fix test token scoping: override GITHUB_TOKEN via OIDC in ensureGitHubToken
the runner's GITHUB_TOKEN (scoped to pullfrog/app) was leaking into test subprocesses targeting pullfrog/test-repo, causing 400s from the Pullfrog API on run-context fetches. instead of deleting GITHUB_TOKEN from the subprocess env, ensureGitHubToken now always mints a fresh OIDC token scoped to GITHUB_REPOSITORY when OIDC is available — replacing any inherited token with a correctly-scoped one. also adds an informative throw in acquireTokenViaGitHubApp when GITHUB_APP_ID/GITHUB_PRIVATE_KEY are missing. Made-with: Cursor
This commit is contained in:
committed by
pullfrog[bot]
parent
4a8c432a48
commit
250fe7eaa1
@@ -25898,10 +25898,15 @@ var findInstallationId = async (jwt, repoOwner, repoName) => {
|
||||
);
|
||||
};
|
||||
async function acquireTokenViaGitHubApp(opts) {
|
||||
if (!process.env.GITHUB_APP_ID || !process.env.GITHUB_PRIVATE_KEY) {
|
||||
throw new Error(
|
||||
"cannot acquire token via GitHub App: GITHUB_APP_ID and GITHUB_PRIVATE_KEY must be set"
|
||||
);
|
||||
}
|
||||
const repoContext = parseRepoContext();
|
||||
const config = {
|
||||
appId: process.env.GITHUB_APP_ID,
|
||||
privateKey: process.env.GITHUB_PRIVATE_KEY?.replace(/\\n/g, "\n"),
|
||||
privateKey: process.env.GITHUB_PRIVATE_KEY.replace(/\\n/g, "\n"),
|
||||
repoOwner: repoContext.owner,
|
||||
repoName: repoContext.name
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user