checkout-credential-review
$
npx mdskill add github/gh-aw/checkout-credential-reviewEnsures secure and correct credential handling for git/gh operations in repository checkouts
- Verifies that credentials are available when needed during checkout operations
- Analyzes code in workflow and action files for credential injection and usage
- Checks for sparseness, shallowness, and credential-free execution requirements
- Provides feedback on credential lifecycle and security compliance
SKILL.md
.github/skills/checkout-credential-reviewView on GitHub ↗
---
name: checkout-credential-review
description: Review code that performs git or gh operations against repository checkouts in gh-aw, checking that the right credentials are available at the right time and that sparseness, shallowness and credential-free factors are properly considered.
---
# Checkout Credential Review
Use this skill when reviewing or writing code in `pkg/workflow/`, `actions/setup/js/`, or compiled `.lock.yml` workflows that runs `git`, `gh`, or any other remote-touching operation against a repository checkout.
## Background
Each entry in a workflow's `checkout:` block may declare its own credentials (`github-token:`, `github-app:`), and the compiler wires those into the corresponding `actions/checkout` step ([pkg/workflow/checkout_step_generator.go](pkg/workflow/checkout_step_generator.go)). Generated checkouts always set `persist-credentials: false`, so the on-disk repo retains **no** credentials after the step finishes — only `actions/checkout`'s own internal token is used during the clone, and it is scrubbed in its post-step.
A separate step that wants to authenticate later must either (a) re-inject a token at command level (e.g. `git -c http.extraheader=...`) or (b) be passed the per-checkout token via env. The compiler does *not* automatically thread per-checkout `github-token`s into downstream steps.
Two important contexts deliberately run with **no git credentials**:
- The **safe-outputs MCP server** and its handlers (`generate_git_bundle.cjs`, `generate_git_patch.cjs`, `create_pull_request.cjs`). Errors in these paths explicitly say "the safe-outputs MCP server has no credentials for private repositories" — fetch/push will fail for private repos.
- The **agent runtime** after `actions/checkout`. The agent prompt in [actions/setup/md/safe_outputs_push_to_pr_branch.md](actions/setup/md/safe_outputs_push_to_pr_branch.md) explicitly tells the model not to attempt `git fetch`, `git pull`, `git push`, or any other authenticated git operation, and to report unavailable branches rather than try to fetch them.
## Review checklist
When you see a new `git`, `gh`, `execFileSync('git'…)`, or compiled `run:` block:
1. **Does it touch a remote?** Local-only commands (`symbolic-ref`, `rev-parse`, `log`, `show`, `merge-base`, `diff`, `status`) need no credentials. Anything in `fetch | pull | push | clone | ls-remote | remote (set-url|add|update)` does, plus on-demand blob fetches in partial clones.
2. **Which checkout is it operating on?** If it's a cross-repo entry from `checkout:`, the relevant credential is *that entry's* `github-token`, not the workflow's default `GITHUB_TOKEN`. Confirm the per-entry token is actually threaded into the step's env (or refuse to do remote operations and degrade gracefully).
3. **Which job/context emits it?** Agent job and safe-outputs MCP server both run without git credentials by design. Any remote git operation there must be wrapped in `try/catch`, fail soft, and surface a clear "no credentials" error rather than a raw git stderr.
4. **Sparse / shallow / monorepo concerns.** Avoid emitting steps that deepen (`git fetch --unshallow`, `--deepen=N`) or widen (`git fetch origin '+refs/heads/*'`) a sparse or shallow checkout of a large monorepo — these need credentials *and* can pull hundreds of MB. Prefer expanding `fetch:` / `fetch-depth:` / `sparse-checkout:` at compile time so it happens during `actions/checkout` with its internal token, never later.
5. **`gh` is REST, not git.** `gh api …` uses whatever `GH_TOKEN` is in the step's env — it does **not** automatically inherit per-checkout PATs. For cross-org private repos, either thread the right token in or accept the call will 404 and handle it.
## Related
- [docs/src/content/docs/reference/checkout.md](docs/src/content/docs/reference/checkout.md) — "Git Credentials After Checkout"
- [docs/sparseness.md](docs/sparseness.md) — sparse/blobless credential lifecycle
- [pkg/workflow/checkout_step_generator.go](pkg/workflow/checkout_step_generator.go) — token wiring per checkout
- [actions/setup/md/safe_outputs_push_to_pr_branch.md](actions/setup/md/safe_outputs_push_to_pr_branch.md) — agent-facing guidance
More from github/gh-aw
- agentic-workflow-designerConversational skill that interviews users to design new agentic workflows
- agentic-workflowsRoute gh-aw workflow design/create/debug/upgrade requests to the right prompts.
- awf-release-integratorUpgrade gh-aw to latest gh-aw-firewall release and identify follow-up spec tasks.
- console-renderingUse Go struct tags to render styled terminal output in gh-aw.
- copilot-reviewTeach Copilot how to plan, address, and respond to pull request review feedback.
- custom-agentsDefine and validate GitHub custom agent files, prompts, and examples.
- debugging-workflowsDebug gh-aw workflows using run logs, audits, and failure triage.
- developerCore developer rules and coding conventions for gh-aw changes.
- Dictation InstructionsInstructions for fixing speech-to-text errors and improving text quality in gh-aw documentation and workflows
- documentationWrite concise Diataxis docs for gh-aw with Starlight markdown conventions.