fix: improve git token resolution and resilience in repo pods #525
Merged
jonwiggins merged 1 commit into jonwiggins:main from May 4, 2026
- add fallback to find any available GITHUB_TOKEN when workspace context is missing
- propagate workspace context to GitHub token lookup in git-token-service
- resolve AAD decryption failures during system-level repo initialization
jonwiggins added a commit that referenced this pull request May 4, 2026

POST /api/secrets was threading the caller's workspaceId into storeSecret regardless of scope, so picking "Global" in the setup UI wrote contradictory (scope='global', workspace_id='ws-X') rows. AAD-bound retrieval from workspace-less callers (repo-init, /api/internal/git-credentials, the workflow trigger worker) then auth-tag-failed on decrypt — observed as hangs and 500s when adding a repo or starting a session.

- storeSecret now rejects scope='global' with a non-null workspaceId
- routes/secrets.ts strips workspaceId on the global write path (and treats omitted scope as global up front so the rule applies uniformly)
- new healContradictoryGlobalSecrets() runs at boot inside a pg_advisory_lock to re-encrypt existing bad rows under the canonical global AAD; rows shadowed by a true global row are dropped to avoid PG's NULLS-distinct UNIQUE behavior creating duplicates
- revert PR #525's "find any GITHUB_TOKEN, borrow its workspace_id" fallback in getServerToken — now unnecessary and itself nondeterministic
- audit log + response use effectiveScope (not input.scope) so user→global downgrade in auth-disabled mode is reported truthfully
- per-row INFO log on heal so an operator can audit which secrets crossed workspace boundaries

The DB-side CHECK constraint is intentionally deferred to a follow-up so it doesn't 500 in-flight POST /api/secrets calls during a rolling deploy of this change.
jplorier pushed a commit to jplorier/optio that referenced this pull request May 5, 2026

…gins#525)

- add fallback to find any available GITHUB_TOKEN when workspace context is missing
- propagate workspace context to GitHub token lookup in git-token-service
- resolve AAD decryption failures during system-level repo initialization

Co-authored-by: Ramesh Nethi <r.nethi@gogatewayai.com>
jplorier pushed a commit to jplorier/optio that referenced this pull request May 5, 2026

…nwiggins#509)

POST /api/secrets was threading the caller's workspaceId into storeSecret regardless of scope, so picking "Global" in the setup UI wrote contradictory (scope='global', workspace_id='ws-X') rows. AAD-bound retrieval from workspace-less callers (repo-init, /api/internal/git-credentials, the workflow trigger worker) then auth-tag-failed on decrypt — observed as hangs and 500s when adding a repo or starting a session.

- storeSecret now rejects scope='global' with a non-null workspaceId
- routes/secrets.ts strips workspaceId on the global write path (and treats omitted scope as global up front so the rule applies uniformly)
- new healContradictoryGlobalSecrets() runs at boot inside a pg_advisory_lock to re-encrypt existing bad rows under the canonical global AAD; rows shadowed by a true global row are dropped to avoid PG's NULLS-distinct UNIQUE behavior creating duplicates
- revert PR jonwiggins#525's "find any GITHUB_TOKEN, borrow its workspace_id" fallback in getServerToken — now unnecessary and itself nondeterministic
- audit log + response use effectiveScope (not input.scope) so user→global downgrade in auth-disabled mode is reported truthfully
- per-row INFO log on heal so an operator can audit which secrets crossed workspace boundaries

The DB-side CHECK constraint is intentionally deferred to a follow-up so it doesn't 500 in-flight POST /api/secrets calls during a rolling deploy of this change.
Summary

- git clone hangs during repo pod initialization due to AAD (Additional Authenticated Data) decryption failures when a workspace context is missing. This seems to happen after GITHUB tokens started getting stored by default with workspaceId.
- getServerToken to proactively find any available GITHUB_TOKEN in the database and use its workspace context as a decryption anchor.
- git-token-service to correctly propagate workspaceId when resolving tokens.

Changes

- apps/api/src/services/github-token-service.ts: Implemented a "smarter" lookup that identifies any valid token to anchor decryption for system-level requests (like repo-init.sh).
- apps/api/src/services/git-token-service.ts: Updated getGitToken to pass through the workspace context.

Test Validation

- apps/api/src/services/github-token-service.test.ts to include the secrets table in database mocks.
- .limit(1) and async iterator results for Drizzle queries.
- "falls back to any available PAT when GitHub App not configured (server context, no workspaceId)" to verify the fix.
- @ts-ignore to @ts-expect-error).
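
The failure described in the summary and in the follow-up commit message, as an added JavaScript (Node.js) example that is not code from this pull request or from the project: AES-256-GCM with the workspace bound into the AAD, a contradictory global row that a workspace-less caller cannot decrypt, the write-path check, and a re-encryption repair. The AAD layout and the names aadFor, assertScope, seal, unseal, heal and opens are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed AAD layout for this sketch: the secret name plus the bound workspace (null = global).
function aadFor(name, workspaceId) {
  return Buffer.from(JSON.stringify([name, workspaceId ?? null]), "utf8");
}

// Write-path rule from the commit message: a global secret never carries a workspaceId.
function assertScope(scope, workspaceId) {
  if (scope === "global" && workspaceId != null) {
    throw new Error("scope='global' requires workspaceId to be null");
  }
}

function seal(key, row, plaintext, enforce = true) {
  if (enforce) assertScope(row.scope, row.workspaceId);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aadFor(row.name, row.workspaceId));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { ...row, iv, ct, tag: cipher.getAuthTag() };
}

// The reader rebuilds the AAD from its own context; a mismatch makes final() throw.
function unseal(key, stored, callerWorkspaceId) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, stored.iv);
  decipher.setAAD(aadFor(stored.name, callerWorkspaceId));
  decipher.setAuthTag(stored.tag);
  return Buffer.concat([decipher.update(stored.ct), decipher.final()]).toString("utf8");
}

// Repair: decrypt under the AAD the row was written with, re-seal as a true global row.
function heal(key, stored) {
  if (stored.scope !== "global" || stored.workspaceId == null) return stored;
  const plaintext = unseal(key, stored, stored.workspaceId);
  return seal(key, { name: stored.name, scope: "global", workspaceId: null }, plaintext);
}

function opens(key, stored, callerWorkspaceId) {
  try { unseal(key, stored, callerWorkspaceId); return true; } catch { return false; }
}

// Constructed sample data: a row written the old way (scope='global', workspace_id='ws-X').
const KEY = crypto.randomBytes(32);
const badRow = seal(KEY, { name: "GITHUB_TOKEN", scope: "global", workspaceId: "ws-X" },
  "constructed-token-value", false);
console.log("workspace-less read of contradictory row:", opens(KEY, badRow, null));
console.log("workspace-less read after heal:", opens(KEY, heal(KEY, badRow), null));
```
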