fix(auth): fall back to GitHub App installation token when user has no OAuth#34
Merged
Conversation
…o OAuth Tasks created by users who signed in via non-GitHub providers (Google/OIDC) were failing with `agent_no_output`. The credential helper called /api/internal/git-credentials, which returned 500 because getTokenForUser only fell back to PAT (`user OAuth → PAT → throw`) and never tried the installed GitHub App. Without a PAT configured, the helper returned nothing, git prompted for credentials on a non-TTY stdin, and the agent's entrypoint died on `set -e` before the agent could start. Reorder the fallback chain to `user OAuth → App installation → PAT` (the order the existing docstring and error message already implied). Folds `getPatFallback` and `getServerToken` into a single `fallbackToAppOrPat` helper used by both user-scoped and server-scoped lookups, removing two layers of indirection. Also stops the recurring `Secret not found` errors from pr-watcher and reconcile-snapshot that hit the same code path on every poll cycle.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tasks created by users who signed in via non-GitHub providers (Google/OIDC) were failing with
agent_no_output. The credential helper called /api/internal/git-credentials, which returned 500 because getTokenForUser only fell back to PAT (user OAuth → PAT → throw) and never tried the installed GitHub App. Without a PAT configured, the helper returned nothing, git prompted for credentials on a non-TTY stdin, and the agent's entrypoint died onset -ebefore the agent could start.Reorder the fallback chain to
user OAuth → App installation → PAT(the order the existing docstring and error message already implied). FoldsgetPatFallbackandgetServerTokeninto a singlefallbackToAppOrPathelper used by both user-scoped and server-scoped lookups, removing two layers of indirection.Also stops the recurring
Secret not founderrors from pr-watcher and reconcile-snapshot that hit the same code path on every poll cycle.Summary
Changes
Testing
pnpm turbo test)pnpm turbo typecheck)Related
Closes #
Screenshots