Skip to content

feat: detect OAuth tokens in activation job for COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN#44204

Merged
pelikhan merged 10 commits into
mainfrom
copilot/add-runtime-check-for-github-tokens
Jul 8, 2026
Merged

feat: detect OAuth tokens in activation job for COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN#44204
pelikhan merged 10 commits into
mainfrom
copilot/add-runtime-check-for-github-tokens

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

OAuth tokens (gho_...) are over-provisioned user-scoped credentials unsuitable for automation — they can't be scoped to specific repositories and are tied to the user's session lifecycle.

Changes

actions/setup/sh/check_oauth_tokens.sh (new)

  • Checks COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN for gho_ prefix at runtime
  • Skips tokens that are not set
  • On detection: writes actionable error to $GITHUB_STEP_SUMMARY with link to create a fine-grained PAT, exits 1

pkg/workflow/compiler_activation_job_builder.go

  • New addActivationOAuthTokenCheckStep injects a check-oauth-tokens step into every activation job
  • Inserted after the engine-specific validate-secret step
  • Respects engine.env overrides for COPILOT_GITHUB_TOKEN (same resolution as validate-secret)

pkg/workflow/compiler_activation_jobs_test.go

  • TestBuildActivationJob_OAuthTokenCheckStep — step and script reference present
  • TestBuildActivationJob_OAuthTokenCheckStep_DefaultTokenExprs — default secret expressions used without overrides
  • TestBuildActivationJob_OAuthTokenCheckStep_EngineEnvOverrideengine.env override honored for COPILOT_GITHUB_TOKEN
  • TestBuildActivationJob_OAuthCheckAfterSecretValidation — ordering: OAuth check follows validate-secret

Copilot AI and others added 2 commits July 8, 2026 05:29
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Add a new `check-oauth-tokens` step to the activation job that detects
OAuth tokens (gho_...) in COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN.
OAuth tokens are not suitable for automation as they are typically
over-provisioned and cannot be scoped to specific repositories.

- New script: actions/setup/sh/check_oauth_tokens.sh
- New step function: addActivationOAuthTokenCheckStep in compiler_activation_job_builder.go
- Step is added after the engine-specific secret validation step
- Respects engine.env overrides for COPILOT_GITHUB_TOKEN
- Updated wasm golden files and recompiled all workflow lock files
- Added 4 tests covering the new step

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title feat: add OAuth token check step to activation job feat: detect OAuth tokens in activation job for COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 05:41
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot

  • also validated the GitHub MCP token
  • validate any github token using in JavaScript before instantiating a new Octokit

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…okens in getOctokit

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot

  • also validated the GitHub MCP token...

Done in commit feat: add GH_AW_GITHUB_MCP_SERVER_TOKEN to OAuth check and validate tokens in getOctokit:

  • check_oauth_tokens.sh: Added GH_AW_GITHUB_MCP_SERVER_TOKEN to the gho_ prefix checks alongside the existing COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN checks.
  • compiler_activation_job_builder.go: The activation job's check-oauth-tokens step now passes GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} as an env var.
  • setup_globals.cjs: The global.getOctokit wrapper now validates the token before calling the underlying getOctokitFn. Any call with a gho_-prefixed token throws immediately with an actionable error message pointing to the PAT creation page.

@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Copilot AI and others added 3 commits July 8, 2026 06:19
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…heck-for-github-tokens

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile

Done in commit chore: merge main and recompile workflows — merged main (through 1170a4a) and recompiled all 258 workflows successfully.

@pelikhan pelikhan marked this pull request as ready for review July 8, 2026 06:35
Copilot AI review requested due to automatic review settings July 8, 2026 06:35
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an early-fail guardrail to prevent user-scoped OAuth tokens (gho_...) from being used as automation credentials by (1) injecting a new activation-job step that checks key token env vars and (2) hard-failing if global.getOctokit(...) is invoked with an OAuth token. It also regenerates the compiled workflow outputs (goldens and .lock.yml files) to reflect the new activation step.

Changes:

  • Add check_oauth_tokens.sh and inject a check-oauth-tokens activation step (after validate-secret) to detect gho_... tokens.
  • Add/extend constants and tests to cover step presence, default secret expressions, and engine.env override behavior.
  • Regenerate workflow goldens and many compiled .lock.yml workflows to include the new step.
Show a summary per file
File Description
actions/setup/sh/check_oauth_tokens.sh New shell script that fails the job if configured tokens are OAuth (gho_...) tokens.
actions/setup/js/setup_globals.cjs Adds a runtime guard to throw if getOctokit is called with a gho_... token.
pkg/constants/engine_constants.go Introduces a constant for GH_AW_GITHUB_MCP_SERVER_TOKEN.
pkg/workflow/compiler_activation_job_builder.go Injects the new check-oauth-tokens activation job step and wires env vars.
pkg/workflow/compiler_activation_jobs_test.go Adds tests asserting presence, ordering, and token expression resolution for the new step.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Golden updated to include the new check-oauth-tokens step.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Golden updated to include the new check-oauth-tokens step.
.github/workflows/ace-editor.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/agent-persona-explorer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/agentic-token-audit.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/agentic-token-optimizer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/agentic-token-trend-audit.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/bot-detection.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/chaos-pr-bundle-fuzzer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/code-simplifier.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/commit-changes-analyzer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/contribution-check.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/copilot-centralization-optimizer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/copilot-opt.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerated lock workflow including the new activation step and updated manifest secrets list.
.github/workflows/constraint-solving-potd.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-ambient-context-optimizer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-byok-ollama-test.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-community-attribution.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-credit-limit-test.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-doc-updater.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-firewall-report.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-function-namer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-issues-report.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-model-inventory.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-model-resolution.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-multi-device-docs-tester.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-performance-summary.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-regulatory.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-security-observability.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-sentrux-report.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-skill-optimizer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-team-status.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/daily-windows-terminal-integration-builder.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/dataflow-pr-discussion-dataset.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/dependabot-burner.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/dependabot-go-checker.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/dependabot-repair.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/deployment-incident-monitor.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/designer-drift-audit.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/eslint-monster.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/example-failure-category-filter.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/example-permissions-warning.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/firewall.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/functional-pragmatist.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/glossary-maintainer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/gpclean.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/issue-triage-agent.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/jsweep.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/layout-spec-maintainer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/lint-monster.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/mcp-inspector.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/mergefest.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/metrics-collector.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/notion-issue-summary.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/objective-impact-report.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/org-health-report.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/outcome-collector.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/pdf-summary.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/plan.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/poem-bot.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/pr-description-caveman.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/pr-nitpick-reviewer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/pr-triage-agent.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/python-data-charts.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/q.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/refiner.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/release.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/repo-audit-analyzer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/repo-tree-map.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/repository-quality-improver.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/research.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/schema-consistency-checker.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/security-compliance.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/slide-deck-maintainer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-call-workflow.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-ci.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-claude-on-copilot.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-copilot-arm.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-copilot-sdk.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-copilot.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-multi-pr.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-opencode.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-otel-backends.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-pi.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-project.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-service-ports.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-temporary-id.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-test-tools.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/smoke-workflow-call.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/spec-enforcer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/stale-repo-identifier.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/sub-issue-closer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/super-linter.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/technical-doc-writer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/terminal-stylist.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/test-dispatcher.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/test-project-url-default.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/test-workflow.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/tidy.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/uk-ai-operational-resilience.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/unbloat-docs.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/update-astro.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/video-analyzer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/visual-regression-checker.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/weekly-blog-post-writer.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/weekly-editors-health-check.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/weekly-issue-summary.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/workflow-generator.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/workflow-health-manager.lock.yml Regenerated lock workflow including the new activation step.
.github/workflows/workflow-normalizer.lock.yml Regenerated lock workflow including the new activation step and MCP gateway config changes.
.github/workflows/workflow-skill-extractor.lock.yml Regenerated lock workflow including the new activation step.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 172/272 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines 799 to 803
"accept": [
"*"
],
"sink-visibility": "public"
]
}
}
Comment on lines 847 to 851
"accept": [
"*"
],
"sink-visibility": "public"
]
}
}
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category feature
Risk 🔴 High
Score 75/100 (impact:38 urgency:22 quality:15)
Action fast_track

Rationale: Detects OAuth tokens (gho_ prefix) that are unsuitable for automation — over-provisioned user-scoped credentials. Injects runtime check into activation job. Security-adjacent, high impact. CHANGES_REQUESTED by CI; address before merge.


Run §28924016278

Generated by 🔧 PR Triage Agent · 101 AIC · ⌖ 9.82 AIC · ⊞ 5.4K ·

@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Copilot AI and others added 2 commits July 8, 2026 09:39
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…heck-for-github-tokens

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile

Done — merged origin/main (through 3943a52) and recompiled all 258 workflows successfully (0 errors, 185 warnings). The sink-visibility reviewer concern is addressed by the upstream refactor 3d764337 ("compute sink-visibility at runtime instead of compile time") that landed in main and is now included in this merge.

@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

/smoke-copilot

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this issue comment. Sources say the story is developing...

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address the open review feedback on the OAuth-token guardrails, and rerun checks once the branch is ready. Current blockers still called out in review include the $GITHUB_STEP_SUMMARY guard, empty override handling, and verifying the engine env secret override behavior.

Generated by PR Sous Chef · run: https://github.com/github/gh-aw/actions/runs/28933908079

Generated by 👨‍🍳 PR Sous Chef · 26.2 AIC · ⌖ 4.5 AIC · ⊞ 7.1K ·
Comment /souschef to run again

@pelikhan pelikhan merged commit f9635a3 into main Jul 8, 2026
12 of 13 checks passed
@pelikhan pelikhan deleted the copilot/add-runtime-check-for-github-tokens branch July 8, 2026 10:08
Copilot stopped work on behalf of gh-aw-bot due to an error July 8, 2026 10:08
Copilot AI requested a review from gh-aw-bot July 8, 2026 10:08
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke

PR: feat: detect OAuth tokens in activation job for COPILOT_GITHUB_TOKEN and GH_AW_GITHUB_TOKEN
Merged: fix(eslint-factory): treat try/finally without catch as unprotected in isInsideTryBlock | Replace deprecated needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.*
1✅ 2✅ 3✅ 4✅ 5❌ 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅ 13✅ 14❌ 15✅ 16✅
FAIL • author @app/copilot-swe-agent • assignees @pelikhan @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 107.1 AIC · ⌖ 7.9 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

Circuit hums at dawn
Robots test the pull request tide
Green sparks trace the sky

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 107.1 AIC · ⌖ 7.9 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test review submitted.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 107.1 AIC · ⌖ 7.9 AIC · ⊞ 19.1K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.5

github-actions Bot added a commit that referenced this pull request Jul 8, 2026
Add three new user-facing terms from today's commits:

- dismiss-pull-request-review: New safe output capability for dismissing
  PR reviews authored by the workflow actor (PR #44209)
- COPILOT_GITHUB_TOKEN: Fine-grained PAT for Copilot inference, now
  validated in activation job for OAuth token detection (PR #44204)
- restore-memory (jobs.<job-id>.restore-memory): New custom job field
  for read-only memory store restore in deterministic jobs (PR #44214)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants