Contributor

Copilot AI commented Jan 13, 2026

Implements automated diagnostics for repository secrets to proactively identify configuration issues and API access failures.

Implementation

Diagnostic Script (.github/scripts/secrets-diagnostics.cjs)

  • Tests 8 secrets via native HTTPS API calls (GitHub REST/GraphQL, Anthropic, OpenAI, Brave, Notion)
  • Generates markdown report with status (success/failure/not-set/skipped), API responses, and actionable recommendations
  • Zero dependencies, 10s timeout per call, color-coded console output

Workflow (.github/workflows/secrets-diagnostics.yml)

  • Triggers: workflow_dispatch + weekly schedule (Mon 9AM UTC)
  • Outputs: Step summary + artifact (30d retention)
  • Read-only permissions, never fails pipeline

Report Structure

## Summary
- Total Tests: 9
- ✅ Successful: 5
- ❌ Failed: 1
- ⚪ Not Set: 3

## Detailed Results

### GH_AW_GITHUB_TOKEN
#### GitHub REST API
- **Status:** ✅ success
- **Message:** REST API access successful
- **Details:**
  ```json
  {"statusCode": 200, "repoName": "githubnext/gh-aw"}
  ```

Recommendations

Failed Tests

  • OPENAI_API_KEY - Invalid key (401)

## Secrets Tested

- **GitHub**: `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `GH_AW_PROJECT_GITHUB_TOKEN`
- **AI Engines**: `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `GH_AW_COPILOT_TOKEN`
- **Integrations**: `BRAVE_API_KEY`, `NOTION_API_TOKEN`

## Extension Pattern

Add new secret tests in three locations:

```javascript
// 1. Test function in secrets-diagnostics.cjs
async function testNewAPI(token) {
  if (!token) return { status: 'not_set', message: 'Token not set' };
  const result = await makeRequest('api.example.com', '/v1/auth', {
    'Authorization': `Bearer ${token}`
  });
  return result.statusCode === 200
    ? { status: 'success', message: 'Authenticated' }
    : { status: 'failure', message: `Status ${result.statusCode}` };
}

// 2. Call in runDiagnostics()
const newResult = await testNewAPI(process.env.NEW_SECRET);
results.push({ secret: 'NEW_SECRET', test: 'API Auth', ...newResult });

```

```yaml
# 3. Workflow env
env:
  NEW_SECRET: ${{ secrets.NEW_SECRET }}
```

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing

Original prompt

Create an action workflow (non-agentic) that runs diagnostic tests for each secret used in the repo that generate a diagnostic report about the current support status.

The action should be a JavaScript script that checks each known secret and validates that it is properly configured (to some extent).

For example, for GH_AW_GITHUB_TOKEN, test a read-only REST and GraphQL query against the current repo. Report the API status code.

Collect results in a diagnostics.md file that will get uploaded to an artifact and as a step summary.

Cover all the known secrets including agentic engine secrets.

If the secrets are not set, just mention it and go on.
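A report that copies API responses into an uploaded artifact needs its own scrubbing step, because an error body can repeat the credential that was rejected. The following is an added example, not code from this PR or from secrets-diagnostics.cjs: `scrub`, `renderReport`, the sample key and the sample results are constructed, and only the result shape (`secret`, `test`, `status`, `message`, `details`) and the `not_set` status are taken from the extension pattern above.

```javascript
// Added example: hypothetical helpers, not code from secrets-diagnostics.cjs.
const ICON = { success: '✅', failure: '❌', not_set: '⚪', skipped: '⏭️' };

// Recursively replace secret values (raw or URL-encoded) in strings, arrays
// and objects, before anything is serialized into the report.
function scrub(value, secrets) {
  if (typeof value === 'string') {
    let out = value;
    for (const s of secrets) {
      if (!s || s.length < 8) continue; // unset, or too short to match safely
      for (const form of new Set([s, encodeURIComponent(s)])) {
        out = out.split(form).join('***');
      }
    }
    return out;
  }
  if (Array.isArray(value)) return value.map((v) => scrub(v, secrets));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrub(v, secrets)]));
  }
  return value; // numbers, booleans, null, undefined
}

// Render a markdown report in the layout shown under "Report Structure".
function renderReport(results, secrets) {
  const count = (s) => results.filter((r) => r.status === s).length;
  const lines = ['## Summary', `- Total Tests: ${results.length}`,
    `- ✅ Successful: ${count('success')}`, `- ❌ Failed: ${count('failure')}`,
    `- ⚪ Not Set: ${count('not_set')}`, '', '## Detailed Results'];
  for (const raw of results) {
    const r = scrub(raw, secrets); // scrub every field, not only details
    lines.push(`### ${r.secret}`, `#### ${r.test}`,
      `- **Status:** ${ICON[r.status] || '?'} ${r.status}`,
      `- **Message:** ${r.message}`);
    if (r.details) lines.push(`- **Details:** \`${JSON.stringify(r.details)}\``);
  }
  return lines.join('\n');
}

// Constructed sample: an error body that echoes the submitted key.
const SAMPLE_KEY = 'sk-constructed-EXAMPLE-0000';
const SAMPLE_RESULTS = [
  { secret: 'GH_AW_GITHUB_TOKEN', test: 'GitHub REST API', status: 'success',
    message: 'REST API access successful', details: { statusCode: 200 } },
  { secret: 'OPENAI_API_KEY', test: 'API Auth', status: 'failure', message: 'Status 401',
    details: { statusCode: 401, body: `rejected key ${SAMPLE_KEY}` } },
  { secret: 'BRAVE_API_KEY', test: 'API Auth', status: 'not_set', message: 'Token not set' },
];
console.log(renderReport(SAMPLE_RESULTS, [SAMPLE_KEY]));
```

Pass `scrub` every value read from `process.env` for the tested secrets, including the ones whose tests succeeded, so a value that surfaces under a different secret's result is still removed.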


Copilot AI and others added 3 commits January 13, 2026 18:02
- Create JavaScript diagnostic script (.github/scripts/secrets-diagnostics.cjs)
  - Tests GH_AW_GITHUB_TOKEN with REST and GraphQL APIs
  - Tests GH_AW_GITHUB_MCP_SERVER_TOKEN and GH_AW_PROJECT_GITHUB_TOKEN
  - Tests GH_AW_COPILOT_TOKEN (Copilot CLI availability)
  - Tests ANTHROPIC_API_KEY, OPENAI_API_KEY, BRAVE_API_KEY, NOTION_API_TOKEN
  - Generates detailed markdown report with status for each secret
  - Provides recommendations for not-set and failed secrets
- Create GitHub Actions workflow (.github/workflows/secrets-diagnostics.yml)
  - Runs on workflow_dispatch and weekly schedule (Mondays at 9 AM UTC)
  - Executes diagnostic script with all known secrets
  - Uploads diagnostics.md as artifact (30-day retention)
  - Displays report in step summary
  - Informational only - does not fail on secret issues

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Create comprehensive README for the workflow
- Document all tested secrets and their purposes
- Explain test result statuses and report structure
- Include usage instructions and troubleshooting guide
- Provide examples for adding new secrets

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add action workflow for running diagnostic tests on secrets Add secrets diagnostics workflow for repository health monitoring Jan 13, 2026
Copilot AI requested a review from pelikhan January 13, 2026 18:09
@@ -0,0 +1,199 @@
# Secrets Diagnostics Workflow
Contributor

@copilot delete this file

Contributor Author

Done in 37bfc6f

As requested in PR review feedback.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan January 13, 2026 18:20
@pelikhan pelikhan marked this pull request as ready for review January 13, 2026 18:27
@pelikhan pelikhan merged commit 16ea7fd into main Jan 13, 2026
@pelikhan pelikhan deleted the copilot/add-diagnostic-workflow-for-secrets branch January 13, 2026 18:27