Skip to content

Activation 'needs' does not incorporate jobs in engine.env expressions #30790

Open
Open
Activation 'needs' does not incorporate jobs in engine.env expressions#30790
Labels
ai-inspected
@jeffhandley

Description

@jeffhandley
jeffhandley
opened on May 7, 2026

Follow up to Agent 'needs' does not incorporate jobs in engine.env expressions (#30232), which was fixed in Fix agent job needs not populated from engine.env needs expressions (#30239).

When an engine.env value contains a needs.<job>.outputs.* expression for overriding the COPILOT_GITHUB_TOKEN secret, this results in the activation job step validate-secret with a reference to that job, but the activation job does not gain a needs entry for the job. With the fix in #30239, the agent job has the needs entry as expected.

If the workflow compilation results in the inclusion of a pre_activation job, and the custom job declares a needs: [pre_activation], then the activation job DOES gain the custom job in its needs list. But if no pre_activation job is produced from the compilation, the custom job entry is excluded from the list (and I have not found a way to coerce it to be included). See Including on.needs for custom jobs results in invalid workflow (#30780) for an attempted workaround that led to another issue.

repro-activation-needs-bug.md

---
engine:
  id: copilot
  env:
    COPILOT_GITHUB_TOKEN: ${{ case(needs.custom_token.outputs.use_custom == true, secrets.CUSTOM_TOKEN, secrets.COPILOT_GITHUB_TOKEN) }}

jobs:
  custom_token:
    runs-on: ubuntu-slim
    steps:
      - id: check
        shell: bash
        run: echo "USE_CUSTOM=true" >> "$GITHUB_OUTPUT"
    outputs:
      use_custom: ${{ steps.check.outputs.use_custom }}

on:
  workflow_dispatch:
---

# Repro activation needs bug

Expected Result

# ...
jobs:
  activation:
    needs:
     - custom_token
    runs-on: ubuntu-slim
# ...
  agent:
    needs:
      - activation
      - custom_token
    runs-on: ubuntu-latest
# ...
  custom_token:
    runs-on: ubuntu-slim
# ...

Actual Result

# ...
jobs:
  activation:
    runs-on: ubuntu-slim
# ...
  agent:
    needs:
      - activation
      - custom_token
    runs-on: ubuntu-latest
# ...
  custom_token:
    runs-on: ubuntu-slim
# ...

Workaround
When a pre_activation job is present, and the custom job depends on it, the activation and agent job needs are correct. The cleanest way I've found to coerce a pre_activation job to be added is to add on.permissions: {} to the workflow, resulting in a near no-op pre_activation.

---
engine:
  id: copilot
  env:
    COPILOT_GITHUB_TOKEN: ${{ case(needs.custom_token.outputs.use_custom == true, secrets.CUSTOM_TOKEN, secrets.COPILOT_GITHUB_TOKEN) }}

jobs:
  custom_token:
    needs: [pre_activation]
    runs-on: ubuntu-slim
    steps:
      - id: check
        shell: bash
        run: echo "USE_CUSTOM=true" >> "$GITHUB_OUTPUT"
    outputs:
      use_custom: ${{ steps.check.outputs.use_custom }}

on:
  permissions: {}
  workflow_dispatch:
---

# Repro activation needs bug

This produces output of:

# ...
jobs:
  activation:
    needs:
      - custom_token
      - pre_activation
    if: needs.pre_activation.outputs.activated == 'true'
    runs-on: ubuntu-slim
# ...
  agent:
    needs:
      - activation
      - custom_token
    runs-on: ubuntu-latest
# ...
  custom_token:
    needs: pre_activation
    runs-on: ubuntu-slim
# ...
  pre_activation:
    runs-on: ubuntu-slim
# ...

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-inspected

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions