🔧 Fix GH_AW_CI_TRIGGER_TOKEN emit scope and update docs

[dsyme]

Summary

• Moved GH_AW_CI_TRIGGER_TOKEN from job-level env to step-level env in the safe outputs handler step, so it is only emitted when create-pull-request or push-to-pull-request-branch is actually configured — reducing unnecessary secret exposure across all workflows.
• Updated all locked workflow files to reflect the corrected placement of GH_AW_CI_TRIGGER_TOKEN (removed from job env:, added to the handler step env:).
• Improved documentation across triggering-ci, auth-projects, github-tools, assign-to-copilot, and faq pages — fixing heading levels, adding missing code snippets, and clarifying the magic secret pattern.

[Copilot]

Pull request overview

This PR reduces unnecessary exposure of GH_AW_CI_TRIGGER_TOKEN by moving its emission from job-level env to the specific safe-outputs handler step (and only when PR-creation-related safe outputs are configured), and updates docs + locked workflows to match.

Changes:

• Emit GH_AW_CI_TRIGGER_TOKEN at step scope within the “Process Safe Outputs” handler manager step, conditioned on create-pull-request / push-to-pull-request-branch configuration.
• Remove GH_AW_CI_TRIGGER_TOKEN from job-level env: in locked workflows and add it to the handler step where PR creation/branch push safe outputs are configured.
• Documentation updates across several reference pages to clarify setup and improve formatting/snippets.

Reviewed changes

Copilot reviewed 158 out of 158 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/workflow/compiler_safe_outputs_steps.go	Adds conditional step-level emission of GH_AW_CI_TRIGGER_TOKEN for the handler-manager step.
pkg/workflow/compiler_safe_outputs_job.go	Removes job-level emission of GH_AW_CI_TRIGGER_TOKEN (now step-scoped).
docs/src/content/docs/reference/triggering-ci.mdx	Updates CI-triggering guidance and snippets (NOTE: secret-name mismatch found).
docs/src/content/docs/reference/github-tools.md	Refines headings and adds magic-secret snippet for GitHub tools token.
docs/src/content/docs/reference/faq.md	Adds quick guidance mentioning GH_AW_CI_TRIGGER_TOKEN.
docs/src/content/docs/reference/auth-projects.mdx	Reworks PAT/magic-secret instructions and adds snippets/videos.
docs/src/content/docs/reference/assign-to-copilot.mdx	Refines headings and adds magic-secret snippet for agent token.
.github/workflows/workflow-skill-extractor.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env (not needed by its safe outputs config).
.github/workflows/workflow-normalizer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env (not needed by its safe outputs config).
.github/workflows/workflow-health-manager.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/workflow-generator.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/weekly-issue-summary.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/weekly-editors-health-check.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/video-analyzer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env (not needed by its safe outputs config).
.github/workflows/unbloat-docs.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/ubuntu-image-analyzer.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/typist.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/tidy.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/test-project-url-default.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/test-dispatcher.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/test-create-pr-error-handling.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/terminal-stylist.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/technical-doc-writer.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/super-linter.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/sub-issue-closer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/step-name-alignment.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/static-analysis-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/stale-repo-identifier.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-test-tools.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-temporary-id.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-project.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/smoke-multi-pr.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/smoke-gemini.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-copilot.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-copilot-arm.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-codex.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/smoke-claude.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/smoke-agent.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/slide-deck-maintainer.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/sergo.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/semantic-function-refactor.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/security-review.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/security-compliance.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/scout.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/schema-consistency-checker.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/safe-output-health.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/research.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/repository-quality-improver.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/repo-tree-map.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/repo-audit-analyzer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/release.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/refiner.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/q.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/python-data-charts.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/prompt-clustering-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/pr-triage-agent.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/pr-nitpick-reviewer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/portfolio-analyst.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/poem-bot.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/plan.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/pdf-summary.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/org-health-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/notion-issue-summary.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/mergefest.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/mcp-inspector.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/lockfile-stats.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/layout-spec-maintainer.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/jsweep.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/issue-triage-agent.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/issue-monster.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/issue-arborist.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/instructions-janitor.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/hourly-ci-cleaner.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/grumpy-reviewer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/gpclean.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/go-pattern-detector.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/go-logger.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/go-fan.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/glossary-maintainer.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/github-mcp-tools-report.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/github-mcp-structural-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/functional-pragmatist.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/firewall-escape.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/example-workflow-analyzer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/duplicate-code-detector.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/draft-pr-cleanup.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/docs-noob-tester.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/discussion-task-miner.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/dictation-prompt.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/developer-docs-consolidator.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/dev.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/dev-hawk.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/dependabot-go-checker.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/dependabot-burner.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/delight.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/deep-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-workflow-updater.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/daily-testify-uber-super-expert.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-team-status.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-team-evolution-insights.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-syntax-error-quality.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-semgrep-scan.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-security-red-team.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-secrets-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-safe-outputs-conformance.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-safe-output-optimizer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-repo-chronicle.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-rendering-scripts-verifier.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/daily-regulatory.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-performance-summary.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-observability-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-news.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-multi-device-docs-tester.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-malicious-code-scan.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-issues-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-firewall-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-file-diet.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-fact.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-doc-updater.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/daily-copilot-token-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-compiler-quality.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-code-metrics.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-cli-tools-tester.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-cli-performance.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-choice-test.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/daily-assign-issue-to-user.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/craft.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/copilot-session-insights.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/copilot-pr-prompt-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/copilot-pr-nlp-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/copilot-pr-merged-report.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/copilot-cli-deep-research.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/copilot-agent-analysis.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/contribution-check.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/commit-changes-analyzer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/code-simplifier.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/code-scanning-fixer.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/cloclo.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/cli-version-checker.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/cli-consistency-checker.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/claude-code-user-docs-review.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/ci-doctor.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/ci-coach.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/changeset.lock.yml	Moves GH_AW_CI_TRIGGER_TOKEN from job env to the “Process Safe Outputs” step env.
.github/workflows/breaking-change-checker.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/brave.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/bot-detection.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/blog-auditor.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/auto-triage-issues.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/audit-workflows.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/artifacts-summary.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/archie.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/ai-moderator.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/agent-persona-explorer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.
.github/workflows/agent-performance-analyzer.lock.yml	Removes job-level GH_AW_CI_TRIGGER_TOKEN env.

Comments suppressed due to low confidence (1)

docs/src/content/docs/reference/triggering-ci.mdx:76

• In the “magic secret” section, the snippet uses gh aw secrets set MY_CI_TRIGGER_PAT ..., but this section is specifically about setting the magic secret GH_AW_CI_TRIGGER_TOKEN. Update the command (or the surrounding text) so the secret name matches.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.