fix: add auth and error handling to build-test workflows (#514)

- Add env.GH_TOKEN using GH_AW_GITHUB_MCP_SERVER_TOKEN secret
- Change git clone to gh repo clone (uses GH_TOKEN automatically)
- Add explicit failure handling instructions in prompts
- Workflows fail visibly when clone/build/test fails

Affected workflows: build-test-{java,rust,node,go,cpp,deno,bun}

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: Mossaka

.github/workflows/build-test-bun.lock.yml

@@ -33,6 +33,8 @@ safe-outputs:
     run-failure: "**Build Test Failed** [{workflow_name}]({run_url}) - See logs for details"
 timeout-minutes: 15
 strict: true
+env:
+  GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
 ---
 
 # Build Test: Bun
@@ -48,7 +50,8 @@ strict: true
    export PATH="$BUN_INSTALL/bin:$PATH"
    ```
 
-2. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-bun.git /tmp/test-bun`
+2. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-bun /tmp/test-bun`
+   - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
 
 3. **Test Projects**:
    - `elysia`: `cd /tmp/test-bun/elysia && bun install && bun test`
@@ -72,3 +75,13 @@ Add a comment to the current pull request with a summary table:
 
 If ALL tests pass, add the label `build-test-bun` to the pull request.
 If ANY test fails, report the failure with error details.
+
+## Error Handling
+
+**CRITICAL**: This workflow MUST fail visibly when errors occur:
+
+1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
+2. **Bun install failure**: Call `safeoutputs-missing_tool` with "BUN_INSTALL_FAILED: [error message]"
+3. **Test failure**: Report in comment table with FAIL status and include failure details
+
+DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.

.github/workflows/build-test-bun.md

@@ -31,6 +31,8 @@ safe-outputs:
     run-failure: "**Build Test Failed** [{workflow_name}]({run_url}) - See logs for details"
 timeout-minutes: 30
 strict: true
+env:
+  GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
 ---
 
 # Build Test: C++
@@ -41,7 +43,8 @@ strict: true
 
 Clone and test the following projects from the test repository:
 
-1. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-cpp.git /tmp/test-cpp`
+1. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-cpp /tmp/test-cpp`
+   - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
 
 2. **Test Projects**:
    - `fmt`:
@@ -77,3 +80,13 @@ Add a comment to the current pull request with a summary table:
 
 If ALL builds pass, add the label `build-test-cpp` to the pull request.
 If ANY build fails, report the failure with error details.
+
+## Error Handling
+
+**CRITICAL**: This workflow MUST fail visibly when errors occur:
+
+1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
+2. **CMake failure**: Report in comment table with ❌ and include error output
+3. **Build failure**: Report in comment table with ❌ and include failure details
+
+DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.

.github/workflows/build-test-cpp.lock.yml

@@ -35,6 +35,8 @@ safe-outputs:
     run-failure: "**Build Test Failed** [{workflow_name}]({run_url}) - See logs for details"
 timeout-minutes: 15
 strict: true
+env:
+  GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
 ---
 
 # Build Test: Deno
@@ -50,7 +52,8 @@ strict: true
    export PATH="$DENO_INSTALL/bin:$PATH"
    ```
 
-2. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-deno.git /tmp/test-deno`
+2. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-deno /tmp/test-deno`
+   - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
 
 3. **Test Projects**:
    - `oak`: `cd /tmp/test-deno/oak && deno test`
@@ -73,3 +76,13 @@ Add a comment to the current pull request with a summary table:
 
 If ALL tests pass, add the label `build-test-deno` to the pull request.
 If ANY test fails, report the failure with error details.
+
+## Error Handling
+
+**CRITICAL**: This workflow MUST fail visibly when errors occur:
+
+1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
+2. **Deno install failure**: Call `safeoutputs-missing_tool` with "DENO_INSTALL_FAILED: [error message]"
+3. **Test failure**: Report in comment table with FAIL status and include failure details
+
+DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.

.github/workflows/build-test-cpp.md

@@ -35,6 +35,8 @@ safe-outputs:
     run-failure: "**Build Test Failed** [{workflow_name}]({run_url}) - See logs for details"
 timeout-minutes: 15
 strict: true
+env:
+  GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
 ---
 
 # Build Test: Go
@@ -45,7 +47,8 @@ strict: true
 
 Clone and test the following projects from the test repository:
 
-1. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-go.git /tmp/test-go`
+1. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-go /tmp/test-go`
+   - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
 
 2. **Test Projects**:
    - `color`: `cd /tmp/test-go/color && go mod download && go test ./...`
@@ -71,3 +74,13 @@ Add a comment to the current pull request with a summary table:
 
 If ALL tests pass, add the label `build-test-go` to the pull request.
 If ANY test fails, report the failure with error details.
+
+## Error Handling
+
+**CRITICAL**: This workflow MUST fail visibly when errors occur:
+
+1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
+2. **Download failure**: Report in comment table with ❌ and include error output
+3. **Test failure**: Report in comment table with FAIL status and include failure details
+
+DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.

.github/workflows/build-test-deno.lock.yml

@@ -35,6 +35,8 @@ safe-outputs:
     run-failure: "**Build Test Failed** [{workflow_name}]({run_url}) - See logs for details"
 timeout-minutes: 15
 strict: true
+env:
+  GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
 ---
 
 # Build Test: Java
@@ -45,7 +47,8 @@ strict: true
 
 Clone and test the following projects from the test repository:
 
-1. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-java.git /tmp/test-java`
+1. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-java /tmp/test-java`
+   - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
 
 2. **Test Projects**:
    - `gson`: `cd /tmp/test-java/gson && mvn compile && mvn test`
@@ -69,3 +72,13 @@ Add a comment to the current pull request with a summary table:
 
 If ALL tests pass, add the label `build-test-java` to the pull request.
 If ANY test fails, report the failure with error details.
+
+## Error Handling
+
+**CRITICAL**: This workflow MUST fail visibly when errors occur:
+
+1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
+2. **Build failure**: Report in comment table with ❌ and include error output
+3. **Test failure**: Report in comment table with FAIL status and include failure details
+
+DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.