fix(vcs): clear stale git credentials before GitHub push#80
Open
fshehadeh-sfl wants to merge 3 commits into
Open
fix(vcs): clear stale git credentials before GitHub push#80fshehadeh-sfl wants to merge 3 commits into
fshehadeh-sfl wants to merge 3 commits into
Conversation
The agent container shares /workspace with gh/copilot CLI tooling, which may leave a residual http.<host>.extraheader or credential.helper configured against the same token used by the Copilot integration. This shadows the explicit URL credentials used by pushDirectInVolume() and GitHub rejects the push with a generic auth error, even when the push token itself is valid. Clear any stale extraheader and disable credential.helper for the push invocation so only the explicit token in the push URL is used.
There was a problem hiding this comment.
Pull request overview
This PR hardens the GitHub VCS “push-from-volume” path against residual Git credential configuration left behind in the shared /workspace volume (e.g., http.<url>.extraheader and credential helpers), which can override the explicit token-in-URL used for pushes and cause intermittent GitHub auth failures.
Changes:
- In
pushDirectInVolume(), clears anyhttp.https://<host>/.extraheaderentry before pushing and disablescredential.helperfor that push invocation. - Adds unit coverage for the new pre-push cleanup behavior and the volume-push failure path.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/vcs/githubVcsConnector.ts | Unsets stale Git http.*.extraheader for the push host and disables credential.helper for the push command in volume-based pushes. |
| tests/unit/githubVcsConnector.test.ts | Adds tests asserting the cleanup commands are included for volume pushes and that volume push failures throw. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes intermittent
Invalid username or token. Password authentication is not supported for Git operations.failures when pushing code-gen changes to GitHub, even with a valid, freshly-reconnected push token.Root cause
The agent's coding session shares the same Docker volume (
/workspace) withgh/Copilot CLI tooling, which has its ownGITHUB_TOKEN(belonging to the Copilot integration, a different token than the GitHub push integration). That tooling can leave a residualhttp.<host>.extraheaderand/or a configuredcredential.helperin/workspace/.git/config. Git sendshttp.extraheaderregardless of URL-embedded credentials, so the stale header shadows the explicit push credentials inpushDirectInVolume()and GitHub rejects the request with a generic auth error — independent of whether the push token itself is valid.Confirmed empirically: a manual OAuth device-flow +
git pushwith the identical client/scope/URL format, run outside any container, succeeded — proving the push token and GitHub-side permissions were never the problem.Fix
pushDirectInVolume()(src/vcs/githubVcsConnector.ts) now, before pushing:http.<host>.extraheaderfor the target hostcredential.helperfor that single push invocation (git -c credential.helper=)This forces git to rely solely on the explicit token embedded in the push URL, regardless of what
gh/Copilot CLI may have configured during the agent's run.Validation
npm run typecheck— zero errorsnpm run lint— cleannpx vitest run tests/unit/githubVcsConnector.test.ts— 18 passed (2 new: asserts the cleanup commands are present, and that volume push failures still throw a redacted error)