/gh-aw that is bind-mounted into the containerized safe-outputs
+  // MCP server, which is where the manifest is read by findRepoCheckout.
+  const manifestDir = path.join(runnerTemp, "gh-aw", "safeoutputs");
   fs.mkdirSync(manifestDir, { recursive: true });
   const manifestPath = path.join(manifestDir, "checkout-manifest.json");
   const manifest = {};

diff --git a/actions/setup/js/build_checkout_manifest.test.cjs b/actions/setup/js/build_checkout_manifest.test.cjs
@@ -121,7 +121,7 @@ describe("build_checkout_manifest.cjs", () => {
       }
     );
 
-    expect(manifestPath).toBe(path.join(runnerTemp, "gh-aw", "checkout-manifest.json"));
+    expect(manifestPath).toBe(path.join(runnerTemp, "gh-aw", "safeoutputs", "checkout-manifest.json"));
     expect(manifest).toEqual({
       "owner/repo": {
         repository: "Owner/Repo",

diff --git a/actions/setup/js/checkout_manifest.cjs b/actions/setup/js/checkout_manifest.cjs
@@ -19,9 +19,12 @@ const { getErrorMessage } = require("./error_helpers.cjs");
  * authoritative source for resolving the on-disk checkout path and base branch
  * of cross-repo checkouts without any network access.
  *
- * The default location is $RUNNER_TEMP/gh-aw/checkout-manifest.json. Override
- * with GH_AW_CHECKOUT_MANIFEST when running outside of a GitHub Actions runner
- * (tests, local dev).
+ * The default location is $RUNNER_TEMP/gh-aw/safeoutputs/checkout-manifest.json.
+ * It lives under safeoutputs/ specifically because that subdirectory is the only
+ * part of $RUNNER_TEMP/gh-aw that is bind-mounted into the containerized
+ * safe-outputs MCP server; a sibling file at $RUNNER_TEMP/gh-aw/ would be
+ * invisible inside the container. Override with GH_AW_CHECKOUT_MANIFEST when
+ * running outside of a GitHub Actions runner (tests, local dev).
  */
 
 let cached = null;
@@ -35,7 +38,7 @@ function resolveManifestPath() {
   if (!runnerTemp || runnerTemp.trim() === "") {
     return null;
   }
-  return path.join(runnerTemp, "gh-aw", "checkout-manifest.json");
+  return path.join(runnerTemp, "gh-aw", "safeoutputs", "checkout-manifest.json");
 }
 
 function loadManifest() {

diff --git a/pkg/workflow/checkout_step_generator.go b/pkg/workflow/checkout_step_generator.go
@@ -73,8 +73,9 @@ func (cm *CheckoutManager) GenerateAdditionalCheckoutSteps(getActionPin func(str
 // so the safe-outputs MCP server (which runs without credentials) can look up the
 // base branch without making any network calls.
 //
-// The manifest file lives at $RUNNER_TEMP/gh-aw/checkout-manifest.json. The default
-// branch is resolved at runtime via:
+// The manifest file lives at $RUNNER_TEMP/gh-aw/safeoutputs/checkout-manifest.json
+// (under safeoutputs/ so it is bind-mounted into the containerized safe-outputs MCP
+// server). The default branch is resolved at runtime via:
 //  1. `git symbolic-ref --short refs/remotes/origin/HEAD` on the local checkout
 //     (works when actions/checkout left the remote HEAD set, typical for fetch-depth: 0)
 //  2. `gh api repos/<owner>/<repo> --jq .default_branch` as a credentialed fallback