integrated secret mgt into the gh aw init flow and updated install.md

Author: mnkiefer

.github/aw/github-agentic-workflows.md

@@ -81,7 +81,7 @@ curl -sL https://raw.githubusercontent.com/githubnext/gh-aw/main/install-gh-aw.s
 Run:
 
 ```bash
-gh aw init --mcp
+gh aw init --mcp --tokens --engine copilot
 ```
 
 **What this does:**
@@ -90,6 +90,7 @@ gh aw init --mcp
 - ✅ Creates `.github/aw/github-agentic-workflows.md` with comprehensive gh-aw documentation
 - ✅ Creates `.github/agents/*.agent.md` files with specialized AI assistants for workflow creation and debugging
 - ✅ Updates copilot setup steps to install the gh aw extension and setup the Agentic Workflows MCP server
+- ✅ Validates which secrets are configured and shows commands to set up missing ones
 - ✅ Prepares your repository structure for agentic workflows
 
 **Expected output:**
@@ -99,13 +100,26 @@ gh aw init --mcp
 ✓ Created .github/aw/github-agentic-workflows.md
 ✓ Created .github/agents/create-agentic-workflow.agent.md
 ✓ Created .github/agents/debug-agentic-workflow.agent.md
+
+ℹ Checking recommended gh-aw token secrets in <your-repo>...
+ℹ Checking tokens for engine: copilot
+✗ Required gh-aw token secrets are missing:
+
+ℹ Secret: COPILOT_GITHUB_TOKEN
+ℹ When needed: Copilot workflows (CLI, engine, agent tasks, etc.)
+ℹ Recommended scopes: PAT with Copilot Requests permission and repo access
+⚡ gh aw secret set COPILOT_GITHUB_TOKEN --owner <owner> --repo <repo>
+
+✓ Repository initialized for agentic workflows!
 ```
 
-**✨ Checkpoint:** Verify that `.github/aw/` and `.github/agents/` directories were created with the files listed above.
+**✨ Checkpoint:** Verify that `.github/aw/` and `.github/agents/` directories were created with the files listed above. If you see missing secrets listed, continue to Step 3 to configure them.
 
-## Step 3: Configure AI Engine (GitHub Copilot)
+## Step 3: Configure Missing Secrets
 
-Agentic workflows use AI agents to execute your instructions. The default engine is **GitHub Copilot CLI**.
+If the `gh aw init` command showed missing secrets, you'll need to add them to your repository.
+
+### For GitHub Copilot Engine (COPILOT_GITHUB_TOKEN)
 
 ### Prerequisites
 
@@ -141,7 +155,14 @@ Agentic workflows use AI agents to execute your instructions. The default engine
 
 **⚠️ Security Warning:** Never paste your token in this chat or commit it to your repository.
 
-Add the token to your repository using the GitHub.com user interface:
+Use the new `gh aw secret set` command to add the token securely:
+
+```bash
+# You'll be prompted to enter the token value via stdin
+gh aw secret set COPILOT_GITHUB_TOKEN --owner <your-org> --repo <your-repo>
+```
+
+Or add it via the GitHub.com interface:
 
 1. Navigate to your repository on GitHub.com
 2. Click **Settings** (in the repository menu)
@@ -153,7 +174,13 @@ Add the token to your repository using the GitHub.com user interface:
 
 **Expected result:** You should see `COPILOT_GITHUB_TOKEN` listed in your repository secrets.
 
-**✨ Checkpoint:** Verify the secret was added by checking the Actions secrets page in your repository settings.
+**✨ Checkpoint:** Verify the secret was added by running:
+
+```bash
+gh aw tokens bootstrap --engine copilot
+```
+
+This should now show that all required secrets are present.
 
 **📚 Reference:** [GitHub Copilot CLI documentation](https://docs.github.com/en/copilot/concepts/agents/about-copilot-cli)
 

install.md

@@ -12,7 +12,7 @@ import (
 var initLog = logger.New("cli:init")
 
 // InitRepository initializes the repository for agentic workflows
-func InitRepository(verbose bool, mcp bool, campaign bool, codespaceRepos []string, codespaceEnabled bool) error {
+func InitRepository(verbose bool, mcp bool, campaign bool, tokens bool, engine string, codespaceRepos []string, codespaceEnabled bool) error {
 	initLog.Print("Starting repository initialization for agentic workflows")
 
 	// Ensure we're in a git repository
@@ -138,6 +138,20 @@ func InitRepository(verbose bool, mcp bool, campaign bool, codespaceRepos []stri
 		}
 	}
 
+	// Validate tokens if requested
+	if tokens {
+		initLog.Print("Validating repository secrets for agentic workflows")
+		fmt.Fprintln(os.Stderr, "")
+		
+		// Run token bootstrap validation
+		if err := runTokensBootstrap(engine, "", ""); err != nil {
+			initLog.Printf("Token validation failed: %v", err)
+			// Don't fail init if token validation has issues
+			fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Token validation encountered an issue: %v", err)))
+		}
+		fmt.Fprintln(os.Stderr, "")
+	}
+
 	initLog.Print("Repository initialization completed successfully")
 
 	// Display success message with next steps
@@ -152,6 +166,10 @@ func InitRepository(verbose bool, mcp bool, campaign bool, codespaceRepos []stri
 		fmt.Fprintln(os.Stderr, console.FormatInfoMessage("GitHub Codespaces devcontainer configured"))
 		fmt.Fprintln(os.Stderr, "")
 	}
+	if tokens {
+		fmt.Fprintln(os.Stderr, console.FormatInfoMessage("To configure missing secrets, use: gh aw secret set <secret-name> --owner <owner> --repo <repo>"))
+		fmt.Fprintln(os.Stderr, "")
+	}
 	fmt.Fprintln(os.Stderr, console.FormatInfoMessage("To create a workflow, launch Copilot CLI: npx @github/copilot"))
 	fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Then type /agent and select create-agentic-workflow"))
 	fmt.Fprintln(os.Stderr, "")

pkg/cli/init.go

@@ -25,6 +25,11 @@ This command:
 - Creates the debug agentic workflow agent at .github/agents/debug-agentic-workflow.agent.md
 - Removes old prompt files from .github/prompts/ if they exist
 
+With --tokens flag:
+- Validates which required and optional secrets are configured
+- Provides commands to set up missing secrets for the specified engine
+- Use with --engine flag to check engine-specific tokens (copilot, claude, codex)
+
 With --mcp flag:
 - Creates .github/workflows/copilot-setup-steps.yml with gh-aw installation steps
 - Creates .vscode/mcp.json with gh-aw MCP server configuration
@@ -50,12 +55,15 @@ Examples:
   ` + constants.CLIExtensionPrefix + ` init
   ` + constants.CLIExtensionPrefix + ` init -v
   ` + constants.CLIExtensionPrefix + ` init --mcp
+  ` + constants.CLIExtensionPrefix + ` init --tokens --engine copilot
   ` + constants.CLIExtensionPrefix + ` init --codespaces
   ` + constants.CLIExtensionPrefix + ` init --codespaces repo1,repo2`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			verbose, _ := cmd.Flags().GetBool("verbose")
 			mcp, _ := cmd.Flags().GetBool("mcp")
 			campaign, _ := cmd.Flags().GetBool("campaign")
+			tokens, _ := cmd.Flags().GetBool("tokens")
+			engine, _ := cmd.Flags().GetString("engine")
 			codespaceReposStr, _ := cmd.Flags().GetString("codespaces")
 			codespaceEnabled := cmd.Flags().Changed("codespaces")
 
@@ -72,8 +80,8 @@ Examples:
 				}
 			}
 
-			initCommandLog.Printf("Executing init command: verbose=%v, mcp=%v, campaign=%v, codespaces=%v, codespaceEnabled=%v", verbose, mcp, campaign, codespaceRepos, codespaceEnabled)
-			if err := InitRepository(verbose, mcp, campaign, codespaceRepos, codespaceEnabled); err != nil {
+			initCommandLog.Printf("Executing init command: verbose=%v, mcp=%v, campaign=%v, tokens=%v, engine=%v, codespaces=%v, codespaceEnabled=%v", verbose, mcp, campaign, tokens, engine, codespaceRepos, codespaceEnabled)
+			if err := InitRepository(verbose, mcp, campaign, tokens, engine, codespaceRepos, codespaceEnabled); err != nil {
 				initCommandLog.Printf("Init command failed: %v", err)
 				return err
 			}
@@ -84,6 +92,8 @@ Examples:
 
 	cmd.Flags().Bool("mcp", false, "Configure GitHub Copilot Agent MCP server integration")
 	cmd.Flags().Bool("campaign", false, "Install the Campaign Designer agent for gh-aw campaigns in this repository")
+	cmd.Flags().Bool("tokens", false, "Validate required secrets for agentic workflows")
+	cmd.Flags().String("engine", "", "AI engine to check tokens for (copilot, claude, codex) - requires --tokens flag")
 	cmd.Flags().String("codespaces", "", "Create devcontainer.json for GitHub Codespaces with agentic workflows support. Specify comma-separated repository names in the same organization (e.g., repo1,repo2), or use without value for current repo only")
 	// NoOptDefVal allows using --codespaces without a value (returns empty string when no value provided)
 	cmd.Flags().Lookup("codespaces").NoOptDefVal = " "