Skip to content

Document GH_AW_GITHUB_TOKEN removal and enterprise 8-day PAT policy#9588

Merged
Evangelink merged 2 commits into
mainfrom
dev/amauryleve/document-gh-aw-token-removal
Jul 3, 2026
Merged

Document GH_AW_GITHUB_TOKEN removal and enterprise 8-day PAT policy#9588
Evangelink merged 2 commits into
mainfrom
dev/amauryleve/document-gh-aw-token-removal

Conversation

@Evangelink

Copy link
Copy Markdown
Member

Why

The Grade Tests on PR agentic workflow (and every other gh-aw workflow here) was failing at the Checkout PR branch step, e.g. run 28666711551 on #9583:

GET /repos/microsoft/testfx/collaborators/Evangelink/permission - 403
GET /repos/microsoft/testfx/pulls/9583 - 403
The 'Microsoft Open Source' enterprise forbids access via a fine-grained
personal access token if the token's lifetime is greater than 8 days.

The enterprise now hard-rejects fine-grained PATs whose lifetime exceeds 8 days. The failing step resolves its token as GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN, so the over-lifetime GH_AW_GITHUB_TOKEN PAT it picked up got 403'd.

Fix

The actual remediation is an ops action, not a code change: delete the GH_AW_GITHUB_TOKEN secret so the compiler's token chain falls back to the built-in per-run GITHUB_TOKEN. This is safe repo-wide because:

  • No source .md workflow uses lockdown: true (removed repo-wide) or references the PAT secrets by hand.
  • All declare min-integrity: none, so nothing forces a custom PAT — they only prefer it when present.
  • All 30 compiled workflows share the identical fallback chain, so a single secret deletion fixes them all at once.

The only residual gap is write-backs on fork PRs (where GITHUB_TOKEN is read-only) — those should move to the org-owned GitHub App already documented in this README.

Change

Docs-only: updates .github/workflows/README.md to

  • reflect the concrete enterprise ≤8-day enforcement (previously worded as "~1 week" org policy),
  • note that GH_AW_GITHUB_TOKEN should be left unset so workflows degrade to GITHUB_TOKEN,
  • record the fast-unblock command and the fork-PR caveat.

No workflow behavior changes; .lock.yml files are untouched (no recompile needed).

Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com

The 'Microsoft Open Source' enterprise now hard-rejects fine-grained PATs whose lifetime exceeds 8 days, which 403s the agentic workflows' 'Checkout PR branch' step. Document the fast unblock (delete GH_AW_GITHUB_TOKEN so the token chain falls back to the built-in GITHUB_TOKEN) and clarify the enterprise policy in the workflows README.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 14:57

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Documentation update to the agentic workflows README, clarifying the enterprise enforcement around fine-grained PAT lifetimes and the intended token fallback behavior so workflows don’t break when GH_AW_GITHUB_TOKEN is present but invalid.

Changes:

  • Updates the PAT policy wording to reflect the enterprise’s hard ≤8-day enforcement and the observed 403 failure mode.
  • Documents that GH_AW_GITHUB_TOKEN should be left unset so workflows fall back to the per-run GITHUB_TOKEN.
  • Adds a “fast unblock” remediation command and notes the fork-PR write-back caveat.
Show a summary per file
File Description
.github/workflows/README.md Updates secrets/auth documentation to reflect the 8-day PAT enforcement and the recommended fallback/remediation steps.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread .github/workflows/README.md Outdated
Comment thread .github/workflows/README.md Outdated
@Evangelink Evangelink enabled auto-merge (squash) July 3, 2026 15:01
Split the token-chain code span so escaped pipes render as || instead of \\|\\|, and keep the gh secret delete command on a single line so the inline code span no longer spans a newline.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note

🤖 Automated review by GitHub Copilot. Posted via a maintainer's GitHub token, so it appears under their account — the account owner did not write or approve this content personally. Generated by the Expert Code Review workflow. To request a follow-up action, reply by tagging @copilot directly.

✅ 22/22 dimensions clean — no findings.

Applicable dimensions verified:

  • §17 Documentation Accuracy — The token fallback chain (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) matches what's compiled into .lock.yml files. The enterprise 8-day PAT enforcement policy, gh secret delete syntax, lockdown removal history, and the fork-PR GITHUB_TOKEN read-only caveat are all factually accurate and consistent with the existing README context.
  • §3 Security — The guidance to reduce secret surface area (delete the PAT, fall back to GITHUB_TOKEN) is sound. No credential exposure risk in the documented command.
  • §21 Scope & PR Discipline — Single-concern docs-only PR, well-motivated by actual workflow failures.

All other dimensions (1–2, 4–16, 18–20, 22) are N/A for this docs-only change.

@Evangelink Evangelink disabled auto-merge July 3, 2026 15:10
@Evangelink Evangelink merged commit 0c3fc2b into main Jul 3, 2026
20 checks passed
@Evangelink Evangelink deleted the dev/amauryleve/document-gh-aw-token-removal branch July 3, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants