Fix invalid YAML from checkout GitHub App token steps in safe_outputs jobs (#40301)

* Initial plan

* Plan regression fix

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Fix duplicate if injection on checkout app token steps

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Plan comment follow-up

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Merge main and refresh checkout pin fixtures

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Add regression coverage for push-to-pull-request-branch checkout app token condition

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

Author: Copilot

pkg/workflow/checkout_step_generator.go

@@ -27,7 +27,8 @@ func wikiRepository(repository string) string {
 // referenced in the corresponding checkout step.
 //
 // The step ID for each checkout is "checkout-app-token-{index}" where index is
-// the position in the ordered checkout list.
+// the position in the ordered checkout list. Each returned slice element is a
+// complete YAML step string, matching injectStepCondition's whole-step contract.
 func (cm *CheckoutManager) GenerateCheckoutAppTokenSteps(c *Compiler, permissions *Permissions) []string {
 	checkoutManagerLog.Printf("Building app token minting steps for %d checkout entries", len(cm.ordered))
 	var steps []string
@@ -38,14 +39,34 @@ func (cm *CheckoutManager) GenerateCheckoutAppTokenSteps(c *Compiler, permission
 		checkoutManagerLog.Printf("Generating app token minting step for checkout index=%d repo=%q", checkoutIndex, entry.key.repository)
 		// Pass empty fallback so the app token defaults to github.event.repository.name.
 		// Checkout-specific cross-repo scoping is handled via the explicit repository field.
-		steps = append(steps, c.buildGitHubAppTokenMintStepWithMeta(
+		steps = append(steps, collapseYAMLLinesIntoSteps(c.buildGitHubAppTokenMintStepWithMeta(
 			entry.githubApp,
 			permissions,
 			"",
 			entry.key.repository,
 			fmt.Sprintf("Generate GitHub App token for checkout (%d)", checkoutIndex),
 			fmt.Sprintf("checkout-app-token-%d", checkoutIndex),
-		)...)
+		))...)
+	}
+	return steps
+}
+
+func collapseYAMLLinesIntoSteps(lines []string) []string {
+	if len(lines) == 0 {
+		return nil
+	}
+
+	var steps []string
+	var current strings.Builder
+	for _, line := range lines {
+		if strings.HasPrefix(line, "      - ") && current.Len() > 0 {
+			steps = append(steps, current.String())
+			current.Reset()
+		}
+		current.WriteString(line)
+	}
+	if current.Len() > 0 {
+		steps = append(steps, current.String())
 	}
 	return steps
 }

pkg/workflow/duplicate_step_validation_integration_test.go

@@ -9,8 +9,10 @@ import (
 	"testing"
 
 	"github.com/github/gh-aw/pkg/stringutil"
-
 	"github.com/github/gh-aw/pkg/testutil"
+	"github.com/goccy/go-yaml"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 // TestDuplicateStepValidation_Integration tests that the duplicate step validation
@@ -188,3 +190,83 @@ compile without duplicate 'Generate GitHub App token' step errors in the activat
 
 	t.Logf("✓ No duplicate token steps: checkout (0) count=%d, checkout (1) count=%d, generic in agent=%d", count0, count1, genericCountInAgent)
 }
+
+// TestDuplicateStepValidation_CheckoutAppTokenCondition_Integration verifies that
+// safe_outputs checkout app-token steps remain valid YAML when PR-producing
+// safe outputs inject a shared condition onto mirrored checkout steps.
+func TestDuplicateStepValidation_CheckoutAppTokenCondition_Integration(t *testing.T) {
+	cases := []struct {
+		name                 string
+		safeOutputConfigLine string
+		outputType           string
+	}{
+		{
+			name:                 "create_pull_request",
+			safeOutputConfigLine: "create-pull-request: {}",
+			outputType:           "create_pull_request",
+		},
+		{
+			name:                 "push_to_pull_request_branch",
+			safeOutputConfigLine: "push-to-pull-request-branch: {}",
+			outputType:           "push_to_pull_request_branch",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			tmpDir := testutil.TempDir(t, "duplicate-checkout-app-token-if-test")
+
+			mdContent := `---
+on:
+  issues:
+    types: [opened]
+engine: claude
+strict: false
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+checkout:
+  github-app:
+    app-id: ${{ secrets.APP_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+safe-outputs:
+  ` + tc.safeOutputConfigLine + `
+---
+
+# Test Workflow
+`
+
+			mdFile := filepath.Join(tmpDir, "test-checkout-app-token-condition.md")
+			err := os.WriteFile(mdFile, []byte(mdContent), 0644)
+			require.NoError(t, err, "Failed to create test file")
+
+			compiler := NewCompiler()
+			err = compiler.CompileWorkflow(mdFile)
+			require.NoError(t, err, "Regression: checkout github-app + PR-producing safe output should compile successfully")
+
+			lockFile := stringutil.MarkdownToLockFile(mdFile)
+			lockContent, err := os.ReadFile(lockFile)
+			require.NoError(t, err, "Failed to read lock file")
+
+			var workflow map[string]any
+			require.NoError(t, yaml.Unmarshal(lockContent, &workflow), "compiled lock file should be valid YAML")
+
+			safeOutputsSection := extractJobSection(string(lockContent), "safe_outputs")
+			stepStart := strings.Index(safeOutputsSection, "      - name: Generate GitHub App token for checkout (0)\n")
+			require.NotEqual(t, -1, stepStart, "safe_outputs job should contain the checkout app-token step")
+
+			stepEnd := strings.Index(safeOutputsSection[stepStart+1:], "\n      - ")
+			if stepEnd == -1 {
+				stepEnd = len(safeOutputsSection)
+			} else {
+				stepEnd += stepStart + 1
+			}
+			stepBlock := safeOutputsSection[stepStart:stepEnd]
+
+			assert.Equal(t, 1, strings.Count(stepBlock, "\n        if: "), "checkout app-token step should have exactly one injected if condition")
+			assert.Contains(t, stepBlock, "id: checkout-app-token-0")
+			assert.Contains(t, stepBlock, tc.outputType)
+		})
+	}
+}