
fix: use token instead of github-token for upload-sarif action#23837

Merged
pelikhan merged 2 commits into main from copilot/fix-code-scanning-alerts on Apr 1, 2026

Conversation


Copilot AI commented Apr 1, 2026

github/codeql-action/upload-sarif accepts token as its input name — not github-token. The compiled safe-outputs job was passing github-token:, which triggered an "Unexpected input(s) 'github-token'" warning and caused the token to be silently ignored, breaking GHAS alert uploads.

Changes

  • pkg/workflow/create_code_scanning_alert.go: Adds addUploadSARIFToken helper that emits token: (matching the action's schema) with the same precedence as the rest of the safe-outputs token resolution: per-config → safe-outputs global → GH_AW_GITHUB_TOKEN || GITHUB_TOKEN. Replaces the addSafeOutputGitHubTokenForConfig call in buildUploadCodeScanningSARIFStep with this new helper. Adds debug logging indicating which token source is selected.

  • actions/setup/js/create_code_scanning_alert.cjs: Logs GITHUB_REF, GITHUB_SHA, GITHUB_REPOSITORY, working directory, and SARIF output path at handler startup to aid debugging upload failures (e.g. "commit not found").

  • pkg/workflow/compiler_safe_outputs_job_test.go: Adds assertions scoped to the upload-sarif step section to verify token: is present and github-token: is absent.

Before (broken):

- uses: github/codeql-action/upload-sarif@...
  with:
    github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}  # ← ignored, wrong key
    sarif_file: ...

After (fixed):

- uses: github/codeql-action/upload-sarif@...
  with:
    token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
    sarif_file: ...

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:
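The input-name fix and the token precedence described in this PR, written as an added Go example that is not the gh-aw project's own code: it resolves the `token` value with the precedence the review comment asks to be documented (GitHub App token first), renders the fixed step, and lints compiled workflow text for any upload-sarif step that lacks `token` or carries an undeclared input such as `github-token`, which generalises the PR's test beyond that one key. The SafeOutputs and WorkflowData types, the pinned action version, the sample SARIF path and the list of declared inputs are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed stand-ins for the gh-aw types the PR names; not the project's real structs.
type SafeOutputs struct {
	GitHubToken string    // safe-outputs global github-token
	GitHubApp   *struct{} // non-nil when a GitHub App mints the token
}
type WorkflowData struct{ SafeOutputs *SafeOutputs }

// resolveUploadSARIFToken picks the expression for the `token` input and names its source, with
// the precedence the review asks to be documented: GitHub App, then config, then safe-outputs, then fallback.
func resolveUploadSARIFToken(data *WorkflowData, configToken string) (expr, source string) {
	var so *SafeOutputs
	if data != nil {
		so = data.SafeOutputs
	}
	switch {
	case so != nil && so.GitHubApp != nil:
		return "${{ steps.safe-outputs-app-token.outputs.token }}", "github-app"
	case configToken != "":
		return configToken, "config"
	case so != nil && so.GitHubToken != "":
		return so.GitHubToken, "safe-outputs"
	default:
		return "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}", "default"
	}
}

// uploadSARIFStep renders the compiled step. The key name is the whole fix: the action declares
// `token`; a `github-token:` key is dropped with only an "Unexpected input(s)" warning.
func uploadSARIFStep(data *WorkflowData, configToken, sarifFile string) string {
	expr, _ := resolveUploadSARIFToken(data, configToken)
	return strings.Join([]string{
		"      - name: Upload SARIF to GitHub Code Scanning",
		"        uses: github/codeql-action/upload-sarif@v3", // pinned version assumed
		"        with:",
		"          token: " + expr,
		"          sarif_file: " + sarifFile,
	}, "\n") + "\n"
}
// Inputs upload-sarif declares, as the author knows its action.yml (assumed; verify against the
// pinned version). Any other key under `with:` is ignored by the action.
var declaredUploadSARIFInputs = map[string]bool{
	"sarif_file": true, "checkout_path": true, "token": true, "matrix": true,
	"category": true, "wait-for-processing": true, "ref": true, "sha": true,
}

func indentOf(s string) int { return len(s) - len(strings.TrimLeft(s, " ")) }

// checkUploadSARIFInputs generalises the PR's regression test: every upload-sarif step must carry
// `token`, and every key under its `with:` must be declared. Assumes `with:` follows `uses:`.
func checkUploadSARIFInputs(steps string) []string {
	var problems []string
	lines := strings.Split(steps, "\n")
	for i, l := range lines {
		if !strings.HasPrefix(strings.TrimSpace(l), "uses: github/codeql-action/upload-sarif") {
			continue
		}
		base, inWith, hasToken := indentOf(l), false, false
		for j := i + 1; j < len(lines); j++ {
			trim, ind := strings.TrimSpace(lines[j]), indentOf(lines[j])
			if trim == "" || (ind > base && !inWith) {
				continue // blank line, or a nested key outside the with: block
			}
			if ind < base {
				break // next step, or the end of the steps list
			}
			if ind == base {
				inWith = trim == "with:" // a sibling key such as env: ends the block
				continue
			}
			key := strings.TrimSpace(strings.SplitN(trim, ":", 2)[0])
			hasToken = hasToken || key == "token"
			if !declaredUploadSARIFInputs[key] {
				problems = append(problems, fmt.Sprintf("line %d: input %q is not declared by upload-sarif and is ignored", j+1, key))
			}
		}
		if !hasToken {
			problems = append(problems, fmt.Sprintf("line %d: upload-sarif step has no `token` input", i+1))
		}
	}
	return problems
}

// Constructed copy of the broken "Before" step from the PR description.
const brokenStep = `      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          sarif_file: /tmp/gh-aw/results.sarif
`

func main() { // stand-alone run: report the problems found in the constructed broken step
	fmt.Println(strings.Join(checkUploadSARIFInputs(brokenStep), "\n"))
}
```

Running the check over a repository's compiled `.lock.yml` files catches the same class of silent misconfiguration for any input the action does not declare, not only `github-token`.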


github-actions bot commented Apr 1, 2026

Hey @Copilot 👋 — great to see work starting on the create-code-scanning-alert safe-output bug! The issue description and SARIF upload error trace provide solid context to work from. A few things to address before this is ready for review:

  • No code changes yet — the PR currently has 0 lines changed (just an "Initial plan" commit). The diff and file list are empty, so the actual fix still needs to be implemented.
  • Missing description — the PR body is a copy of the issue context. Once the fix is in, please replace the placeholder with a concrete summary of what was changed and why (e.g., which files were modified, what the root cause was, and how it was fixed).
  • Missing tests — the safe-output create-code-scanning-alert path will need test coverage. The project uses Go tests in files adjacent to the implementation (e.g., internal/safeoutputs/ or the relevant handler file). Follow the pattern in existing *_test.go files there and ensure make test passes.

If you'd like a hand, you can assign this prompt to your coding agent:

Investigate and fix the `create-code-scanning-alert` safe-output handler in the gh-aw repository.

Context from the issue:
- The `create-code-scanning-alert` safe-output is either silently succeeding without creating GHAS alerts, or failing with "commit not found" from the CodeQL upload-sarif action.
- The SARIF upload flow uses `github/codeql-action/upload-sarif` and requires a valid `ref`/`sha` matching an existing commit on GitHub.

Steps:
1. Locate the `create-code-scanning-alert` safe-output handler (likely under `internal/safeoutputs/` or `pkg/safeoutputs/`). Read the full implementation.
2. Add debug logging (using `pkg/console`) to trace the SARIF file path, ref, sha, and token being passed to the CodeQL upload action.
3. Identify why the commit lookup fails ("commit not found") — check whether the `sha` used is the workflow's calling repo commit, and whether the correct `token`/`github-token` parameter name is being used (the action expects `token`, not `github-token`).
4. Fix the root cause. Common issues: wrong parameter name, missing `ref` field, or using the agent runner's SHA instead of the caller repo's SHA.
5. Write a unit test in the adjacent `*_test.go` file covering:
   - Successful SARIF upload path
   - Error returned when commit SHA is not found
6. Run `make agent-finish` to confirm build, test, lint, and recompile all pass.
7. Update the PR description with a clear summary of the root cause and the fix.

Generated by Contribution Check

The github/codeql-action/upload-sarif action uses 'token' as its input
name, not 'github-token'. Using 'github-token' caused a warning
"Unexpected input(s) 'github-token'" and the token was silently ignored.

Changes:
- Add addUploadSARIFToken helper that generates 'token:' (not 'github-token:')
  with the same precedence logic (config > safe-outputs > default fallback)
- Update buildUploadCodeScanningSARIFStep to use the new helper
- Add debug logging for token source selection and GitHub context (ref, SHA, repo)
- Update tests to verify 'token:' is used and 'github-token:' is absent in upload step
- Recompile affected lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/60aadb38-9dd2-45c4-a6a0-42bc9bef3ec9

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix code scanning alerts for safe-output functionality fix: use token instead of github-token for upload-sarif action Apr 1, 2026
Copilot AI requested a review from pelikhan April 1, 2026 05:58
@pelikhan pelikhan marked this pull request as ready for review April 1, 2026 11:19
Copilot AI review requested due to automatic review settings April 1, 2026 11:19

Copilot AI left a comment


Pull request overview

Fixes GitHub Advanced Security SARIF uploads by using the correct input key (token) for github/codeql-action/upload-sarif, and adds targeted debug logging and tests to prevent regression.

Changes:

  • Update SARIF upload step generation to emit with: token: (not github-token:) with safe-outputs token precedence.
  • Add startup debug logs in the create_code_scanning_alert JS handler (ref/SHA/repo/cwd/SARIF path).
  • Extend the safe-outputs compiler test to assert token: is present and github-token: is absent in the upload-sarif step.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Summary per file:

| File | Description |
| --- | --- |
| pkg/workflow/create_code_scanning_alert.go | Switches the upload-sarif input to token and adds a helper to resolve the token source. |
| actions/setup/js/create_code_scanning_alert.cjs | Adds runtime environment/path logging to help debug upload failures. |
| pkg/workflow/compiler_safe_outputs_job_test.go | Adds assertions to ensure the upload-sarif step uses token and not github-token. |
| .github/workflows/daily-semgrep-scan.lock.yml | Updates the compiled workflow to use with: token: for upload-sarif. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Updates the compiled workflow to use with: token: for upload-sarif. |


Comment on lines +89 to +101
// addUploadSARIFToken adds the 'token' input for github/codeql-action/upload-sarif.
// This action uses 'token' as the input name (not 'github-token' like other GitHub Actions).
// Uses precedence: config token > safe-outputs global github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, configToken string) {
	var safeOutputsToken string
	if data.SafeOutputs != nil {
		safeOutputsToken = data.SafeOutputs.GitHubToken
	}

	// If app is configured, use app token
	if data.SafeOutputs != nil && data.SafeOutputs.GitHubApp != nil {
		*steps = append(*steps, " token: ${{ steps.safe-outputs-app-token.outputs.token }}\n")
		return

Copilot AI Apr 1, 2026


The docstring for addUploadSARIFToken says precedence is config token > safe-outputs global github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN, but the implementation returns the GitHub App minted token whenever data.SafeOutputs.GitHubApp != nil, regardless of configToken/safeOutputsToken. Please update the comment to reflect the actual precedence (including where the GitHub App token fits) so future changes don’t rely on an incorrect contract.

	"Upload step should wait for processing")
	// github/codeql-action/upload-sarif uses 'token' not 'github-token'
	// Extract the upload-sarif step section to check it specifically
	uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning")

Copilot AI Apr 1, 2026


uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning") is unlikely to match because the compiled YAML step name line is indented (e.g., it’s emitted as " - name: Upload SARIF to GitHub Code Scanning\n"). This will make the test fail even when the step exists. Update the search string to include the expected indentation (or use a more robust delimiter that doesn’t depend on exact spacing).

Suggested change
uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning")
uploadStepStart := strings.Index(stepsContent, " - name: Upload SARIF to GitHub Code Scanning")

@pelikhan pelikhan merged commit 9c80520 into main Apr 1, 2026
67 checks passed
@pelikhan pelikhan deleted the copilot/fix-code-scanning-alerts branch April 1, 2026 11:30
@github-actions github-actions bot mentioned this pull request Apr 1, 2026


Successfully merging this pull request may close these issues.

create-code-scanning-alert safe-output doesn't seem to work as it should

3 participants