feat(#256): add GH_TOKEN validation to pre-retro.sh#262
feat(#256): add GH_TOKEN validation to pre-retro.sh#262fullsend-ai-coder[bot] wants to merge 2 commits into
Conversation
Validate GH_TOKEN with gh auth status before the sandbox starts. When the token is invalid, exit 1 with an ::error:: annotation, saving the cost of a full agent run (model inference, sandbox creation, teardown). When GH_TOKEN is unset, emit a ::warning:: and continue with limited functionality. This follows the pattern from pre-review.sh which performs token-dependent pre-flight checks. Closes #256
E2E tests did not runE2E tests run automatically for org/repo members and collaborators on pull requests. For other contributors, a maintainer must add the See E2E testing guide for details. |
|
🤖 Finished Review · ❌ Failure · Started 12:55 PM UTC · Completed 12:55 PM UTC |
|
/fs-review |
|
🤖 Finished Review · ✅ Success · Started 3:57 PM UTC · Completed 4:05 PM UTC |
Review — ApproveThe change correctly addresses issue #256 by adding GH_TOKEN validation to The test file covers the key scenarios (valid token, invalid token, absent token, on-demand trigger, automatic trigger) using a mock
FindingsLow — PR body description mismatch ( Low — Low — Pattern divergence ( Low — Labels: PR modifies retro agent pre-script under internal/scaffold/fullsend-repo/scripts/ Previous runReview — request-changesPR: feat(#256): add GH_TOKEN validation to pre-retro.sh The change adds a Findings🔴 High — Fail-fast gap on absent GH_TOKENFile: When : "${GH_TOKEN:?GH_TOKEN is required}"The entire sandbox run is wasted — model inference, compute, teardown — on a run that can never post results. This is the exact failure mode issue #256 aimed to prevent, and it occurs on the most expensive path (absent token → full sandbox → guaranteed post-script failure). Remediation: Change the else
echo "::error::GH_TOKEN is not set — retro agent requires GitHub API access"
exit 1
fiUpdate the header comment to move 🟡 Medium — Missing test fileFile:
🟡 Medium — Plan document stalenessFile: The plan document lists 🔵 Low —
|
|
/fs-fix |
|
🤖 Finished Fix · ✅ Success · Started 5:38 PM UTC · Completed 5:47 PM UTC |
- Fail hard (exit 1) when GH_TOKEN is unset instead of warning and continuing — prevents wasting a full sandbox run that will always fail in post-retro.sh (closes the fail-fast gap from issue #256) - Move GH_TOKEN from optional to required in header comment - Add ::add-mask:: to redact token from CI logs (defense-in-depth) - Suppress gh auth status stdout (>/dev/null 2>&1) - Add comment noting gh auth status checks auth, not scopes - Add pre-retro-test.sh covering valid/invalid/absent token paths Addresses review feedback on #262
🔧 Fix agent — iteration 1 (human-triggered)Addressed all 6 review findings. Core fix: GH_TOKEN is now required (exit 1 if absent), closing the fail-fast gap from #256. Added ::add-mask::, suppressed gh auth stdout, added scope-limitation comment, and created pre-retro-test.sh with 5 test cases. Plan doc already correct — no change needed. Fixed (6):
Tests: passed Updated by fullsend fix agent |
|
🤖 Finished Review · ✅ Success · Started 5:50 PM UTC · Completed 5:59 PM UTC |
Superseded by updated review
| exit 1 | ||
| fi | ||
| echo "::add-mask::${GH_TOKEN}" | ||
| if ! gh auth status >/dev/null 2>&1; then |
There was a problem hiding this comment.
[low] observability
gh auth status stderr suppressed (>/dev/null 2>&1) hides diagnostics that distinguish token expiry from revocation. Consider capturing stderr for a more informative error annotation.
Suggested fix: Replace with: if ! auth_err=$(gh auth status 2>&1); then echo "::error::GH_TOKEN validation failed — ${auth_err}"; exit 1; fi
| echo "::error::GH_TOKEN is not set — retro agent requires GitHub API access" | ||
| exit 1 | ||
| fi | ||
| echo "::add-mask::${GH_TOKEN}" |
There was a problem hiding this comment.
[low] workflow-command-injection
echo "::add-mask::${GH_TOKEN}" is theoretically vulnerable to newline-based workflow command injection. Risk is negligible: token is OIDC-minted (infrastructure-controlled), and this pattern is already used in post-retro.sh, post-review.sh, post-fix.sh, post-code.sh, and prepare-sandbox-credentials.sh.
Validate GH_TOKEN with gh auth status before the sandbox starts. When the token is invalid, exit 1 with an ::error:: annotation, saving the cost of a full agent run (model inference, sandbox creation, teardown). When GH_TOKEN is unset, emit a ::warning:: and continue with limited functionality.
This follows the pattern from pre-review.sh which performs token-dependent pre-flight checks.
Closes #256
Post-script verification
agent/256-gh-token-validation-retro)c776c248ac9a91f10998ca7107e974a6c9d76514..HEAD)