Add env support to dependencies configuration and upgrade microsoft/apm to v0.8.2

[Copilot]

The dependencies object format lacked a way to pass environment variables to the microsoft/apm-action pack step, making it impossible to configure private registries or inject tokens without workarounds.

Changes

• APMDependenciesInfo — Added Env map[string]string field
• extractAPMDependenciesFromFrontmatter — Parses env map from object-format dependencies; non-string values are skipped with a debug log; env count added to extraction log
• GenerateAPMPackStep — Injects user env vars (sorted for determinism) into the pack step's env: block, merged alongside GITHUB_TOKEN when github-app is also configured; user-supplied GITHUB_TOKEN is silently skipped when github-app is configured to prevent duplicate YAML keys
• DefaultAPMVersion — Upgraded from v0.8.0 to v0.8.2
• microsoft/apm-action — Upgraded from v1.3.1 to v1.3.4 (SHA 83d54a6c7941049210433b16c8dfac573665b12a); includes SARIF/markdown audit report support and fixes for GITHUB_TOKEN passthrough and preservation

Usage

dependencies:
  packages:
    - microsoft/apm-sample-package
  env:
    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    REGISTRY: https://registry.example.com

---

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

---

---

✨ PR Review Safe Output Test - Run 23274525021

💥 [THE END] — Illustrated by Smoke Claude · ◷

---

---

✨ PR Review Safe Output Test - Run 23294151374

💥 [THE END] — Illustrated by Smoke Claude · ◷

[pelikhan]

Upgrade to microsoft/apm v0.8.2

[pelikhan]

@copilot upgrade microsoft/apm and its actions

[Copilot]

@copilot upgrade microsoft/apm and its actions

Done in f8d55c1:

• DefaultAPMVersion: v0.8.0 → v0.8.2
• microsoft/apm-action: v1.3.1 → v1.3.2 (SHA 24f26ec) — includes the new SARIF/markdown audit report feature
• Recompiled all 175 workflows with the updated action pin

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw re-workflows.md ndor/bin/grep grep -l onPin ills/error-recovery-patterns/SKILL.md 64/bin/grep onPin .md cal/bin/grep grep (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw re-workflows.md cal/bin/grep grep -l onPin ills/error-recovery-patterns/SKILL.md de/node/bin/grep onPin .md rgo/bin/grep grep (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw re-workflows.md p/bin/grep grep -l onPin ills/error-recovery-patterns/SKILL.md ache/node/24.14.0/x64/bin/grep onPin lag.md (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha on_pins\|GetActiremote.origin.url k/gh-aw/gh-aw/skills/skillz-integration/SKILL.md $name) { hasDiscussionsEnabled } } onPin t.md x86_64/grep grep -l on_pins\|GetActionPin k/gh-aw/gh-aw/DEVGUIDE.md 64/bin/bash onPin toring.md /home/REDACTED/.co/home/REDACTED/work/gh-aw/gh-aw/.github/workflows grep (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha on_pins\|GetActionPin k/gh-aw/gh-aw/skills/skillz-integration/SKILL.md $name) { hasDiscussionsEnabled } } onPin laceholder.md /home/REDACTED/.co-c grep -l on_pins\|GetActionPin k/gh-aw/gh-aw/DEVGUIDE.md r: $owner, name: $name) { hasDiscussionsEnabled } } onPin toring.md 0/x64/bin/grep grep (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha onPin ills/gh-agent-session/SKILL.md /home/REDACTED/.local/bin/grep onPin nts-bug.md /home/REDACTED/.co--noprofile grep -l onPin ills/temporary-id-safe-output/SKILL.md ep onPin ut-secrecy-integ-1 0/x64/bin/grep grep (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility on_pins\|GetActiremote.origin.url k/gh-aw/gh-aw/skills/reporting/SKILL.md r: $owner, name: $name) { hasDiscussionsEnabled } } onPin pressions.md 0/x64/bin/grep grep -l on_pins\|GetActiremote.origin.url k/gh-aw/gh-aw/skills/github-discauto x_amd64/compile onPin -for-ghe.md cal/bin/grep x_amd64/compile (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha onPin ills/github-mcp-server/SKILL.md ep onPin nfig.md 0/x64/bin/grep grep -l onPin ills/console-rendering/SKILL.md nfig/composer/vendor/bin/grep onPin -permissions.md cal/bin/grep grep (http block)
• https://api.github.com/repos/microsoft/apm-action/git/ref/tags/v1.3.2
  • Triggering command: /usr/bin/curl curl -sf REDACTED grep -l onPin pt/SKILL.md ndor/bin/grep onPin s.md rep grep -l onPin e-query/SKILL.md-j cal/bin/grep onPin -port.md 64/bin/grep grep (http block)
• https://api.github.com/repos/microsoft/apm-action/git/refs/tags/v1.3.2
  • Triggering command: /usr/bin/curl curl -sf REDACTED -H Accept: application/json onPin refactoring/SKILL.md /home/REDACTED/.local/bin/grep onPin mmatic-events.md--norc /usr/bin/grep grep -l onPin KILL.md ep onPin moke-test.md 0/x64/bin/grep grep (http block)
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)
• https://api.github.com/repos/microsoft/apm-action/releases/latest
  • Triggering command: /usr/bin/gh gh api /repos/microsoft/apm-action/releases/latest --jq .tag_name onPin hangeset/patch-refactor-safe-outputs-prompt.md rep onPin uts-http-timeoutrev-parse ndor/bin/grep grep -l onPin uery/SKILL.md 64/bin/grep onPin po-allowlist.md cal/bin/grep grep (http block)
  • Triggering command: /usr/bin/gh gh api /repos/microsoft/apm-action/releases/latest grep -l onPin (http block)
  • Triggering command: /usr/bin/curl curl -sf REDACTED grep -l onPin rn-safety/SKILL.md rgo/bin/grep onPin ns-20260304.md de/node/bin/grep--slice=azure-walinuxagent-logcollector.slice grep -l onPin pt/SKILL.md p/bin/grep onPin ommand.md bin/grep grep (http block)
• https://api.github.com/repos/microsoft/apm-action/tags
  • Triggering command: /usr/bin/gh gh api /repos/microsoft/apm-action/tags --jq .[0].name onPin hangeset/patch-refactor-safe-outputs-prompt.md 64/bin/grep onPin uts-http-timeoutrev-parse grep grep -l onPin uery/SKILL.md de/node/bin/grep onPin po-allowlist.md rgo/bin/grep grep (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[Copilot]

Pull request overview

Adds support for specifying environment variables under the dependencies frontmatter configuration so they can be passed to the microsoft/apm-action pack step, and upgrades the default APM CLI/action versions.

Changes:

• Extend APMDependenciesInfo and frontmatter extraction to parse a dependencies.env map (skipping non-string values).
• Update APM pack-step generation to include the parsed env vars in a deterministic (sorted) order, alongside the GitHub App token env when configured.
• Bump pinned versions: APM CLI default to v0.8.2 and microsoft/apm-action to v1.3.2 (SHA-pinned), with related lockfile updates and new tests.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/workflow/frontmatter_types.go	Adds Env map[string]string to APM dependency config.
pkg/workflow/frontmatter_extraction_metadata.go	Parses dependencies.env from object-format frontmatter and logs env count.
pkg/workflow/apm_dependencies.go	Emits env: block for APM pack step including GitHub App token + user env vars (sorted).
pkg/workflow/apm_dependencies_test.go	Adds unit tests for env extraction + pack-step env rendering and determinism.
pkg/workflow/apm_dependencies_compilation_test.go	Adds integration compilation coverage for env vars appearing in the lock file.
pkg/constants/constants.go	Bumps DefaultAPMVersion to v0.8.2.
pkg/workflow/data/action_pins.json	Updates pin for microsoft/apm-action@v1.3.2 SHA.
.github/aw/actions-lock.json	Updates internal actions lock for microsoft/apm-action@v1.3.2 SHA.
.github/workflows/smoke-claude.lock.yml	Updates smoke workflow lock to APM v0.8.2 and action SHA.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[github-actions]

Smoke Test Results — Run §23273976334

✅ GitHub MCP | ✅ GH CLI | ❌ Serena MCP | ✅ Playwright | ✅ Web Fetch | ✅ File Write | ✅ Bash | ✅ Discussion | ✅ Build | ✅ Discussion Create | ✅ Haiku Dispatch | ✅ PR Review

Overall: FAIL — Serena activate_project/find_symbol tools unavailable in Copilot context.
PR author: @Copilot · Assignees: @pelikhan, @Copilot

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions]

Smoke test review of PR #21687. The env support for APM dependencies is well-implemented with sorted keys for determinism and comprehensive test coverage. One potential concern: env values are written to YAML without quoting, which could produce invalid YAML if values contain special characters.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

YAML values are written here without quoting. If a user passes a value containing YAML special characters (e.g., a colon followed by a space, a #, or curly braces), the generated workflow file could be invalid. Consider wrapping the value in quotes or using a YAML-safe formatter: fmt.Sprintf(" %s: %q", k, apmDeps.Env[k]) or at least single-quoting values that contain special chars.

[github-actions]

Nice, clean addition. The sorted-key determinism in GenerateAPMPackStep ensures reproducible compiled output, which is great for lock file stability.

[github-actions]

Agreed! Deterministic ordering is essential for stable diffs in generated YAML. Great to see this covered by a test.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Commit pushed: f21e690

Generated by Changeset Generator

[pelikhan]

@copilot update Microsoft/apm again

[Copilot]

@copilot update Microsoft/apm again

Done in 950cfd1:

• microsoft/apm-action: v1.3.2 → v1.3.4 (SHA 83d54a6) — this version specifically fixes "preserve caller's GITHUB_TOKEN when already set in environment"

Also addressed the two code review issues in the same commit:

• Skip user-supplied GITHUB_TOKEN key when github-app is configured (prevents duplicate YAML keys)
• Fixed test ordering assertion to verify indices are != -1 before comparing positions

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha guration^{commitremote.origin.url (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	4.52.4
curl	✅	8.5.0
gh	✅	2.87.3
node	✅	20.20.1
python3	✅	3.12.3
go	✅	1.24.13
java	✅	10.0.102
dotnet	✅	10.0.102

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ◷

[github-actions]

Smoke Test

PRs: #21768 [docs] Update glossary - daily scan; #21750 slides: add Software Engineer → Agentic Engineer, Agentic Human Processes, and two Mermaid diagrams
GitHub MCP: ✅
Serena activate+find_symbol(>=3): ✅
Playwright title contains "GitHub": ✅
Web-fetch contains "GitHub": ✅
File write+cat (/tmp/gh-aw/agent/smoke-test-codex-23294150850.txt): ✅
Bash build (GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod make build): ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex · ◷

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• ab.chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"

See Network Configuration for more information.

[github-actions]

Smoke test results for PR #21687 (author: copilot-swe-agent, assignees: pelikhan, Copilot):

Test	Result
GitHub MCP	✅
MCP Scripts GH CLI	✅
Serena MCP	❌
Playwright	✅
Web Fetch	✅
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: ⚠️ PARTIAL PASS (Serena MCP tools unavailable)

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions]

Clean implementation of env support for APM dependencies. Deduplication logic for GITHUB_TOKEN is correct and the sorted output ordering ensures deterministic YAML generation. Tests are thorough covering the new cases.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

The new Env field is well-placed in the struct. Documenting it as "Optional environment variables to set on the APM pack step" makes intent clear. Consistent with the existing comment style in the struct.

[github-actions]

Good defensive check — skipping GITHUB_TOKEN when a GitHub App token is already being injected prevents duplicate env key conflicts. The sort.Strings(keys) call ensures deterministic output ordering across Go map iterations. 👍

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test Run 23294151374 — PARTIAL (2 skipped, all others passed)

Core tests #1–11: ✅✅✅✅✅✅✅✅✅✅✅
PR review tests: ✅ #12 ✅ #13 ✅ #14 ⚠️ #15 ✅ #16 ✅ #17 ⚠️ #18

⚠️ #15: No threads to resolve · ⚠️ #18: No suitable test PR to close

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Good addition of the Env field to APMDependenciesInfo. Using map[string]string is appropriate here since env vars are key-value pairs. The comment clearly explains its purpose.

[github-actions]

Using sort.Strings(keys) ensures deterministic output ordering for env vars — great practice for generated YAML to keep diffs clean and avoid spurious recompilations.

[github-actions]

Commit pushed: f7a42f7

Generated by Changeset Generator