Bug: duplicate 'Generate GitHub App token' step in activation job when checkout + tools.github used with top-level github-app

[yskopets]

Summary

Workflows that combine all three of the following fail to compile with v0.66.1:

1. A top-level github-app: configuration
2. A checkout: entry for a cross-repository checkout
3. tools.github: (e.g. mode: remote)

The error emitted by the compiler is:

error: failed to generate YAML: failed to build and validate jobs: duplicate step validation failed:
  compiler bug: duplicate step 'Generate GitHub App token' found in job 'activation' (positions 5 and 20)

The phrase "compiler bug" is part of the error string itself — the compiler's own assertion fires on the output it just generated.

Root Cause

PR #24251 moved GitHub App token minting from the agent job to the activation job. It introduced two independent minting operations that both end up in the activation job:

1. github-mcp-app-token — minted for tools.github when the top-level github-app: is used as fallback
2. checkout-app-token-0 — minted for the cross-repo checkout: when the top-level github-app: is used as fallback

Both steps are assigned name: "Generate GitHub App token". The duplicate-name validation then rejects the workflow.

Minimal Reproduction

# workflow.md
github-app:
  app-id: ${{ secrets.APP_ID }}
  private-key: ${{ secrets.APP_PRIVATE_KEY }}
  repositories: ["side-repo", "target-repo"]

checkout:
  - repository: myorg/target-repo
    ref: main

tools:
  github:
    mode: remote
    toolsets: [default]

on:
  schedule: daily
  workflow_dispatch:

engine:
  id: claude

network:
  allowed:
    - defaults

gh aw compile workflow.md
# ✗ workflow.md: compiler bug: duplicate step 'Generate GitHub App token'
#   found in job 'activation' (positions 5 and N)

Expected Behavior

The workflow compiles successfully — as it did with v0.65.5. The two token-minting steps in the activation job should either:

• have distinct names (e.g. "Generate GitHub App token for checkout"), or
• be deduplicated when both operations can share a single token.

Additional Notes

• Workflows with only checkout: or only tools.github: (but not both) compile fine
• Removing the top-level github-app: and specifying it explicitly under tools.github.github-app: does not help — both steps still share the same display name
• All affected workflows continue to run correctly from their v0.65.5 lock files; the issue is compile-only
• Related: Bug: github_mcp_app_token activation output silently skipped — regression introduced in #24251 #24569 (the masked-token job-output regression also introduced by Move github-app token minting to activation job #24251)

Version

gh aw version v0.66.1

---

This issue was generated by Claude Code (claude-sonnet-4-6).

[pelikhan]

@copilot add integration test for this scenario