environment: frontmatter does not propagate to activation job — environment-level secrets fail validation

[AlexDeMichieli]

Problem

When environment: is set in the workflow frontmatter, the compiler only applies it to the agent and safe_outputs jobs. The activation job does not inherit it.

The activation job runs validate_multi_secret.sh COPILOT_GITHUB_TOKEN, which checks if the engine secret is configured. When the secret is stored as an environment-level secret (not repo-level), the activation job can't access it and fails. Since every other job depends on activation, the entire workflow is blocked.

Steps to reproduce

1. Create a workflow with environment: production in the frontmatter
2. Store COPILOT_GITHUB_TOKEN as an environment secret (Settings > Environments > production)
3. Do not set any repo-level secrets
4. Run gh aw compile (v0.68.3)
5. Trigger the workflow
6. activation job fails at "Validate COPILOT_GITHUB_TOKEN secret"

Expected behavior

If environment: is set in the frontmatter, the activation job should either inherit the environment setting or skip the early token validation when an environment is configured.

Context

Enterprise customer whose IAM policy prohibits repo-level secrets. Environment-level secrets are the workaround, but incomplete propagation blocks it.

[pelikhan]

Validate that environment disables the token check in activation job