Summary
The auto-generated conclusion job is reachable on workflow runs where the configured GitHub App secrets (GH_AW_APP_ID / GH_AW_APP_PRIVATE_KEY) are not available to the workflow context, most commonly on pull_request events from forks, where GitHub does not pass repo/org secrets to the runner, even after manual approval. The conclusion job's first step (actions/create-github-app-token) then fails with:
Error: The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string.
This puts a red ❌ on every PR opened from a fork (where repo/org secrets are not exposed to the workflow context). The bug is that the App-token mint step doesn't tolerate the secret being empty.
Environment
Reproduction
-
Author a workflow .md with:
on:
pull_request:
branches: [main]
safe-outputs:
github-app:
client-id: ${{ secrets.GH_AW_APP_ID }}
private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
add-comment:
max: 3
-
gh aw compile.
-
Trigger the workflow in a context where the App secrets are unavailable — easiest repro is opening a PR from a fork. (Same symptom on any run if the org just hasn't set up GH_AW_APP_ID yet.)
-
Observe: when the run reaches the conclusion job (after a cancellation, failure, or any non-skipped agent outcome), the Generate GitHub App token step fails with the client-id required error above.
Why is this a problem
Specifically: a first contribution from an external contributor, where GitHub's first-time-contributor approval gate holds the workflow as action_required, and multiple events queue up while waiting (e.g. the PR is opened, then a comment is posted, both events trigger the workflow). When a maintainer eventually approves, both queued runs fire at once, cancel-in-progress: true on the shared concurrency group cancels one, and the conclusion job then trips on create-github-app-token because fork PRs aren't passed repo/org secrets.
Root cause
This section is AI-generated, if you want to not consider this, feel free to ignore this section.
In pkg/workflow/notify_comment.go:493-545, the App-token step is added unconditionally:
- name: Generate GitHub App token
id: safe-outputs-app-token
uses: actions/create-github-app-token@...
with:
client-id: ${{ secrets.GH_AW_APP_ID }}
private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
...There's no if: guard on this step, so when secrets.GH_AW_APP_ID evaluates to empty string, actions/create-github-app-token errors out and fails the whole job.
Proposed fix
This section is AI-generated, if you want to not consider this, feel free to ignore this section.
Guard the App-token step (and the downstream steps that use its output) so the conclusion job degrades gracefully when secrets aren't available.
-
Add an if: to the Generate GitHub App token step:
- name: Generate GitHub App token
id: safe-outputs-app-token
if: ${{ env.GH_AW_APP_ID != '' }}
env:
GH_AW_APP_ID: ${{ secrets.GH_AW_APP_ID }}
uses: actions/create-github-app-token@...(Using env: is necessary because secrets.* isn't allowed in step-level if: directly.)
Summary
The auto-generated
conclusionjob is reachable on workflow runs where the configured GitHub App secrets (GH_AW_APP_ID/GH_AW_APP_PRIVATE_KEY) are not available to the workflow context, most commonly onpull_requestevents from forks, where GitHub does not pass repo/org secrets to the runner, even after manual approval. The conclusion job's first step (actions/create-github-app-token) then fails with:This puts a red ❌ on every PR opened from a fork (where repo/org secrets are not exposed to the workflow context). The bug is that the App-token mint step doesn't tolerate the secret being empty.
Environment
v0.71.5pull_requestwithsafe-outputs:configured (status comments, missing-tool, etc.)Reproduction
Author a workflow
.mdwith:gh aw compile.Trigger the workflow in a context where the App secrets are unavailable — easiest repro is opening a PR from a fork. (Same symptom on any run if the org just hasn't set up
GH_AW_APP_IDyet.)Observe: when the run reaches the
conclusionjob (after a cancellation, failure, or any non-skipped agent outcome), theGenerate GitHub App tokenstep fails with theclient-id requirederror above.Why is this a problem
Specifically: a first contribution from an external contributor, where GitHub's first-time-contributor approval gate holds the workflow as
action_required, and multiple events queue up while waiting (e.g. the PR is opened, then a comment is posted, both events trigger the workflow). When a maintainer eventually approves, both queued runs fire at once,cancel-in-progress: trueon the shared concurrency group cancels one, and theconclusionjob then trips oncreate-github-app-tokenbecause fork PRs aren't passed repo/org secrets.Root cause
This section is AI-generated, if you want to not consider this, feel free to ignore this section.
In
pkg/workflow/notify_comment.go:493-545, the App-token step is added unconditionally:There's no
if:guard on this step, so whensecrets.GH_AW_APP_IDevaluates to empty string,actions/create-github-app-tokenerrors out and fails the whole job.Proposed fix
This section is AI-generated, if you want to not consider this, feel free to ignore this section.
Guard the App-token step (and the downstream steps that use its output) so the conclusion job degrades gracefully when secrets aren't available.
Add an
if:to theGenerate GitHub App tokenstep:(Using
env:is necessary becausesecrets.*isn't allowed in step-levelif:directly.)