Copilot AI commented Jan 24, 2026

Add GitHub App Token Support for GitHub MCP Server

✅ Completed

  • Understand current safe-outputs.app implementation
  • Add app configuration to tools.github
  • Generate token minting steps for GitHub MCP server (similar to safe-outputs)
  • Override default token with app token when configured
  • Match permissions from agent job permissions
  • Add token invalidation step
  • Add tests for new functionality
  • Update JSON schema
  • Run validation suite (fmt, tests)
  • Rename safe-outputs app-token to safe-outputs-app-token
  • Create shared agentic workflow for GitHub MCP app configuration
  • Use shared workflow in smoke-claude
  • Use consistent env variable names (APP_ID, APP_PRIVATE_KEY)

📝 Implementation Summary

New Feature: GitHub App token minting for GitHub MCP server

Step IDs (updated naming):

  • Safe-outputs token: safe-outputs-app-token (renamed from app-token)
  • GitHub MCP token: github-mcp-app-token
  • Token references:
    • Safe-outputs: ${{ steps.safe-outputs-app-token.outputs.token }}
    • GitHub MCP: ${{ steps.github-mcp-app-token.outputs.token }}

Shared Workflow: shared/github-mcp-app.md

  • Provides centralized GitHub App configuration for GitHub MCP server
  • Uses repository variables: APP_ID, APP_PRIVATE_KEY (same as safe-outputs)
  • Automatically mints and invalidates tokens
  • Permissions auto-mapped from agent job permissions

Configuration Example:

Direct configuration:

tools:
  github:
    mode: local  # or remote
    app:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
      repositories:  # optional
        - "repo1"
        - "repo2"

Using shared workflow (recommended):

imports:
  - shared/github-mcp-app.md
permissions:
  contents: read
  issues: write
tools:
  github:
    toolsets: [repos, issues, pull_requests]

Repository Variables (shared between safe-outputs and GitHub MCP):

  • APP_ID - GitHub App ID
  • APP_PRIVATE_KEY - GitHub App private key

How it Works:

  1. Token Minting: At workflow start, mints a GitHub App installation access token with permissions matching the agent job's permissions field
  2. Override Behavior: App token takes precedence over github-token and default token fallback
  3. Auto Permissions: Automatically computes permissions from agent job (e.g., contents: read, issues: write)
  4. Token Cleanup: Token is invalidated at workflow end (even on failure) using if: always() condition
  5. Both Modes: Works with local (Docker) and remote (hosted) GitHub MCP modes

Files Changed:

  • tools_types.go: Added App *GitHubAppConfig field to GitHubToolConfig
  • tools_parser.go: Added parsing for app configuration
  • mcp_github_config.go: Added token minting and invalidation step generators
  • compiler_yaml_main_job.go: Integrated minting (before MCP setup) and invalidation (at job end)
  • mcp_environment.go: Updated token precedence to prioritize app token
  • main_workflow_schema.json: Added app property to GitHub tool schema with consistent variable names
  • github_mcp_app_token_test.go: 4 comprehensive tests using APP_ID and APP_PRIVATE_KEY
  • safe_outputs_app.go: Renamed step ID from app-token to safe-outputs-app-token
  • safe_outputs_env.go: Updated token references
  • compiler_safe_outputs_steps.go: Updated token references
  • shared/github-mcp-app.md: New shared workflow for GitHub MCP app configuration (uses APP_ID, APP_PRIVATE_KEY)
  • smoke-claude.md: Updated to use shared github-mcp-app workflow
  • Test files: Updated expectations for new step ID and consistent variable names

✅ Testing

All tests passing:

  • TestGitHubMCPAppTokenConfiguration - Config parsing
  • TestGitHubMCPAppTokenMintingStep - Step generation with APP_ID/APP_PRIVATE_KEY
  • TestGitHubMCPAppTokenOverridesDefaultToken - Override behavior
  • TestGitHubMCPAppTokenWithRemoteMode - Remote mode support
  • ✅ All safe-outputs app tests pass with renamed step ID
  • ✅ smoke-claude.md compiles successfully with GitHub App token integration

Original prompt

Add support for minting a token using a GitHub app for the GitHub MCP server.

  • configured similarly to safe-outputs.all
  • generate the steps to create and invalidate token like in safe outputs
  • overrides other tokens
  • permissions match the GitHub actions permissions defined in the agent job


Changeset

  • Type: patch
  • Description: Added GitHub App token minting for the GitHub MCP server tooling and workflows.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator
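
The permission mapping described in "How it Works" above, as an added Go sketch that is not code from this pull request: it turns the agent job's `permissions` into per-scope inputs for a token-minting step and fails closed when nothing maps. It assumes the minting step uses `actions/create-github-app-token` with its `permission-<scope>` inputs (the page does not name the action); `PermissionInputs`, `MintStep` and `notAppScopes` are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Job permission keys with no GitHub App counterpart (id-token governs OIDC only).
var notAppScopes = map[string]bool{"id-token": true}

// PermissionInputs maps job permissions to sorted "permission-<scope>: <level>" inputs.
func PermissionInputs(jobPerms map[string]string) ([]string, error) {
	scopes := make([]string, 0, len(jobPerms))
	for s := range jobPerms {
		scopes = append(scopes, s)
	}
	sort.Strings(scopes) // deterministic output for compiled workflows
	var inputs []string
	for _, s := range scopes {
		switch level := jobPerms[s]; {
		case notAppScopes[s] || level == "none":
			continue
		case level == "read" || level == "write":
			inputs = append(inputs, fmt.Sprintf("permission-%s: %s", s, level))
		default:
			return nil, fmt.Errorf("permission %q: unsupported level %q", s, level)
		}
	}
	if len(inputs) == 0 {
		// Without permission-* inputs the token inherits every installation permission.
		return nil, fmt.Errorf("no mappable permissions; refusing to mint an unscoped token")
	}
	return inputs, nil
}

// MintStep renders the minting step; the action name and version are assumptions.
func MintStep(jobPerms map[string]string) (string, error) {
	inputs, err := PermissionInputs(jobPerms)
	if err != nil {
		return "", err
	}
	head := "- id: github-mcp-app-token\n  uses: actions/create-github-app-token@v2\n  with:\n" +
		"    app-id: ${{ vars.APP_ID }}\n    private-key: ${{ secrets.APP_PRIVATE_KEY }}\n    "
	return head + strings.Join(inputs, "\n    ") + "\n", nil
}

func main() {
	// Constructed sample: the permissions from the shared-workflow example plus id-token.
	fmt.Println(MintStep(map[string]string{"contents": "read", "issues": "write", "id-token": "write"}))
}
```
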

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

@copilot rename app-token step (for safe-outputs) to safe-outputs-app-token

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for minting token with GitHub app for mcp server" to "Add GitHub App token minting for GitHub MCP server" Jan 24, 2026
Copilot AI requested a review from pelikhan January 24, 2026 13:51
- Changed step ID from "app-token" to "safe-outputs-app-token" in safe_outputs_app.go
- Updated all references to steps.app-token.outputs.token -> steps.safe-outputs-app-token.outputs.token
- Updated mcp_github_config.go to replace "safe-outputs-app-token" with "github-mcp-app-token"
- Updated test expectations for new step ID naming

This differentiates safe-outputs app tokens from GitHub MCP app tokens.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 24, 2026

@copilot rename app-token step (for safe-outputs) to safe-outputs-app-token

Done in 3c3d6b9. Renamed safe-outputs app-token step to safe-outputs-app-token, and updated all references throughout the codebase. The GitHub MCP app token continues to use github-mcp-app-token.

@pelikhan

@copilot create a shared agentic workflow that configures the GitHub MCP to use the app for the current repo. Use in smoke-Claude

- Created .github/workflows/shared/github-mcp-app.md shared workflow
- Configures GitHub MCP server to use GitHub App for authentication
- Updated smoke-claude.md to import the shared configuration
- Recompiled all workflows to apply safe-outputs-app-token renaming

The shared workflow provides:
- Centralized GitHub App configuration for MCP server
- Automatic token minting with permission mapping
- Token invalidation on workflow end
- Repository-scoped variables (GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 24, 2026

@copilot create a shared agentic workflow that configures the GitHub MCP to use the app for the current repo. Use in smoke-Claude

Done in d1acc15. Created shared/github-mcp-app.md that configures GitHub MCP to use GitHub App authentication for the current repo, and updated smoke-claude to import it.

The shared workflow:

  • Uses repository variables GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY
  • Automatically mints tokens with permissions from the agent job
  • Invalidates tokens on workflow end
  • Works with both local and remote GitHub MCP modes

@pelikhan

@copilot use the same env variable names as for the safe output app

- Updated shared/github-mcp-app.md to use APP_ID and APP_PRIVATE_KEY (same as safe-outputs)
- Updated test file to use APP_ID and APP_PRIVATE_KEY for consistency
- Updated schema examples to consistently use APP_ID and APP_PRIVATE_KEY

This ensures both safe-outputs and GitHub MCP use the same repository variables.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 24, 2026

@copilot use the same env variable names as for the safe output app

Done in 1e78b89. Updated all references to use APP_ID and APP_PRIVATE_KEY (matching safe-outputs) instead of GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY. This includes the shared workflow, tests, and schema examples.

@github-actions

github-actions bot commented Jan 24, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

github-actions bot commented Jan 24, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions bot commented Jan 24, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

Smoke Test Results ✅

PR #11678: Add report formatting guidelines to daily-compiler-quality workflow
PR #11661: Abstract manual ANSI escape sequences to console package

✅ GitHub MCP
✅ Safe Inputs GH CLI
✅ Serena MCP
✅ Playwright
✅ File Writing
✅ Bash Tool
✅ Discussion Interaction

Status: PASS

Run: §21318175451

cc @pelikhan

AI generated by Smoke Copilot

@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Add report formatting guidelines to daily-compiler-quality workflow ✅
Abstract manual ANSI escape sequences to console package ✅
[WIP] Add action folder setup-cli for gh-aw extension installation ✅
Refactor ParseWorkflowFile: 383→74 lines via helper extraction ✅
Serena activate ✅
Playwright title ✅
Tavily search ✅
File write/read ✅
Discussion query/comment ✅
Overall: PASS

AI generated by Smoke Codex

@github-actions

Smoke Test Results

  • Add report formatting guidelines to daily-compiler-quality workflow
  • Abstract manual ANSI escape sequences to console package

✅ GitHub MCP Testing
✅ Safe Inputs GH CLI Testing
✅ Serena MCP Testing
✅ Make Build Testing
✅ Playwright Testing
✅ Tavily Web Search Testing
✅ File Writing Testing
✅ Bash Tool Testing
✅ Discussion Interaction Testing

Overall Status: PASS

AI generated by Smoke Claude

@pelikhan pelikhan marked this pull request as ready for review January 24, 2026 16:51
@pelikhan pelikhan merged commit fd1a9e3 into main Jan 24, 2026
84 checks passed
@pelikhan pelikhan deleted the copilot/add-github-app-token-minting branch January 24, 2026 16:52
github-actions bot pushed a commit that referenced this pull request Jan 24, 2026
Document the new GitHub App authentication feature for GitHub MCP server
added in PR #11660. This feature enables short-lived, automatically-revoked
tokens with automatic permission mapping from job permissions.

Key additions to tools reference:
- New "GitHub App Authentication" section
- Configuration with app-id and private-key
- Benefits: short-lived tokens, auto-revocation, no PAT rotation
- Setup instructions and shared workflow pattern
- Token precedence and permission mapping documentation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>