NO-JIRA: fix(ci): prevent Claude from breaking push credentials in fork PRs#8831
NO-JIRA: fix(ci): prevent Claude from breaking push credentials in fork PRs#8831bryan-cox wants to merge 1 commit into
Conversation
The address-review-comments workflow generates a GitHub App token for pushing to hypershift-community/hypershift fork PRs. actions/checkout configures the credential helper via persist-credentials. However, Claude was overwriting the remote URL with $GH_TOKEN on push timeouts, destroying the working credential config and causing all subsequent pushes to fail with auth errors. Add a verification step after checkout to fail fast if credentials are broken, expose PUSH_TOKEN/PR_REPO/PR_BRANCH env vars so Claude has the correct token available, and add a Claude rule file that instructs it to never modify the git remote URL in CI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
📝 WalkthroughWalkthroughThe PR adds a new CI rule file for git push behavior in GitHub Actions, covering remote URL handling, branch selection, timeout retries, and credential-helper reconfiguration on authentication failures. The reusable PR workflow now verifies access to the Sequence Diagram(s)sequenceDiagram
participant Workflow as reusable-claude-on-pr workflow
participant Origin as origin remote
participant RunClaude as Run Claude step
Workflow->>Origin: git ls-remote --exit-code origin HEAD
Origin-->>Workflow: exit code
Workflow->>RunClaude: set PR_REPO, PR_BRANCH, PUSH_TOKEN
Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bryan-cox The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@bryan-cox: This pull request explicitly references no jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8831 +/- ##
==========================================
- Coverage 42.11% 42.03% -0.09%
==========================================
Files 767 769 +2
Lines 95069 96852 +1783
==========================================
+ Hits 40039 40709 +670
- Misses 52216 53329 +1113
Partials 2814 2814 see 25 files with indirect coverage changes
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/reusable-claude-on-pr.yaml:
- Around line 83-88: The “Verify push credentials” step only validates read
access via git ls-remote in the workflow, so it can succeed even when later git
push fails; update this check in the reusable-claude-on-pr workflow to verify
actual push authorization using the same origin remote, and keep stderr visible
so failures provide diagnostics. Use the existing “Verify push credentials” step
and its git remote/origin setup to replace the read-only probe with a
push-oriented validation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: a0892273-85b0-4bb5-a258-d3562e6db500
📒 Files selected for processing (2)
.claude/rules/ci-git-push.md.github/workflows/reusable-claude-on-pr.yaml
| - name: Verify push credentials | ||
| run: | | ||
| echo "Remote URL: $(git remote get-url origin)" | ||
| echo "Credential helper configured by checkout — testing ls-remote..." | ||
| git ls-remote --exit-code origin HEAD > /dev/null 2>&1 | ||
| echo "Push credentials verified." |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Verify push authorization, not just fetch authorization
Line 87 uses git ls-remote, which only checks read access, so this can pass while later git push still fails (the exact failure mode this PR targets). Also, redirecting stderr to /dev/null removes useful failure diagnostics.
Suggested fix
- name: Verify push credentials
run: |
echo "Remote URL: $(git remote get-url origin)"
- echo "Credential helper configured by checkout — testing ls-remote..."
- git ls-remote --exit-code origin HEAD > /dev/null 2>&1
+ echo "Credential helper configured by checkout — testing push authorization (dry-run)..."
+ git push --dry-run origin "HEAD:${{ steps.pr.outputs.branch }}"
echo "Push credentials verified."📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Verify push credentials | |
| run: | | |
| echo "Remote URL: $(git remote get-url origin)" | |
| echo "Credential helper configured by checkout — testing ls-remote..." | |
| git ls-remote --exit-code origin HEAD > /dev/null 2>&1 | |
| echo "Push credentials verified." | |
| - name: Verify push credentials | |
| run: | | |
| echo "Remote URL: $(git remote get-url origin)" | |
| echo "Credential helper configured by checkout — testing push authorization (dry-run)..." | |
| git push --dry-run origin "HEAD:${{ steps.pr.outputs.branch }}" | |
| echo "Push credentials verified." |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/reusable-claude-on-pr.yaml around lines 83 - 88, The
“Verify push credentials” step only validates read access via git ls-remote in
the workflow, so it can succeed even when later git push fails; update this
check in the reusable-claude-on-pr workflow to verify actual push authorization
using the same origin remote, and keep stderr visible so failures provide
diagnostics. Use the existing “Verify push credentials” step and its git
remote/origin setup to replace the read-only probe with a push-oriented
validation.
|
@bryan-cox: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Test Failure Analysis CompleteJob Information
Test Failure AnalysisErrorSummaryThe Root CauseThe failure is a false positive — the PR does not cause any coverage regression. Codecov's default project-level check uses an The PR branch includes 59 commits from Since the PR itself adds zero coverable lines (only a Markdown rule file and a YAML workflow file), it has no ability to influence the coverage percentage in either direction. The check is penalizing this PR for code coverage debt introduced by unrelated merges to Recommendations
Evidence
|
|
This sounds like something that could be fixed in the environment with positive language as opposed to rules that tell it not to do those things that may be brittle/ignored. Do you have an example of this happening? |
Summary
PUSH_TOKEN,PR_REPO, andPR_BRANCHenv vars to the Claude step so it has the correct token for fork pushes (distinct fromGH_TOKEN).claude/rules/ci-git-push.mdinstructing Claude to never modify git remote URLs in CIContext
When the
address-review-commentsworkflow runs on a PR fromhypershift-community/hypershift,actions/checkoutconfigures the credential helper with a GitHub App token viapersist-credentials: true. Claude was overwriting the remote URL with$GH_TOKEN(github.token) when push attempts timed out, destroying the working credential config. All subsequent pushes failed with"Invalid username or token".See PR #8211 comment for the failed run.
Test plan
/address-review-commentson a PR fromhypershift-community/hypershiftand verify push succeedsVerify push credentialsstep passes in the workflow logsopenshift/hypershiftforks) still work🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes