
Migrate GH-AW reviewer to PAT pool#394

Draft
vitek-karas wants to merge 1 commit into dotnet:main from vitek-karas:feature/gh-aw-pat-pool

Conversation

@vitek-karas

Member

Summary

  • migrate the Android Tools GH-AW reviewer workflow to the Copilot PAT pool model
  • add the shared PAT pool import and README under .github/workflows/shared/
  • add validate-pat-pool.yml so the PAT pool can be checked independently
  • recompile the generated lock workflow and update .github/aw/actions-lock.json

Validation

  • gh aw compile .github/workflows/android-tools-reviewer.md --schedule-seed dotnet/android-tools --approve
  • dotnet build Xamarin.Android.Tools.sln
  • dotnet test tests\Microsoft.Android.Build.BaseTasks-Tests\Microsoft.Android.Build.BaseTasks-Tests.csproj
  • dotnet test tests\Xamarin.Android.Tools.AndroidSdk-Tests\Xamarin.Android.Tools.AndroidSdk-Tests.csproj still has the pre-existing JdkDirectory_JavaHome("JI_JAVA_HOME") failure in both the feature worktree and the clean main checkout because JAVA_HOME is set in the local environment

Security review note

I reviewed the newly introduced secret references, action revisions, and generated workflow manifest changes from the PAT pool migration.

Secrets

Added restricted secrets:

  • COPILOT_PAT_0
  • COPILOT_PAT_1
  • COPILOT_PAT_2
  • COPILOT_PAT_3
  • COPILOT_PAT_4
  • COPILOT_PAT_5
  • COPILOT_PAT_6
  • COPILOT_PAT_7
  • COPILOT_PAT_8
  • COPILOT_PAT_9

These are only used to select a PAT slot number inside the isolated pat_pool job and then resolve the selected slot through a case(...) expression in engine.env, matching the documented pattern in dotnet/vitals PAT pool guidance and the example in dotnet/xharness#1626.

Actions and generated runtime updates

  • github/gh-aw-actions/setup updated from v0.79.8 to v0.80.9 (8c7d04ebf1ece56cd381446125da3e0f6896294a)
  • generated workflow containers updated to the compiler-selected set from gh aw v0.80.9:
    • ghcr.io/github/gh-aw-firewall/agent:0.27.7
    • ghcr.io/github/gh-aw-firewall/api-proxy:0.27.7
    • ghcr.io/github/gh-aw-firewall/squid:0.27.7
    • ghcr.io/github/gh-aw-mcpg:v0.3.27
    • ghcr.io/github/gh-aw-node
    • ghcr.io/github/github-mcp-server:v1.4.0

I reviewed these as safe because they are generated by the official gh aw compiler during recompilation of the existing workflow, align with the PAT pool migration shape used in dotnet/runtime#129840, and do not introduce any custom third-party action beyond the standard GitHub / gh-aw generated set already used by this workflow.

Redirect changes

No redirect changes were introduced.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
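One way to implement the two-stage pattern the security review note describes (a pool job that picks a slot index, then resolves only that slot's secret), as an added shell example that is not the PR's, the workflow's, or gh-aw's own code. The real workflow resolves the slot through a case(...) expression in engine.env, which this does not reproduce. It assumes the secrets reach the pool job as environment variables COPILOT_PAT_0 .. COPILOT_PAT_9, a numeric seed such as GITHUB_RUN_ID, and a pool size of ten; the round-robin fallback to the next populated slot when the selected one is unset is an assumption beyond the text. The function and variable names are hypothetical.

```shell
#!/bin/sh
# Hypothetical PAT pool helper (added example; not the workflow's own code).
# Assumes the pool job sees COPILOT_PAT_0 .. COPILOT_PAT_<N-1> as env vars.

# select_slot SEED POOL_SIZE -> prints a slot index in [0, POOL_SIZE).
# The seed (e.g. GITHUB_RUN_ID) is validated as a non-negative integer so
# nothing but a number ever reaches the arithmetic below.
select_slot() {
    _seed=$1; _size=$2
    case $_seed in ''|*[!0-9]*) echo "seed must be a non-negative integer" >&2; return 1;; esac
    case $_size in ''|*[!0-9]*|0) echo "pool size must be a positive integer" >&2; return 1;; esac
    echo $(( _seed % _size ))
}

# slot_value SLOT -> prints COPILOT_PAT_<SLOT>, or nothing if that slot is unset.
# The variable name is built from a fixed prefix plus a validated integer, so
# untrusted input can never name an arbitrary environment variable.
slot_value() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    eval "printf '%s' \"\${COPILOT_PAT_$1:-}\""
}

# resolve_pat START_SLOT POOL_SIZE -> prints "slot:value" for the first populated
# slot at or after START_SLOT, wrapping around; returns 1 if every slot is empty.
# (Round-robin fallback is an assumption of this example, not documented behaviour.)
resolve_pat() {
    _start=$1; _size=$2; _i=0
    while [ "$_i" -lt "$_size" ]; do
        _slot=$(( (_start + _i) % _size ))
        _val=$(slot_value "$_slot")
        if [ -n "$_val" ]; then
            printf '%s:%s' "$_slot" "$_val"
            return 0
        fi
        _i=$(( _i + 1 ))
    done
    echo "no populated COPILOT_PAT_* slot in a pool of $_size" >&2
    return 1
}

# export_pat SEED POOL_SIZE: the pool step body. Only the chosen slot index is
# published as a step output; the token itself is masked in the job log and
# handed to the consuming step through GITHUB_ENV (both files default to
# /dev/null when run outside Actions). Prints the chosen slot last.
export_pat() {
    _slot=$(select_slot "$1" "$2") || return 1
    _res=$(resolve_pat "$_slot" "$2") || return 1
    _chosen=${_res%%:*}; _tok=${_res#*:}
    echo "::add-mask::$_tok"
    echo "pat_slot=$_chosen" >> "${GITHUB_OUTPUT:-/dev/null}"
    echo "COPILOT_PAT=$_tok" >> "${GITHUB_ENV:-/dev/null}"
    echo "$_chosen"
}
```

The point of keeping selection and resolution separate is that the ten pooled secrets are mounted only in the pool job; what crosses the job boundary is a small integer, and the consumer receives exactly one token rather than the whole pool.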
