Skip to content

Move validate-secret step from agent job to activation job#18441

Merged
pelikhan merged 3 commits intomainfrom
copilot/move-secret-validation-step
Feb 26, 2026
Merged

Move validate-secret step from agent job to activation job#18441
pelikhan merged 3 commits intomainfrom
copilot/move-secret-validation-step

Conversation

Copy link
Contributor

Copilot AI commented Feb 26, 2026
edited by github-actions bot
Loading

Secret validation was running in the agent job, after context variable validation and other activation-time checks. Moving it to the activation job ensures secrets are verified early — before wasting activation resources — and makes secret_verification_result available at activation time.

Changes

  • New interface method: Added GetSecretValidationStep(workflowData *WorkflowData) GitHubActionStep to WorkflowExecutor interface with a default no-op in BaseEngine. Each engine (Copilot, Claude, Codex, Gemini) implements it with the logic previously inlined in GetInstallationSteps.

  • Activation job (buildActivationJob): Calls engine.GetSecretValidationStep(data) and inserts the step before "Validate context variables". Adds secret_verification_result to activation job outputs.

  • Agent job (buildMainJob): Removes secret_verification_result output — now owned by the activation job.

  • GetBaseInstallationSteps / EngineHasValidateSecretStep: Removed secret validation from base install steps; EngineHasValidateSecretStep now delegates to GetSecretValidationStep instead of scanning step YAML.

  • Conclusion job (notify_comment.go): Updated GH_AW_SECRET_VERIFICATION_RESULT to reference needs.activation.outputs.secret_verification_result instead of needs.agent.outputs.secret_verification_result.

Resulting activation job step order

setup → validate-secret → Validate context variables → checkout .github → ...

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go ache/node/24.13.1/x64/bin/node 3757�� uts.branch go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -tests /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/gh git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ache/node/24.13.init (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha In9L/_gnlkMHAPMp2RoGGIn9L (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha install --package-lock-only /usr/bin/git 976393/b411/_pkggit GO111MODULE 976393/b411/repo--show-toplevel git rev-�� --show-toplevel 976393/b411/repoutil.test /usr/bin/git t0 GO111MODULE (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha 976393/b393/_pkg/repos/actions/setup-node/git/ref/tags/v4 git 1/x64/bin/node user.email test@example.comrev-parse /usr/bin/git git arne�� --show-toplevel git 1/x64/bin/node --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git 1/x64/bin/node git rev-�� --show-toplevel basename /usr/bin/git ache/node/24.13.git git 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 0546-31941/test-1806434978/.github/workflows GO111MODULE cfg GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 2aa9779c..HEAD x_amd64/compile ache/node/24.13.1/x64/bin/npm -json GO111MODULE 64/pkg/tool/linu--show-toplevel ache/node/24.13.1/x64/bin/npm -w nly security /usr/bin/git OUTPUT -d 168.63.129.16 git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 4Op_icumgo8EKdHzrev-parse /usr/bin/git git rev-�� --show-toplevel (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha SameOutput2432832455/001/stability-test.md GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/node/24.13.1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha OKEN }} GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha -b feature-branch /usr/bin/git che/go-build/80/git GOPROXY 64/bin/go git rev-�� --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git ub/workflows -trimpath 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha bW5I/-pOH6J5YoELjpq_JbW5I -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc 976393/b425/importcfg -C k/gh-aw/gh-aw/pkg/timeutil/format.go k/gh-aw/gh-aw/pkg/timeutil/format_test.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link remote.origin.urgit GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel /tmp/go-build721976393/b434/_testmain.go /usr/bin/git --porcelain node 64/bin/go git rev-�� --show-toplevel go /usr/bin/infocmp -json GO111MODULE 64/bin/go infocmp (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git e/git --show-toplevel git 1/x64/bin/node e/git rev-�� --show-toplevel sed /usr/bin/git /usr/bin/git git 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git 1110�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� etup-node/git/ref/tags/v4 git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel grep /usr/bin/git "type"[[:space:]git git 1/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env e=false GO111MODULE 64/bin/go GOINSECURE %H %ct %D 18f81f2036bfeb3b-json go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build721976393/b392/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/envutil/envutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/envutil/envutil_test.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build721976393/b395/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha --show-toplevel mkdir /usr/bin/git /tmp/gh-aw git 1/x64/bin/node git rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/node/24.13.1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel go /usr/bin/git -json tmain.go ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/link /usr/bin/infocmp 976393/b381/cli.git GO111MODULE 976393/b381/impo--show-toplevel infocmp (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git log )$/\1/p -10 1/x64/bin/node --show-toplevel go /usr/bin/mkdir git (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel nly /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 1/x64/bin/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel nly /usr/bin/git --show-toplevel mkdir (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel dBTUAq5mV9_8 /usr/bin/git --show-toplevel git 7d87457f5a261cb4-d git rev-�� --show-toplevel gh /usr/bin/git /repos/actions/cnode --jq /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/gh --show-toplevel bash /home/REDACTED/.local/bin/node gh api /repos/actions/checkout/git/ref/tags/v3 --jq /usr/bin/git install --package-lock-o--norc /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel e/git /usr/bin/git --show-toplevel bash /opt/hostedtoolcache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel node /usr/bin/git install --package-lock-o--norc /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env runs/20260226-040546-31941/test-725428964/.github/workflows GO111MODULE 976393/b356/vet.cfg l GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� /\1/p git 1/x64/bin/node --show-toplevel go /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel git /home/REDACTED/work/_temp/uv-python-dir/node --show-toplevel git 1/x64/bin/node node /opt�� install --package-lock-oowner=github /usr/bin/git --show-toplevel git 64/pkg/tool/linuinspect git (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git x_amd64/compile git (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git -m Initial 1/x64/bin/node git rev-�� --show-toplevel git /usr/bin/find --show-toplevel 64/pkg/tool/linuapi 1/x64/bin/node find (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git /usr/bin/git git 1/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 1/x64/bin/node git (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git HEAD git 1/x64/bin/node git rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel 64/pkg/tool/linu-C 1/x64/bin/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel /usr/lib/git-core/git /usr/bin/git run --auto 1/x64/bin/node git rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 1/x64/bin/node git (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git . git 1/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git --show-toplevel kflow.test 1/x64/bin/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git --oneline -10 1/x64/bin/node git rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 1/x64/bin/node infocmp (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git user.name Test User 1/x64/bin/node git rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 1/x64/bin/node go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go stlo�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path edcfg GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 5250338/b395/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE npx (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel cut x_amd64/link git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1494955110/.github/workflows GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha xterm-color go iptables -json GO111MODULE x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git p/TestGetNpmBinPnode go /usr/bin/git git rev-�� ch git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel nly /usr/bin/git --show-toplevel sed /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -v go es ty-test.md GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel git /usr/bin/git gh-aw/actions/senode go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 5250338/b404/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD ode-gyp-bin/sh ache/go/1.25.0/xGO111MODULE env 5250338/b406/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build721976393/b381/cli.test /tmp/go-build721976393/b381/cli.test -test.testlogfile=/tmp/go-build721976393/b381/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go m/_n�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name 2888c116b4dd41c7GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 5250338/b394/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE b/gh-aw/pkg/logg--norc GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Move the step that validates secrets from the agent job to the activation job, placing it before the step that validates context variables. Update all references to the action’s outputs accordingly, especially in the conclusion job where the agent failure email is created, and ensure this scenario is handled correctly.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Changeset

  • Type: patch
  • Description: Move the secret validation step into the activation job so it runs before context checks, expose secret_verification_result there, and update downstream consumers to read from the activation outputs.

Generated by Changeset Generator for issue #18441

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • github.com

✨ PR Review Safe Output Test - Run 22427690817

💥 [THE END] — Illustrated by Smoke Claude

@pelikhan
Move validate-secret step from agent job to activation job
35706e1 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Move secret validation step to activation job Move validate-secret step from agent job to activation job Feb 26, 2026
@pelikhan pelikhan added the smoke label Feb 26, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026
edited
Loading

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026
edited
Loading

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.4
curl 8.5.0
gh 2.87.3
node 20.20.0
python3 3.12.3
go 1.24.13
java 21.0.10 (Temurin)
dotnet 10.0.102

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test

@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026

Commit pushed: fd96a62

Generated by Changeset Generator

@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026

PRs:

  • fix: update TestGetActionPinsSorting expected pin count to 38
  • fix: gh aw update exits gracefully when no workflows have a source field
    GitHub MCP: ✅
    Serena MCP: ✅
    Playwright/Web Fetch/File/Bash/Build: ✅/✅/✅/✅/✅
    Overall status: PASS

🔮 The oracle has spoken through Smoke Codex

@github-actions github-actions bot mentioned this pull request Feb 26, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026

Smoke test §22427690866 results for PR #18441@pelikhan, @Copilot:

Test
GitHub MCP
Safe Inputs GH CLI
Serena MCP
Playwright
Web Fetch
File Writing
Bash Tool
Discussion Query
Build gh-aw
Discussion Creation
Workflow Dispatch
PR Review

Overall: ⚠️ PARTIAL PASS (11/12 — Serena MCP unavailable)

📰 BREAKING: Report filed by Smoke Copilot

github-actions[bot]
github-actions bot reviewed Feb 26, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR systematically moves the validate-secret step from the agent job to the activation job across all workflows. This is a good architectural improvement — secret validation now happens earlier (fail-fast), before the agent job is even scheduled, which saves CI minutes when secrets are misconfigured. The secret_verification_result output is correctly threaded from activation → safe_outputs in all 180 changed files.

📰 BREAKING: Report filed by Smoke Copilot

.github/workflows/agent-performance-analyzer.lock.yml
outputs:
comment_id: ""
comment_repo: ""
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
Copy link
Contributor

@github-actions github-actions bot Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Good move exposing secret_verification_result as an activation job output — this allows downstream jobs (safe_outputs) to reference it via needs.activation.outputs.secret_verification_result instead of going through the agent job.

.github/workflows/agent-performance-analyzer.lock.yml
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
GH_AW_WORKFLOW_ID: "agent-performance-analyzer"
GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }}
GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
Copy link
Contributor

@github-actions github-actions bot Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔄 The reference is correctly updated from needs.agent.outputs to needs.activation.outputs — this is the essential change that wires up the moved step's output to the safe_outputs job. Moving secret validation to the activation job is a smart architecture decision: it fails fast before the expensive agent job even starts.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 26, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@pelikhan pelikhan marked this pull request as ready for review February 26, 2026 04:27
Copilot AI review requested due to automatic review settings February 26, 2026 04:27
@pelikhan pelikhan merged commit 645f972 into main Feb 26, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/move-secret-validation-step branch February 26, 2026 04:27
github-actions[bot]
github-actions bot reviewed Feb 26, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

Copilot AI reviewed Feb 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request moves secret validation from the agent job to the activation job, ensuring secrets are verified early in the workflow lifecycle—before context validation and other activation checks. This prevents wasting resources on workflows with invalid secrets.

Changes:

  • Added GetSecretValidationStep interface method to WorkflowExecutor with engine-specific implementations
  • Moved secret validation step execution from agent job to activation job (before context variable validation)
  • Updated conclusion job to read secret_verification_result from activation job outputs instead of agent job outputs

Reviewed changes

Copilot reviewed 181 out of 181 changed files in this pull request and generated no comments.

Show a summary per file
File Description
pkg/workflow/agentic_engine.go Added GetSecretValidationStep interface method and BaseEngine default implementation
pkg/workflow/copilot_engine.go Implemented GetSecretValidationStep for Copilot engine (not shown in diff but referenced)
pkg/workflow/claude_engine.go Implemented GetSecretValidationStep for Claude engine
pkg/workflow/codex_engine.go Implemented GetSecretValidationStep for Codex engine
pkg/workflow/gemini_engine.go Implemented GetSecretValidationStep for Gemini engine
pkg/workflow/compiler_activation_jobs.go Added secret validation step to activation job and removed from agent job
pkg/workflow/notify_comment.go Updated conclusion job to reference activation job output instead of agent job
pkg/workflow/*_test.go Updated tests to reflect new step counts and locations
.github/workflows/*.lock.yml Regenerated lock files showing secret validation in activation job
.changeset/patch-move-secret-validation.md Added changeset documenting the patch

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions github-actions bot mentioned this pull request Feb 26, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Copilot code review Copilot Copilot left review comments

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

smoke-copilot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan