
Add OTLP github-app pre-setup token minting, setup input wiring, and OIDC permission validation #35089

Open
Copilot wants to merge 27 commits into main from copilot/add-github-app-oidc-token-support

Conversation

Contributor

Copilot AI commented May 27, 2026

This change adds OTLP runtime auth configuration in frontmatter so workflows can mint a bearer credential for telemetry export before actions/setup, then pass it into setup for OTLP Authorization header injection early in job execution.

  • Frontmatter + schema

    • Added observability.otlp.github-app with support for:
      • GitHub App credentials (app-id/client-id + private-key) to mint a token via actions/create-github-app-token
      • Implicit OIDC mode when the github-app block is present without credentials
    • Simplified OTLP github-app schema by removing the OTLP-specific oneOf branch and removing audience support.
    • Removed legacy type: github-oidc syntax support for OTLP github-app.
    • Updated typed config/docs/schema to recognize this github-app auth block and helper flow.
  • Workflow generation

    • Added a compiler-generated pre-setup mint step (mint-otlp-oidc-token) that now:
      • mints via actions/create-github-app-token when OTLP github-app credentials are provided
      • mints via actions/github-script + core.getIDToken(...) for OIDC mode
    • Wired setup step inputs/env to receive the minted token:
      • action mode: with.otlp-oidc-token
      • script mode: INPUT_OTLP_OIDC_TOKEN
    • Added validation that permissions.id-token: write is required for OTLP OIDC mode.
  • Setup action behavior

    • Added new setup input otlp-oidc-token in actions/setup/action.yml.
    • In action_setup_otlp.cjs, when provided, merges Authorization=****** into OTEL_EXPORTER_OTLP_HEADERS (without overriding an existing Authorization header) and exports it via GITHUB_ENV.
    • Also merges Authorization into each GH_AW_OTLP_ENDPOINTS endpoint headers value (without overriding existing Authorization) and persists updated endpoints via GITHUB_ENV, so setup/conclusion span export paths use the minted token.
  • Docs + tests

    • Updated syntax docs to show OTLP github-app credential usage and OIDC permission guidance.
    • Added/updated test coverage for endpoint header propagation through GH_AW_OTLP_ENDPOINTS, OIDC permission validation behavior, OTLP GitHub App helper extraction, schema acceptance of implicit OIDC (github-app: {}), schema rejection of OTLP github-app.audience, schema rejection of legacy type: github-oidc, and integration fixtures asserting emitted actions/create-github-app-token usage.
  • Example

    observability:
      otlp:
        endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
        github-app:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
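The two merge rules and the permission check listed in the summary above, as an added example that is not part of this PR or of the project's own code. It assumes OTEL_EXPORTER_OTLP_HEADERS is the comma-separated key=value list the OpenTelemetry SDKs read, and it models GH_AW_OTLP_ENDPOINTS as a JSON array of {url, headers} objects, which is a guess since the PR does not show that format; the function names, the mode selection rule (credentials present means actions/create-github-app-token, otherwise OIDC) and the sample frontmatter are constructed for the example.

```javascript
// Added example (not the project's own code): a stand-alone model of the
// merge rules the PR description gives for the minted token, plus the
// compile-time permission check it describes. Assumptions, none taken from
// the PR: OTEL_EXPORTER_OTLP_HEADERS is the comma-separated key=value list
// the OTel SDKs read, and GH_AW_OTLP_ENDPOINTS is modelled as a JSON array of
// {url, headers} objects (the real encoding is not shown on the page).

// Matches an Authorization key at the start of the list or right after a comma,
// case-insensitively, so "authorization=..." and " Authorization = ..." both count.
const AUTHORIZATION_RE = /(^|,)\s*authorization\s*=/i;

function hasAuthorizationHeader(headers) {
  return AUTHORIZATION_RE.test(headers || "");
}

// Merge "Authorization=Bearer <token>" into a header list. An Authorization
// header the caller already set wins and the minted token is then dropped.
function mergeBearerToken(headers, token) {
  const existing = (headers || "").trim();
  if (!token) return existing;
  if (hasAuthorizationHeader(existing)) return existing;
  const pair = "Authorization=Bearer " + token;
  return existing ? existing + "," + pair : pair;
}

// Apply the same rule to every endpoint entry so exporters that read the
// per-endpoint list rather than the global headers variable also send the
// token. Returns the re-serialised JSON string.
function mergeBearerTokenIntoEndpoints(endpointsJson, token) {
  const parsed = endpointsJson ? JSON.parse(endpointsJson) : [];
  if (!Array.isArray(parsed)) throw new Error("endpoints value must be a JSON array");
  const updated = parsed.map(ep => ({ ...ep, headers: mergeBearerToken(ep.headers, token) }));
  return JSON.stringify(updated);
}

// Decide which minting path a parsed frontmatter selects, following the PR
// summary: app credentials -> GitHub App token; a github-app block without
// credentials -> OIDC via core.getIDToken; no block -> no mint step at all.
function otlpTokenMode(frontmatter) {
  const otlp = frontmatter && frontmatter.observability && frontmatter.observability.otlp;
  if (!otlp || otlp["github-app"] === undefined) return "none";
  const app = otlp["github-app"] || {};
  const hasId = Boolean(app["app-id"] || app["client-id"]);
  return hasId && app["private-key"] ? "github-app" : "oidc";
}

// The compile-time check the PR adds: OIDC mode needs permissions.id-token: write,
// otherwise core.getIDToken fails only at runtime. Returns a list of error strings.
function validateOidcPermissions(frontmatter) {
  if (otlpTokenMode(frontmatter) !== "oidc") return [];
  const perms = (frontmatter && frontmatter.permissions) || {};
  if (perms["id-token"] === "write") return [];
  return ["observability.otlp.github-app without credentials uses OIDC and requires permissions.id-token: write"];
}

// Constructed sample frontmatter: implicit OIDC mode, permission missing.
const sampleFrontmatter = {
  permissions: { contents: "read" },
  observability: { otlp: { endpoint: "https://otlp.example.invalid", "github-app": {} } },
};
```

The check in validateOidcPermissions runs before any step is emitted, which is the point of doing it in the compiler: a missing id-token permission is reported when the workflow is compiled rather than as an opaque getIDToken failure inside the mint step.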

Copilot AI and others added 3 commits May 26, 2026 23:11
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review May 27, 2026 00:39
Copilot AI review requested due to automatic review settings May 27, 2026 00:39
Comment thread .github/aw/syntax.md Outdated
- **`observability:`** - Workflow observability and telemetry configuration (object)
- **`otlp:`** - Export OpenTelemetry spans to any OTLP-compatible backend (Honeycomb, Grafana Tempo, Sentry, etc.) (object)
- `endpoint:` - OTLP collector endpoint URL. When a static URL is provided, its hostname is added to the AWF firewall allowlist automatically. Supports GitHub Actions expressions.
- `auth:` - Optional runtime auth configuration.
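Review bot: the `endpoint:` line says the hostname is added to the AWF firewall allowlist only when a static URL is provided, yet the example configuration for this feature passes the endpoint as an expression (`${{ secrets.GH_AW_OTEL_ENDPOINT }}`), where no hostname is known at compile time; the doc should say explicitly that an expression-valued endpoint gets no automatic allowlist entry and how the host is expected to be allowed in that case. The `auth:` line also needs to mention that minting the OIDC credential requires `permissions.id-token: write`.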
Collaborator


@copilot rename auth to github-app

Contributor Author


Updated in 4d286c7. OTLP frontmatter now uses github-app instead of auth (docs, schema, typed config, and related tests).

Contributor

Copilot AI left a comment


Pull request overview

This PR adds an observability.otlp.auth frontmatter block to support minting a GitHub Actions OIDC token before actions/setup, then wiring that token into the setup action/script so OTLP exports can include an Authorization: Bearer <token> header early in job execution.

Changes:

  • Extend workflow frontmatter/types/schema/docs to support observability.otlp.auth.type: github-oidc (+ optional audience).
  • Generate a compiler-managed pre-setup step (mint-otlp-oidc-token) and pass its output into setup (action + script modes).
  • Update setup action runtime to accept otlp-oidc-token and merge it into OTEL_EXPORTER_OTLP_HEADERS.
Summary per file:

  • pkg/workflow/setup_step_version_test.go: Adds compiler tests asserting the OIDC mint step is injected and ordered before setup (action + script modes).
  • pkg/workflow/observability_otlp.go: Adds helpers to detect github-oidc auth and read optional audience from parsed/raw frontmatter.
  • pkg/workflow/observability_otlp_test.go: Adds unit tests for the new OTLP auth parsing helpers.
  • pkg/workflow/frontmatter_types.go: Introduces OTLPAuthConfig and wires it into OTLPConfig.
  • pkg/workflow/compiler_yaml_step_generation.go: Emits the pre-setup OIDC mint step and wires its token into setup inputs/env.
  • pkg/workflow/codex_engine.go: Formatting-only change in env map alignment.
  • pkg/parser/schemas/main_workflow_schema.json: Extends the JSON schema with observability.otlp.auth.
  • actions/setup/js/action_setup_otlp.test.cjs: Adds tests for OIDC token -> header injection behavior.
  • actions/setup/js/action_setup_otlp.cjs: Merges OIDC token into OTEL_EXPORTER_OTLP_HEADERS and writes it to GITHUB_ENV.
  • actions/setup/index.js: Plumbs otlp-oidc-token input to setup.sh and the OTLP span sender.
  • actions/setup/action.yml: Adds the new otlp-oidc-token action input.
  • .github/workflows/dead-code-remover.lock.yml: Regenerated lock workflow metadata/manifest.
  • .github/aw/syntax.md: Documents the new observability.otlp.auth fields and example usage.

Copilot's findings


  • Files reviewed: 12/13 changed files
  • Comments generated: 4

Comment on lines +89 to +97
const inputOTLPOIDCToken = getActionInput("OTLP_OIDC_TOKEN");
if (inputOTLPOIDCToken) {
const existingHeaders = process.env.OTEL_EXPORTER_OTLP_HEADERS || "";
const hasAuthorizationHeader = /(^|,)\s*authorization\s*=/i.test(existingHeaders);
const mergedHeaders = hasAuthorizationHeader ? existingHeaders : (existingHeaders ? `${existingHeaders},` : "") + "Authorization=Bearer " + inputOTLPOIDCToken;

process.env.OTEL_EXPORTER_OTLP_HEADERS = mergedHeaders;
writeEnvLine(process.env.GITHUB_ENV, "OTEL_EXPORTER_OTLP_HEADERS", mergedHeaders, "OTEL_EXPORTER_OTLP_HEADERS", "GITHUB_ENV");
}
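Review bot: when `hasAuthorizationHeader` is true the minted token is silently discarded, so an operator who set a stale Authorization in `OTEL_EXPORTER_OTLP_HEADERS` will see 401s from the collector with no hint that the new token was never applied; log a warning on that branch. Two further points on the write path: the token lands in `GITHUB_ENV` in clear, so unless the mint step already registered it as a mask, emit an `::add-mask::` command (or `core.setSecret` if @actions/core is available here) before `writeEnvLine`; and the value `Bearer <token>` contains a space, which a consumer that parses this variable as W3C Baggage may expect percent-encoded, so confirm the exporters in this repository accept the raw form.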
Comment on lines +131 to +134
func (c *Compiler) generateOTLPOIDCMintStep(data *WorkflowData) []string {
if data == nil || !hasOTLPGitHubOIDCAuth(data.ParsedFrontmatter, data.RawFrontmatter) {
return nil
}
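Review bot: this guard only decides whether the mint step is emitted; nothing here checks that the workflow grants `permissions.id-token: write`, so a frontmatter with the OIDC block but without that permission compiles cleanly and then fails inside `core.getIDToken` at runtime. Validate the permission at the point where the decision to mint is made and return a compile error, so the misconfiguration is reported before the workflow ever runs.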
Comment thread .github/aw/syntax.md Outdated
Comment on lines +291 to +295
- **`otlp:`** - Export OpenTelemetry spans to any OTLP-compatible backend (Honeycomb, Grafana Tempo, Sentry, etc.) (object)
- `endpoint:` - OTLP collector endpoint URL. When a static URL is provided, its hostname is added to the AWF firewall allowlist automatically. Supports GitHub Actions expressions.
- `auth:` - Optional runtime auth configuration.
- `type:` - `github-oidc` to mint a GitHub Actions OIDC credential before `actions/setup` and use it for OTLP Authorization headers.
- `audience:` - Optional OIDC audience passed to `core.getIDToken(audience)`.
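Review bot: the `type:` line does not say that `permissions.id-token: write` is required for the mint step to succeed, and the `audience:` line does not say what audience is used when it is omitted; both matter to whoever configures the OTLP backend to accept the token, so state the requirement and the default on these lines. The block is also documented as `auth:` while the reviewer on this thread asked for `github-app`; keep the doc in step with the schema rename.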
Comment on lines +155 to +175
describe("OTLP OIDC token header injection", () => {
it("injects Authorization header and exports it to GITHUB_ENV when INPUT_OTLP_OIDC_TOKEN is set", async () => {
const minted = "oidc" + "-" + "token" + "-" + "value";
process.env.INPUT_OTLP_OIDC_TOKEN = minted;

await run();

expect(process.env.OTEL_EXPORTER_OTLP_HEADERS).toContain("Authorization=Bearer ");
expect(process.env.OTEL_EXPORTER_OTLP_HEADERS).toContain(minted);
expect(readFileSync(envFile, "utf8")).toContain("OTEL_EXPORTER_OTLP_HEADERS=Authorization=Bearer ");
});

it("does not override existing Authorization header", async () => {
process.env.INPUT_OTLP_OIDC_TOKEN = "oidc" + "-second" + "-value";
process.env.OTEL_EXPORTER_OTLP_HEADERS = "Authorization=******";

await run();

expect(process.env.OTEL_EXPORTER_OTLP_HEADERS).toBe("Authorization=******");
});
});
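Review bot: the two cases cover empty headers and an existing Authorization header, but not the branch where `OTEL_EXPORTER_OTLP_HEADERS` already holds a non-Authorization header (for example `x-honeycomb-team=...`), which is the branch that exercises the comma join in the implementation; add a case asserting the result is `<existing>,Authorization=Bearer <token>`, and a case with a lower-case `authorization=` key to pin down the case-insensitive match. The first test also reads `OTEL_EXPORTER_OTLP_HEADERS=Authorization=Bearer ` from the env file without checking the token follows; assert on the full line.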
Copilot AI and others added 2 commits May 27, 2026 00:56
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add OTLP github-oidc pre-setup token minting and setup input wiring Add OTLP github-app (github-oidc) pre-setup token minting and setup input wiring May 27, 2026
Copilot AI requested a review from pelikhan May 27, 2026 00:59
@github-actions
Contributor

@copilot review all comments
Please address the unresolved OTLP feedback and re-request review.

Generated by 👨‍🍳 PR Sous Chef · gpt54 14.6M ·

@github-actions
Contributor

Please fix the OTLP header propagation gap in GH_AW_OTLP_ENDPOINTS, then re-request review.

Generated by 👨‍🍳 PR Sous Chef · gpt54 14.6M ·

@pelikhan
Collaborator

@copilot review all comments and reviews

Copilot AI and others added 2 commits May 27, 2026 05:05
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented May 27, 2026

@copilot review all comments and reviews

Addressed the actionable review items in commits f2b547b and 33994c6:

  • OTLP OIDC token now propagates into GH_AW_OTLP_ENDPOINTS endpoint headers (and persists via GITHUB_ENV) so setup/conclusion spans use Authorization headers.
  • Added compiler validation requiring permissions.id-token: write when observability.otlp.github-app.type: github-oidc is configured.
  • Added tests for endpoint header propagation and permission validation.
  • Updated syntax docs to call out the id-token: write requirement.

Copilot AI changed the title Add OTLP github-app (github-oidc) pre-setup token minting and setup input wiring Add OTLP github-app (github-oidc) pre-setup token minting, setup input wiring, and OIDC permission validation May 27, 2026
@pelikhan
Collaborator

@copilot reuse Go type to represent GitHub-app data and helper functions to generate action create GitHub app step . Type GitHub-oidc is implicit and does not need to be in frontmatter .

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions
Contributor

🛠️ Agentic Maintenance updated this pull request branch.

View workflow run

@pelikhan
Collaborator

@copilot the sample should look like this:

observability:
  otlp:
    endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
    github-app:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}

Copilot AI and others added 3 commits May 27, 2026 12:02
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented May 27, 2026

@copilot the sample should look like this:

...

Updated in bda3c0c. The OTLP github-app sample now uses app-id and private-key as requested, and the integration workflow fixture/test coverage was updated to validate actions/create-github-app-token wiring for that shape.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add OTLP github-app pre-setup OIDC token minting, setup input wiring, and OIDC permission validation Add OTLP github-app pre-setup token minting, setup input wiring, and OIDC permission validation May 27, 2026
{
"$ref": "#/$defs/github_app"
},
{
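Review bot: routing the OTLP block through `#/$defs/github_app` inside a oneOf means every `required` key on the shared definition also applies here, which conflicts with the implicit-OIDC case where `github-app: {}` carries no credentials at all; make sure the schema tests include the empty-object case and that the shared definition does not force `app-id`/`private-key` on it.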
Collaborator


@copilot remove type: github-oidc syntax support, no legacy support.

Contributor Author


Implemented in d6b640b (with follow-up commits in this stack): removed OTLP observability.otlp.github-app.type: github-oidc legacy syntax support from main_workflow_schema.json, updated syntax docs to describe implicit OIDC without type, and added parser schema tests to ensure audience-only config is accepted while legacy type syntax is rejected.

Copilot AI and others added 5 commits May 27, 2026 12:34
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan May 27, 2026 12:39
@pelikhan
Collaborator

@copilot simplify GitHub-app type in schema. Remove oneof, audience,

Copilot AI and others added 2 commits May 27, 2026 13:07
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented May 27, 2026

@copilot simplify GitHub-app type in schema. Remove oneof, audience,

Done in 81dd667. I simplified observability.otlp.github-app in the schema by removing the OTLP-specific oneOf branch and dropping audience support, while keeping implicit OIDC via an empty github-app object. I also updated parser schema tests accordingly to validate implicit OIDC and reject audience/legacy type.

@github-actions github-actions Bot mentioned this pull request May 27, 2026
@github-actions
Contributor

@copilot review all comments

Please address the unresolved OIDC/token wiring feedback and validate the id-token: write permission before minting.

Generated by 👨‍🍳 PR Sous Chef · gpt54 3.6M ·
