Skip to content

Enterprise: replace hardcoded github.com with GITHUB_SERVER_URL in safe output JS#19621

Open
Copilot wants to merge 6 commits intomainfrom
copilot/review-js-github-usage
Open

Enterprise: replace hardcoded github.com with GITHUB_SERVER_URL in safe output JS#19621
Copilot wants to merge 6 commits intomainfrom
copilot/review-js-github-usage

Conversation

Copy link
Contributor

Copilot AI commented Mar 4, 2026
edited by github-actions bot
Loading

Hardcoded https://github.com in safe output handlers breaks GitHub Enterprise Server (GHES) deployments. Most critically, extra_empty_commit.cjs was constructing git remote URLs with a hardcoded domain, causing fatal: could not read Username for 'https://github.com' auth failures on GHES.

Changes

  • extra_empty_commit.cjs — Critical: git remote URL now uses GITHUB_SERVER_URL hostname instead of hardcoded github.com

    // Before
const remoteUrl = `https://x-access-token:${token}@github.com/${repoOwner}/${repoName}.git`;
// After
const serverHostStripped = (process.env.GITHUB_SERVER_URL || "https://github.com").replace(/^https?:\/\//, "");
const remoteUrl = `https://x-access-token:${token}@${serverHostStripped}/${repoOwner}/${repoName}.git`;

  • safe_outputs_handlers.cjsupload_asset URL construction: replaces broken .replace("github.com", "raw.githubusercontent.com") pattern (fails silently on GHES) with explicit branching: raw.githubusercontent.com for github.com, {server}/{repo}/raw/{branch}/{file} for GHES

  • validate_secrets.cjs — REST API calls use GITHUB_API_URL, GraphQL uses GITHUB_GRAPHQL_URL, settings link uses GITHUB_SERVER_URL

  • autofix_code_scanning_alert.cjs, create_project.cjs, check_workflow_timestamp_api.cjs, merge_remote_agent_github_folder.cjs — Display URLs switched to GITHUB_SERVER_URL

Tests

Added cases to extra_empty_commit.test.cjs and safe_outputs_handlers.test.cjs verifying correct URL generation for both github.com and GHES hosts.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/pkg/tool/linux_amd64/vet git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha user.name Test User /usr/bin/git /tmp/go-build894git -trimpath 64/bin/go git init�� -lang=go1.17 go /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -bool -buildtags /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu^remote\..*\.gh-resolved$ -ato�� -bool l /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x--jq (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha g_.a GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env e63849dIM .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/lib/git-core/git -json GO111MODULE x_amd64/vet /usr/lib/git-core/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/gh-aw-test-runs/20260304-155539-27768/test-2618530950 rev-parse .cfg k/gh-aw/gh-aw/pkgit k/gh-aw/gh-aw/pkrev-parse 64/bin/go git conf�� --get remote.origin.url /usr/bin/git /tmp/go-build894git -trimpath 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 626167/b391/impo-buildtags .cfg che/go-build/12/git GOPROXY 64/bin/go git conf�� user.name Test User 3341830/b433/workflow.test /tmp/go-build894git -trimpath 64/bin/go 3341830/b433/workflow.test (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git tants.go tants_test.go 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq .object.sha 5539-27768/test-784333436 GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x--jq ortc�� se stmain.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq .object.sha eutil.test GO111MODULE ortcfg.link GOINSECURE GOMOD GOMODCACHE FpiJ9ENbZatjTay5oJ/BhqTCoRMGewfs-tests -ato�� 3341830/b416/_pkg_.a -buildtags g_.a -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha CA3A/XoVMQpTizkfGOSUMDB GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 626167/b415/impo-buildtags /hom�� che/go-build/b1/-errorsas **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool /opt/hostedtoolc-buildtags (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --check '**/*.cjs' '*GOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go git -c log.showsignature=false log 64/bin/go -d --format=format:-atomic 6b7f8f2846f5 go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --check '**/*.cjs' '*GOINSECURE ache/go/1.25.0/x64/src/internal/GOMOD 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc/tmp/go-build3133341830/b252/vet.cfg -o /tmp/go-build894626167/b355/_pkgGOINSECURE -trimpath 64/bin/go -d main -lang=go1.25 go (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url ache/node/24.13.1/x64/bin/node "prettier" --chegit ache/go/1.25.0/xrev-parse 64/bin/go git t-42�� k/gh-aw/gh-aw/.github/workflows/auto-triage-issues.md remote.origin.url /opt/hostedtoolcache/node/24.13.1/x64/bin/node /tmp/go-build894git -trimpath 64/bin/go node (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel 626167/b386/impo-buildtags /usr/bin/git pkg/mod/github.cgit pkg/mod/github.crev-parse 64/bin/go git conf�� user.name Test User e/git-remote-https /tmp/go-build894git -trimpath 64/bin/go e/git-remote-https (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha se .cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� runs/20260304-155539-27768/test-2723272954/.github/workflows /tmp/go-build3133341830/b003/vet.cfg ache/node/24.13.1/x64/bin/node l GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha e63849dIM .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env ternal/tools/generate-action-metadata/main.go GO111MODULE tartedAt,updatedAt,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 9145/001/stability-test.md GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linuTest User (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet estl�� -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /opt�� prettier --check 64/bin/go --ignore-path .prettierignore 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 --quiet 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE OhGqih4/C5EvyQA3x6PSYtu1bbVC env ty-test.md GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
    • Triggering command: /opt/hostedtoolcache/node/24.13.1/x64/bin/node /opt/hostedtoolcache/node/24.13.1/x64/bin/node --conditions node --conditions development --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js m ules/.bin/git git serv�� -u =main git /tmp/git-patch-ogit git k/node_modules/.HEAD git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha "prettier" --check 'scripts/**/*GOINSECURE bash 64/bin/go tierignore git 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha "prettier" --check 'scripts/**/*GOINSECURE bash 64/bin/go tierignore git 64/bin/go go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore git 64/bin/go go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha echo "��� JavaScript formatting GOINSECURE /opt/hostedtoolcGO111MODULE 64/bin/go tierignore cmd/gh-aw/argume-atomic 64/bin/go go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore git 64/bin/go go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 738624516/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go sh -c "prettier" --che-errorsas git 64/bin/go --verify --quiet 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go sh -c "prettier" --check 'scripts/**/*GOINSECURE git 64/bin/go --verify --quiet 64/bin/go go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build3133341830/b383/cli.test /tmp/go-build3133341830/b383/cli.test -test.testlogfile=/tmp/go-build3133341830/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE 626167/b381/impo/tmp/go-build3133341830/b144/vet.cfg -c pkg/mod/github.com/stretchr/testGOINSECURE pkg/mod/github.com/stretchr/testGOMOD 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-buildtags (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Review all uses of https://github.com in safe output JavaScript and ensure it is enterprise ready with non github domain name.

Some additional info from the local agent. Not sure how accurate
Root Cause: Git Authentication Failure

The push_to_pull_request_branch safe-output MCP tool failed because git
credentials weren't available inside the AWF container:

fatal: could not read Username for 'https://github.com': No such device or
address

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Changeset

  • Type: patch
  • Description: Ensure safe output helpers build URLs from the configured GitHub server (GITHUB_SERVER_URL) so GHES hosts no longer try to contact hardcoded github.com addresses.

Generated by Changeset Generator for issue #19621 ·

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "github.com"

See Network Configuration for more information.

✨ PR Review Safe Output Test - Run 22681805201

💥 [THE END] — Illustrated by Smoke Claude ·

@pelikhan
Initial plan: enterprise-ready fixes for hardcoded github.com in safe…
6b7f8f2 
… output JS

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Mar 4, 2026
Closed
@pelikhan
fix: enterprise-ready fixes for hardcoded github.com in safe output JS
77224e1 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Review JavaScript for safe output GitHub URL usage Enterprise: replace hardcoded github.com with GITHUB_SERVER_URL in safe output JS Mar 4, 2026
@pelikhan pelikhan marked this pull request as ready for review March 4, 2026 16:13
Copilot AI review requested due to automatic review settings March 4, 2026 16:13
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Makes the “safe output” JavaScript utilities GitHub Enterprise Server (GHES) compatible by removing hardcoded https://github.com usage and instead deriving host/API endpoints from the standard GITHUB_*_URL environment variables.

Changes:

  • Update git remote construction and display links to respect GITHUB_SERVER_URL (fixing auth failures on GHES).
  • Make upload_asset raw-URL generation enterprise-aware (dotcom uses raw.githubusercontent.com, GHES uses same-host /raw/ URLs).
  • Switch secret validation API endpoints to GITHUB_API_URL / GITHUB_GRAPHQL_URL, and add tests for URL generation on both dotcom and GHES.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file
File Description
actions/setup/js/extra_empty_commit.cjs Builds authenticated git remote using GITHUB_SERVER_URL host instead of hardcoded github.com.
actions/setup/js/extra_empty_commit.test.cjs Adds coverage for default vs GHES GITHUB_SERVER_URL remote URL behavior.
actions/setup/js/safe_outputs_handlers.cjs Reworks upload_asset URL generation to handle dotcom vs GHES raw URL patterns correctly.
actions/setup/js/safe_outputs_handlers.test.cjs Adds tests verifying URL generation for github.com and GHES hosts.
actions/setup/js/validate_secrets.cjs Uses GITHUB_API_URL / GITHUB_GRAPHQL_URL for API checks and GITHUB_SERVER_URL for settings link.
actions/setup/js/merge_remote_agent_github_folder.cjs Replaces hardcoded repo clone URL with GITHUB_SERVER_URL base.
actions/setup/js/create_project.cjs Uses GITHUB_SERVER_URL for generated issue URLs.
actions/setup/js/check_workflow_timestamp_api.cjs Uses GITHUB_SERVER_URL for commit links in step summary output.
actions/setup/js/autofix_code_scanning_alert.cjs Uses GITHUB_SERVER_URL for the created-autofix display URL.
Comments suppressed due to low confidence (2)

actions/setup/js/validate_secrets.cjs:106

  • GITHUB_API_URL may include a non-default port (e.g., https://ghe.example.com:8443/api/v3). Using apiUrl.hostname drops the port, so https.request will connect to the wrong port. Consider passing apiUrl.port into the request options (and/or switching makeRequest to accept a full URL/URL object) so enterprise installs on custom ports work correctly.

This issue also appears on line 163 of the same file.

    const apiUrl = new URL(process.env.GITHUB_API_URL || "https://api.github.com");
    const result = await makeRequest(apiUrl.hostname, `${apiUrl.pathname.replace(/\/$/, "")}/repos/${owner}/${repo}`, {
      "User-Agent": "gh-aw-secret-validation",
      Authorization: `Bearer ${token}`,
      Accept: "application/vnd.github+json",
      "X-GitHub-Api-Version": "2022-11-28",
    });

actions/setup/js/validate_secrets.cjs:167

  • GITHUB_GRAPHQL_URL can include a non-default port; using graphqlUrl.hostname ignores it, so GraphQL validation may hit the wrong port. Include graphqlUrl.port in the https.request options (and consider using graphqlUrl.pathname + graphqlUrl.search if query params are ever present).
      const graphqlUrl = new URL(process.env.GITHUB_GRAPHQL_URL || "https://api.github.com/graphql");
      const options = {
        hostname: graphqlUrl.hostname,
        path: graphqlUrl.pathname,
        method: "POST",

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@pelikhan pelikhan added the smoke label Mar 4, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026
edited
Loading

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026
edited
Loading

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026
edited
Loading

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.4
curl 8.5.0
gh 2.87.3
node 20.20.0
python3 3.12.3
go 1.24.13
java 10.0.102
dotnet 10.0.102

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test ·

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Commit pushed: 09fb33e

Generated by Changeset Generator

@github-actions github-actions bot mentioned this pull request Mar 4, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

@pelikhan Smoke test results for PR #19621:

  1. GitHub MCP ✅ | 2. GH CLI ✅ | 3. Serena MCP ❌ | 4. Playwright ✅
  2. Web Fetch ✅ | 6. File Write ✅ | 7. Bash ✅ | 8. Discussion ✅
  3. Build ✅ | 10. Discussion Create ✅ | 11. Haiku Dispatch ✅ | 12. PR Review ✅

Overall: ⚠️ PARTIAL PASS (11/12) — Serena MCP tools unavailable

📰 BREAKING: Report filed by Smoke Copilot ·

@github-actions github-actions bot removed the smoke label Mar 4, 2026
github-actions[bot]
github-actions bot reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR correctly replaces hardcoded github.com with GITHUB_SERVER_URL throughout the JS action files, enabling GitHub Enterprise Server compatibility. The changes are consistent and the new tests cover both default and enterprise server URL scenarios. LGTM!

📰 BREAKING: Report filed by Smoke Copilot

actions/setup/js/extra_empty_commit.cjs

// Configure git remote with the token for authentication
const remoteUrl = `https://x-access-token:${token}@github.com/${repoOwner}/${repoName}.git`;
const githubServerUrl = process.env.GITHUB_SERVER_URL || "https://github.com";
Copy link
Contributor

@github-actions github-actions bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The replace(/^https?:\/\//, "") correctly strips the protocol. This pattern is consistent with the enterprise support approach used elsewhere in this PR.

actions/setup/js/safe_outputs_handlers.cjs
}

// Create entry for safe outputs
const entry = {
Copy link
Contributor

@github-actions github-actions bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good approach using new URL() for hostname extraction. One minor note: the catch block fallback uses the same pattern as the GHE branch, which is correct. Consider adding a comment explaining the raw.githubusercontent.com vs /raw/ path difference for future maintainers.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions github-actions bot mentioned this pull request Mar 4, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Smoke Test Results — Run §22681805201

Test Status
1 GitHub MCP
2 SafeInputs GH CLI
3 Serena MCP
4 Make Build
5 Playwright
6 Tavily Search
7-8 File Write/Bash
9 Discussion
10 Agentic Workflows
11 Update PR
12 PR Review Comments
13 Submit PR Review
14 Resolve Thread ⚠️ Skipped
15 Add Reviewer
16 Push to Branch
17 Close PR ⚠️ Skipped

Overall: PARTIAL (2 skipped, 0 failed)

💥 [THE END] — Illustrated by Smoke Claude ·

github-actions[bot]
github-actions bot reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Copilot code review Copilot Copilot left review comments

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

smoke-claude

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan