Safe Output custom token source

[strawgate]

Right now, safe outputs support github_token and an app with a private key, etc.

Large Enterprises(tm) like mine use Vault to store/generate app github_tokens instead of allowing us to put the app's private key in the repository (which is what the current app implementation requires I think)

A new setup-steps field on safe-outputs that injects steps at the start of the consolidated safe-outputs job (same slot where the App token minting goes):

safe-outputs:
  setup-steps:
    - name: Fetch GitHub Token from Vault
      id: vault-token
      uses: elastic/ci-gh-actions/fetch-github-token@v1.1
      with:
        vault-instance: "ci-prod"
  github-token: "${{ steps.vault-token.outputs.token }}"
  create-issue:
  add-comment:

or maybe just call it steps to match the agent?

Note: jobs that's already on safe-output won't work because you cant pass secrets between jobs!

This would:

Insert the steps at the beginning of the safe_outputs job (after setup/downloads, same insertion point as App token minting)

Let github-token reference ${{ steps.vault-token.outputs.token }} since it's the same job
Follow the established pattern — the App token minting already does exactly this, just with a hardcoded action

Be a relatively small compiler change (in my pure imagination) — the insertion logic in buildConsolidatedSafeOutputsJob around lines 241-280 already handles this for App tokens

[pelikhan]

You can do

jobs:
  safe_outputs:
    steps:
      ...

and it should be injected in the safe_outputs job

[strawgate]

failed to add safe job safe_outputs: job 'safe_outputs' already exists

naming a safe-job safe_outputs (or safe-outputs) collides with the consolidated safe-outputs job that the compiler generates. The job manager treats it as you wanting to add a job and rejects duplicates.

claude says getting it to work this way wouldnt be too hard:

But the idea of special-casing safe_outputs as a job name in the compiler orchestration is interesting. In compiler_safe_output_jobs.go, right between building the consolidated job (line 32) and building safe-jobs (line 47), you could:

Check if any safe-job is named safe_outputs
Extract its steps
Inject them into the consolidated job's steps array (at the same insertion point as App token minting)
Remove it from the safe-jobs map so buildSafeJobs doesn't try to add it

though i think you could just put them at the beginning and not insert them magically before app token minting

[strawgate]

okay maybe that's wrong... i think i was trying jobs under safe-output and not root-level jobs, trying this again

[strawgate]

@pelikhan same problem with the root jobs key

[pelikhan]

#18460