9393 id : copilot
9494 timeout-minutes : 30
9595 env :
96- # Copilot CLI auth + Dependabot alerts read. Redacted from logs.
96+ # Copilot CLI auth. Copilot CLI consumes this reserved variable and
97+ # does not expose it to shell tools.
9798 COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_CLI_PAT }}
99+ # Same PAT, available to shell tools for Dependabot alerts reads.
100+ COPILOT_CLI_PAT : ${{ secrets.COPILOT_CLI_PAT }}
98101 # App token used by `gh pr create` and `git push` so the PR
99102 # and commits are authored by github-actions[bot].
100103 GH_TOKEN : ${{ steps.app-token.outputs.token }}
@@ -103,6 +106,15 @@ jobs:
103106 run : |
104107 set -euo pipefail
105108
109+ if [ -z "${COPILOT_CLI_PAT:-}" ]; then
110+ echo "COPILOT_CLI_PAT secret is not configured or is unavailable to this workflow."
111+ exit 1
112+ fi
113+
114+ GH_TOKEN="$COPILOT_CLI_PAT" gh api \
115+ "repos/${REPO}/dependabot/alerts?state=open&per_page=1" \
116+ --jq 'length' >/dev/null
117+
106118 # Inline the skill so behavior is identical even if Copilot CLI
107119 # on the runner does not auto-load .claude/skills/.
108120 SKILL_BODY="$(cat .claude/skills/fix-dependabot-alerts/SKILL.md)"
@@ -117,8 +129,9 @@ jobs:
117129 - A working branch named \`${BRANCH}\` is already created and checked out.
118130 - \`npm ci\` has already installed dependencies.
119131 - \`git\` is configured as github-actions[bot].
120- - \`COPILOT_GITHUB_TOKEN \` is available for \`gh api\` calls that read
132+ - \`COPILOT_CLI_PAT \` is available for \`gh api\` calls that read
121133 Dependabot alerts (e.g. \`gh api repos/${REPO}/dependabot/alerts\`).
134+ - \`COPILOT_GITHUB_TOKEN\` is set for Copilot CLI authentication.
122135 - \`GH_TOKEN\` is a GitHub App token with Contents and Pull requests
123136 write access. Use it (it is already in env) for \`git push\` and
124137 \`gh pr create\`.
@@ -127,16 +140,16 @@ jobs:
127140
128141 1. ALERT ENUMERATION — source of truth.
129142 Run exactly:
130- GH_TOKEN=\$COPILOT_GITHUB_TOKEN gh api \\\\
143+ GH_TOKEN=\$COPILOT_CLI_PAT gh api \\\\
131144 "repos/${REPO}/dependabot/alerts?state=open&per_page=100" \\\\
132145 --paginate \\\\
133- --jq '.[] | {number, ghsa: .security_advisory.ghsa_id, pkg: .dependency.package.name, ecosystem: .dependency.package.ecosystem, severity: .security_vulnerability.severity, scope: .dependency.scope, manifest: .dependency.manifest_path, summary: .security_advisory.summary, vulnerable: .security_vulnerability.vulnerable_version_range, patched: .security_vulnerability.first_patched_version.identifier}'
134- Save the raw output to \` alerts.json\`. The PR description
135- and the count of "alerts fixed" MUST be built one-to-one
136- from this list. Do NOT count transitive-path occurrences
137- of the same alert number as separate alerts. Do NOT
138- inflate counts based on how many \`node_modules/**\`
139- entries appear in \`package-lock.json\`.
146+ --jq '.[] | {number, ghsa: .security_advisory.ghsa_id, pkg: .dependency.package.name, ecosystem: .dependency.package.ecosystem, severity: .security_vulnerability.severity, scope: .dependency.scope, manifest: .dependency.manifest_path, summary: .security_advisory.summary, vulnerable: .security_vulnerability.vulnerable_version_range, patched: .security_vulnerability.first_patched_version.identifier}' \\\\
147+ > alerts.json
148+ The PR description and the count of "alerts fixed" MUST
149+ be built one-to-one from \`alerts.json\`. Do NOT count
150+ transitive-path occurrences of the same alert number as
151+ separate alerts. Do NOT inflate counts based on how many
152+ \`node_modules/**\` entries appear in \`package-lock.json\`.
140153
141154 2. ZERO ALERTS — exit cleanly.
142155 If step 1 returns an empty list, do not commit, do not
@@ -227,7 +240,7 @@ jobs:
227240 -s \
228241 --no-ask-user \
229242 --allow-tool 'shell(npm:*), shell(npx:*), shell(gh:*), shell(git:*), shell(node:*), write, read' \
230- --secret-env-vars 'COPILOT_CLI_PAT' \
243+ --secret-env-vars 'COPILOT_CLI_PAT,GH_TOKEN ' \
231244 --share ./copilot-session.md \
232245 | tee copilot-output.txt
233246
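Review bot: Exporting the PAT a second time as `COPILOT_CLI_PAT` (the new env line after `COPILOT_GITHUB_TOKEN`) makes it readable by every allowed shell tool, including `npm`, `npx` and `node`, which execute package scripts, whereas the removed comment indicates the reserved variable was kept out of shell tools; `--secret-env-vars` in the final hunk appears to govern redaction of the value in output, not which processes can read it. The env comment should state this, e.g. `# Exposed to shell tools; keep this PAT scoped to read-only Dependabot alerts on this repo.`, and the PAT's actual permissions should be confirmed to match. The preflight `gh api` call in the `@@ -103,6 +106,15 @@` hunk aborts via `set -e` on a permission error but prints only gh's raw message; appending `|| { echo "COPILOT_CLI_PAT cannot read Dependabot alerts for ${REPO}."; exit 1; }` would make a scope mismatch as explicit as the missing-secret case above it. If the trailing space inside `'COPILOT_CLI_PAT,GH_TOKEN '` is real rather than a rendering artifact, `GH_TOKEN` would not match the variable name and would go unredacted; the same applies to the backtick-quoted `COPILOT_CLI_PAT ` in the prompt text. The enclosing `run` step starts and ends outside the visible hunks.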