checkout-credential-review

Checkout Credential Review

Use this skill when reviewing or writing code in pkg/workflow/, actions/setup/js/, or compiled .lock.yml workflows that runs git, gh, or any other remote-touching operation against a repository checkout.

Background

Each entry in a workflow's checkout: block may declare its own credentials (github-token:, github-app:), and the compiler wires those into the corresponding actions/checkout step (pkg/workflow/checkout_step_generator.go). Generated checkouts always set persist-credentials: false, so the on-disk repo retains no credentials after the step finishes — only actions/checkout's own internal token is used during the clone, and it is scrubbed in its post-step.

A separate step that wants to authenticate later must either (a) re-inject a token at command level (e.g. git -c http.extraheader=...) or (b) be passed the per-checkout token via env. The compiler does not automatically thread per-checkout github-tokens into downstream steps.
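As an added example (not code from gh-aw), a small review helper that applies the two rules above to the steps of a compiled workflow: every actions/checkout step must carry persist-credentials: false, and any run: step that fetches, pushes or calls gh must either be passed a token via env or re-inject one at command level with git -c http...extraheader. It assumes the steps were already parsed from the .lock.yml (for example with yaml.safe_load); the step list, names and secret references are constructed.

```python
import re
from typing import Any

# A step touches a remote if it runs git with a network verb or calls gh.
REMOTE_OP = re.compile(r"\bgit\b.*?\b(fetch|pull|push|clone|ls-remote)\b|\bgh\s+\w+", re.S)
# Option (a): token re-injected at command level via git -c http...extraheader
EXTRAHEADER = re.compile(r"http\.[^\s=]*extraheader")
# Option (b): token passed to the step via env under one of these names.
TOKEN_ENV = {"GITHUB_TOKEN", "GH_TOKEN"}


def credential_findings(steps: list[dict[str, Any]]) -> list[str]:
    """Return review findings for job steps already parsed from a .lock.yml."""
    findings: list[str] = []
    for i, step in enumerate(steps):
        name = step.get("name") or step.get("id") or f"step[{i}]"
        if str(step.get("uses", "")).startswith("actions/checkout"):
            persist = (step.get("with") or {}).get("persist-credentials")
            if str(persist).lower() != "false":  # accept YAML bool or the string "false"
                findings.append(f"{name}: actions/checkout must set persist-credentials: false")
            continue
        run = step.get("run") or ""
        if not REMOTE_OP.search(run):
            continue  # no remote-touching command, nothing to review
        has_env_token = bool(TOKEN_ENV & set(step.get("env") or {}))
        if not (has_env_token or EXTRAHEADER.search(run)):
            findings.append(
                f"{name}: remote git/gh operation with no credential; pass a token via "
                "env or re-inject it with git -c http.extraheader"
            )
    return findings


# Constructed sample steps (not from gh-aw): one checkout done right, one gh call
# with GH_TOKEN, one fetch with a re-injected header, one bare push, one checkout
# that forgot persist-credentials. Only the last two should be reported.
SAMPLE_STEPS: list[dict[str, Any]] = [
    {"name": "Checkout", "uses": "actions/checkout@v4",
     "with": {"persist-credentials": False}},
    {"name": "Create PR", "run": "gh pr create --fill",
     "env": {"GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}},
    {"name": "Fetch base",
     "run": 'git -c http.https://github.com/.extraheader="AUTHORIZATION: basic $AUTH" fetch origin main',
     "env": {"AUTH": "${{ steps.auth.outputs.header }}"}},
    {"name": "Push branch", "run": "git push origin HEAD"},
    {"name": "Second checkout", "uses": "actions/checkout@v4",
     "with": {"repository": "octo/other"}},
]

if __name__ == "__main__":
    for finding in credential_findings(SAMPLE_STEPS):
        print(finding)
```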

Two important contexts deliberately run with no git credentials:

  • The safe-outputs MCP server and its handlers (generate_git_bundle.cjs, generate_git_patch.cjs, create_pull_request.cjs). Errors in these paths explicitly say "the safe-outputs MCP server has no credentials for private repositories" — fetch/push will fail for private repos.
  • The agent runtime after actions/checkout. The agent prompt in actions/setup/md/safe_outputs_push_to_pr_branch.md explicitly tells the model not to attempt git fetch, git pull, git push, or any other authenticated git operation, and to report unavailable branches rather than try to fetch them.

Review checklist

When you see a new git, gh, execFileSync('git'…), or compiled run: block:

Installs: 3
Repository: github/gh-aw
GitHub stars: 4.7K
First seen: 4 days ago