fix(runner): update GITHUB_TOKEN for gh CLI after credential refresh #1185
Open
ambient-code[bot] wants to merge 1 commit into main from
…1135)

When GITHUB_TOKEN expires mid-session, the refresh_credentials MCP tool refreshes backend credentials and writes the fresh token to a file that the git credential helper reads. However, the gh CLI prioritises the GITHUB_TOKEN env var (stale in the subprocess) over all other credential sources, causing 401 errors.

Add a gh CLI wrapper script (same pattern as the existing git credential helper) that reads the fresh token from /tmp/.ambient_github_token and exports GH_TOKEN before exec-ing the real gh binary. The wrapper is installed by populate_runtime_credentials() and prepended to PATH so it intercepts all gh invocations in the subprocess.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- gh CLI operations fail with 401 after mid-session credential refresh because the subprocess's GITHUB_TOKEN env var is stale
- gh CLI wrapper script (/tmp/bin/gh) that reads the fresh token from /tmp/.ambient_github_token and exports GH_TOKEN before exec-ing the real gh binary
- populate_runtime_credentials() and prepended to PATH so it intercepts all gh invocations in the CLI subprocess

How it works
The CLI subprocess environment is fixed at spawn time. When refresh_credentials runs mid-session, os.environ["GITHUB_TOKEN"] is updated in the runner process but NOT in the subprocess. The git credential helper already solved this for git by reading from a token file. This PR applies the same solution for gh:
- install_gh_wrapper() writes a shell script to /tmp/bin/gh
- /tmp/.ambient_github_token (already written on every refresh)
- GH_TOKEN (which takes precedence over GITHUB_TOKEN)
- gh binary, skipping its own directory

Test plan
- test_install_creates_executable_wrapper — verifies the wrapper is created and executable
- test_install_prepends_to_path — verifies /tmp/bin is prepended to PATH
- test_install_is_idempotent — verifies repeated calls don't duplicate PATH entries
- test_populate_installs_gh_wrapper — verifies populate_runtime_credentials() installs the wrapper

🤖 Generated with Claude Code
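The wrapper flow described under "How it works", written out as an added example; it is not the script from this PR. Only the token path and the GH_TOKEN export come from the PR text. The function names, and the refusal of a token file that is a symlink, owned by another user, or accessible to group/other, are assumptions of this sketch.

```shell
#!/bin/sh
# Added sketch of a gh wrapper; not the script from this PR.
# TOKEN_FILE is the path named in the PR text. Function names and the
# ownership/permission checks are assumptions of this example.
TOKEN_FILE="${TOKEN_FILE:-/tmp/.ambient_github_token}"

# Print the first executable gh on PATH whose directory is not $1 (the
# wrapper's own, canonical directory), so the wrapper never re-execs itself.
find_real_gh() {
    skip=$1; rest=$PATH:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -n "$dir" ] || continue
        canon=$(cd "$dir" >/dev/null 2>&1 && pwd -P) || continue
        [ "$canon" = "$skip" ] && continue
        if [ -f "$dir/gh" ] && [ -x "$dir/gh" ]; then
            printf '%s\n' "$dir/gh"; return 0
        fi
    done
    return 1
}

# Print the token in file $1 only if it is a regular file (not a symlink),
# owned by the current user, with no group/other permission bits set.
read_fresh_token() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld "$1") in
        -r[w-]-------*) ;;
        *) return 1 ;;
    esac
    token=$(tr -d '\r\n' < "$1") && [ -n "$token" ] && printf '%s' "$token"
}

main() {
    self_dir=$(cd "$(dirname "$0")" >/dev/null 2>&1 && pwd -P) || exit 127
    real_gh=$(find_real_gh "$self_dir") || { echo "gh: real binary not found" >&2; exit 127; }
    # GH_TOKEN takes precedence over GITHUB_TOKEN (per the PR text), so a
    # stale GITHUB_TOKEN inherited at spawn time is overridden here.
    if fresh=$(read_fresh_token "$TOKEN_FILE"); then
        GH_TOKEN=$fresh; export GH_TOKEN
    fi
    exec "$real_gh" "$@"
}

# Run only when installed under the name "gh"; sourcing defines functions only.
case "${0##*/}" in gh) main "$@" ;; esac
```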