fix test token scoping: override GITHUB_TOKEN via OIDC in ensureGitHubToken
the runner's GITHUB_TOKEN (scoped to pullfrog/app) was leaking into test subprocesses targeting pullfrog/test-repo, causing 400s from the Pullfrog API on run-context fetches. instead of deleting GITHUB_TOKEN from the subprocess env, ensureGitHubToken now always mints a fresh OIDC token scoped to GITHUB_REPOSITORY when OIDC is available — replacing any inherited token with a correctly-scoped one. also adds an informative throw in acquireTokenViaGitHubApp when GITHUB_APP_ID/GITHUB_PRIVATE_KEY are missing. Made-with: Cursor
This commit is contained in:
committed by
pullfrog[bot]
parent
4a8c432a48
commit
250fe7eaa1
@@ -216,10 +216,6 @@ export async function runAgentStreaming(options: RunStreamingOptions): Promise<A
|
||||
GITHUB_OUTPUT: githubOutputFile,
|
||||
};
|
||||
|
||||
// clear CI runner's GITHUB_TOKEN so ensureGitHubToken() mints a
|
||||
// properly scoped token for the target GITHUB_REPOSITORY via OIDC
|
||||
delete subEnv.GITHUB_TOKEN;
|
||||
|
||||
const child = spawn("node", ["play.ts", "--raw", JSON.stringify(fixture)], {
|
||||
cwd: actionDir,
|
||||
env: subEnv as Record<string, string>,
|
||||
|
||||
Reference in New Issue
Block a user