Document GH_AW_GITHUB_TOKEN removal and enterprise 8-day PAT policy#9588
Conversation
The 'Microsoft Open Source' enterprise now hard-rejects fine-grained PATs whose lifetime exceeds 8 days, which 403s the agentic workflows' 'Checkout PR branch' step. Document the fast unblock (delete GH_AW_GITHUB_TOKEN so the token chain falls back to the built-in GITHUB_TOKEN) and clarify the enterprise policy in the workflows README. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Documentation update to the agentic workflows README, clarifying the enterprise enforcement around fine-grained PAT lifetimes and the intended token fallback behavior so workflows don’t break when GH_AW_GITHUB_TOKEN is present but invalid.
Changes:
- Updates the PAT policy wording to reflect the enterprise’s hard ≤8-day enforcement and the observed 403 failure mode.
- Documents that
GH_AW_GITHUB_TOKENshould be left unset so workflows fall back to the per-runGITHUB_TOKEN. - Adds a “fast unblock” remediation command and notes the fork-PR write-back caveat.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/README.md |
Updates secrets/auth documentation to reflect the 8-day PAT enforcement and the recommended fallback/remediation steps. |
Review details
- Files reviewed: 1/1 changed files
- Comments generated: 2
- Review effort level: Low
Split the token-chain code span so escaped pipes render as || instead of \\|\\|, and keep the gh secret delete command on a single line so the inline code span no longer spans a newline. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Note
🤖 Automated review by GitHub Copilot. Posted via a maintainer's GitHub token, so it appears under their account — the account owner did not write or approve this content personally. Generated by the Expert Code Review workflow. To request a follow-up action, reply by tagging @copilot directly.
✅ 22/22 dimensions clean — no findings.
Applicable dimensions verified:
- §17 Documentation Accuracy — The token fallback chain (
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) matches what's compiled into.lock.ymlfiles. The enterprise 8-day PAT enforcement policy,gh secret deletesyntax,lockdownremoval history, and the fork-PRGITHUB_TOKENread-only caveat are all factually accurate and consistent with the existing README context. - §3 Security — The guidance to reduce secret surface area (delete the PAT, fall back to
GITHUB_TOKEN) is sound. No credential exposure risk in the documented command. - §21 Scope & PR Discipline — Single-concern docs-only PR, well-motivated by actual workflow failures.
All other dimensions (1–2, 4–16, 18–20, 22) are N/A for this docs-only change.
Why
The
Grade Tests on PRagentic workflow (and every other gh-aw workflow here) was failing at the Checkout PR branch step, e.g. run 28666711551 on #9583:The enterprise now hard-rejects fine-grained PATs whose lifetime exceeds 8 days. The failing step resolves its token as
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN, so the over-lifetimeGH_AW_GITHUB_TOKENPAT it picked up got 403'd.Fix
The actual remediation is an ops action, not a code change: delete the
GH_AW_GITHUB_TOKENsecret so the compiler's token chain falls back to the built-in per-runGITHUB_TOKEN. This is safe repo-wide because:.mdworkflow useslockdown: true(removed repo-wide) or references the PAT secrets by hand.min-integrity: none, so nothing forces a custom PAT — they only prefer it when present.The only residual gap is write-backs on fork PRs (where
GITHUB_TOKENis read-only) — those should move to the org-owned GitHub App already documented in this README.Change
Docs-only: updates
.github/workflows/README.mdtoGH_AW_GITHUB_TOKENshould be left unset so workflows degrade toGITHUB_TOKEN,No workflow behavior changes;
.lock.ymlfiles are untouched (no recompile needed).Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com