From 1abccc542c3ce704569f4b17bc45ca87d8f8202e Mon Sep 17 00:00:00 2001 From: Graham Savage Date: Wed, 20 May 2026 19:24:11 +0100 Subject: [PATCH] Rename github_token secret to kosli_github_token A reusable workflow (`on: workflow_call`) cannot declare a secret named `github_token` because that name is reserved for the built-in `secrets.GITHUB_TOKEN`. Callers were failing to parse the workflow with: secret name `github_token` within `workflow_call` can not be used since it would collide with system reserved name Rename the input secret to `kosli_github_token` and update the `env.GH_TOKEN` mapping to read from the new name. Callers must update their `secrets:` block to pass `kosli_github_token` instead of `github_token`. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/apply.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml index 4dc478c..b0e0c08 100644 --- a/.github/workflows/apply.yml +++ b/.github/workflows/apply.yml @@ -42,8 +42,8 @@ on: kosli_api_token: description: "Kosli API token. Required when kosli_template_file is set." required: false - github_token: - description: "GitHub token used by `kosli attest pr github` to look up pull requests. Optional; when omitted the pull-request attestation step is skipped." + kosli_github_token: + description: "GitHub token used by `kosli attest pr github` to look up pull requests. Optional; when omitted the pull-request attestation step is skipped. Cannot be named `github_token` because that name is reserved by `workflow_call`." required: false jobs: @@ -81,7 +81,7 @@ jobs: KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} KOSLI_FLOW: terraform-apply-${{ inputs.environment }}-${{ github.event.repository.name }} KOSLI_TRAIL: ${{ github.event.pull_request.head.sha || github.sha }} - GH_TOKEN: ${{ secrets.github_token }} + GH_TOKEN: ${{ secrets.kosli_github_token }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2