Skip to content

fix(miner): thread githubToken/apiBaseUrl into the PR-disposition poll#5320

Merged
JSONbored merged 1 commit into
mainfrom
fix/loop-pr-disposition-github-token
Jul 12, 2026
Merged

fix(miner): thread githubToken/apiBaseUrl into the PR-disposition poll#5320
JSONbored merged 1 commit into
mainfrom
fix/loop-pr-disposition-github-token

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

Follow-up to #5303 (merged before this fix could land on the branch, per the review comment below): runLoop's call to pollPrDispositionFn was only ever passed options.prDispositionOptions, so the production loop command never actually threaded a GitHub token or apiBaseUrl into the PR-disposition poller — unlike runDiscoveryOnce's own call, which already does. Unlike runDiscover, pollPrDisposition has no process.env.GITHUB_TOKEN fallback of its own, so every real PR-disposition poll ran unauthenticated: hitting GitHub's much lower unauthenticated rate limit, and failing outright against any private repo.

packages/gittensory-miner/lib/loop-cli.js:370 calls pollPrDispositionFn(claimed.repoFullName, prNumber, options.prDispositionOptions ?? {}), so the production loop command never passes githubToken or apiBaseUrl into the new PR-disposition poller

Fix

Resolves githubToken once at the CLI-entrypoint layer (mirroring manage-poll.js's own runManagePoll, which reads process.env.GITHUB_TOKEN at the top level and threads it down explicitly to every real GitHub caller), and passes it into both the discovery call and the disposition poll. prDispositionOptions can still override it, matching the existing precedence pattern.

Test plan

  • New regression assertion: pollPrDispositionSpy is called with expect.objectContaining({ githubToken: "ghp_loop_test" }), resolved from env.GITHUB_TOKEN — fails without the fix, passes with it.
  • npx vitest run test/unit — 735 files / 14,561 tests pass
  • npx tsc --noEmit -p . --incremental false (fresh, no cache) — clean
  • npm run test:engine-parity — pass
  • npm run --prefix packages/gittensory-miner build — pass
  • git diff --check — clean

Advances #5135

pollPrDispositionFn was called with only options.prDispositionOptions,
so the production `loop` command never actually passed a GitHub
token or apiBaseUrl into the poller -- unlike runDiscoveryOnce's own
call, which already threads them through. pollPrDisposition (unlike
runDiscover) has no process.env.GITHUB_TOKEN fallback of its own, so
every real PR-disposition poll would have silently run unauthenticated,
hitting GitHub's much lower rate limit and failing outright against
any private repo.

Resolves githubToken once at the CLI-entrypoint layer (mirroring
manage-poll.js's own runManagePoll), and threads it into both the
discovery call and the disposition poll -- prDispositionOptions can
still override it, matching the existing precedence pattern.
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gittensory-ui 851c665 Commit Preview URL

Branch Preview URL
Jul 12 2026, 01:54 PM

@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.37%. Comparing base (dc6fa7a) to head (851c665).
⚠️ Report is 8 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5320   +/-   ##
=======================================
  Coverage   94.37%   94.37%           
=======================================
  Files         474      474           
  Lines       40128    40128           
  Branches    14631    14631           
=======================================
  Hits        37871    37871           
  Misses       1582     1582           
  Partials      675      675           
Flag Coverage Δ
shard-1 46.28% <ø> (-0.28%) ⬇️
shard-2 34.74% <ø> (+0.06%) ⬆️
shard-3 32.17% <ø> (+0.07%) ⬆️
shard-4 32.09% <ø> (-0.15%) ⬇️
shard-5 33.38% <ø> (-0.11%) ⬇️
shard-6 45.14% <ø> (+0.30%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@JSONbored JSONbored self-assigned this Jul 12, 2026
@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 14:15:11 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
This PR threads a githubToken resolved once from options.githubToken ?? env.GITHUB_TOKEN into both the discovery call and the previously-unauthenticated pollPrDispositionFn call in loop-cli.js's runLoop, matching the precedent pattern in manage-poll.js. The claimed bug is real and verifiable: before this diff, line 370 (now ~388) only spread options.prDispositionOptions into pollPrDispositionFn, never options.githubToken or options.apiBaseUrl, so a real loop run would poll PR disposition unauthenticated even when a token was configured. The fix correctly resolves githubToken once at the entrypoint (env read via options.env ?? process.env, matching existing DI conventions in the file), and the regression test asserts pollPrDispositionSpy is called with expect.objectContaining({ githubToken: "ghp_loop_test" }), which fails without the fix and passes with it — a real, non-fabricated regression test since apiBaseUrl and prDispositionOptions can still override.

Nits — 5 non-blocking
  • The spread order `{ githubToken, apiBaseUrl, ...(options.prDispositionOptions ?? {}) }` at loop-cli.js:388 lets prDispositionOptions silently override githubToken/apiBaseUrl with no logging — worth a one-line comment noting this is intentional override precedence (as the PR description says), matching what's already stated for discovery.
  • Consider also asserting apiBaseUrl threading in the same regression test for symmetry with the githubToken assertion, since both were previously dropped.
  • nit: packages/gittensory-miner/lib/loop-cli.js:238 has a long explanatory comment that repeats the PR description; consider trimming it to the local invariant so the hot path stays easier to scan.
  • nit: test/unit/miner-loop-cli.test.ts:237 only asserts `githubToken`, so the new `apiBaseUrl` threading and `prDispositionOptions` override precedence are not directly pinned.
  • packages/gittensory-miner/lib/loop-cli.js:238 could keep the comment to the exact behavior: `const githubToken = options.githubToken ?? env.GITHUB_TOKEN ?? "";` is the CLI-level fallback for callees without their own env read.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 44 registered-repo PR(s), 36 merged, 476 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 44 PR(s), 476 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 44 PR(s), 476 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 12, 2026
@JSONbored JSONbored merged commit 776d59c into main Jul 12, 2026
20 checks passed
@JSONbored JSONbored deleted the fix/loop-pr-disposition-github-token branch July 12, 2026 14:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

Development

Successfully merging this pull request may close these issues.

1 participant