
Fix @claude branch push authentication #526

Merged
d-morrison merged 1 commit into main from claude/fix-pr-branch-push-auth
May 27, 2026

@d-morrison

Member

Summary

Follow-up to #523. The verification PR (#525) confirmed the @claude agent correctly checks out the PR branch and commits (the finding #1 concern), but the push failed on auth:

remote: Invalid username or token. Password authentication is not supported for Git operations.
fatal: Authentication failed for 'https://github.com/UCD-SERG/serocalculator.git/'

After gh pr checkout (and the agent step's own git activity), actions/checkout's persisted credential extraheader isn't applied, so git push origin falls back to unsupported password auth.

Fix: push with an explicit https://x-access-token:${GH_TOKEN}@github.com/... URL in both push steps (PR-branch push and issue-branch push).

Test plan

🤖 Generated with Claude Code

Verification PR #525 showed the agent correctly checks out the PR branch
and commits, but the push failed: after gh pr checkout (and the agent's
own git activity) actions/checkout's persisted credential isn't applied,
so git push origin fell back to unsupported password auth. Push with an
explicit x-access-token URL instead, for both the PR-branch and
issue-branch push steps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 27, 2026 02:22
@claude

claude Bot commented May 27, 2026

Contributor

Claude finished @d-morrison's task in 1m 7s


Code Review: PR #526 — Fix @claude branch push authentication

Summary: The fix is correct, minimal, and well-explained. No blocking issues found.


What the PR does

After gh pr checkout (or the agent step's own git activity), the actions/checkout-persisted http.extraheader credential is no longer applied, causing git push origin to fall back to unsupported password auth. The fix replaces both bare git push origin calls with an explicit https://x-access-token:${GH_TOKEN}@github.com/<repo>.git URL — the standard workaround for this class of GitHub Actions auth problem.


Review findings

No blocking issues. The two findings below are observations/minor suggestions only.

1. Token in the push URL — log masking is fine, but worth documenting

.github/workflows/claude.yml lines 270 and 440:

git push "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" ...

GH_TOKEN resolves from secrets.GITHUB_TOKEN, so GitHub Actions will mask the literal token value in log output. The URL won't be persisted to .git/config (it's an inline argument, not a git remote set-url call). This is the canonical pattern and is safe on ephemeral runners.

If you wanted to be extra careful against edge-case exposure (e.g. git printing the URL in a verbose error), you could use git remote set-url to swap the URL in and back out, or a url.<base>.insteadOf config block — but that's a quality-of-life preference, not a security requirement here.

2. Consistency with the git-push.sh helper

The claude-code-action harness ships a git-push.sh helper (used in these task instructions as /home/runner/work/_actions/anthropics/claude-code-action/v1/scripts/git-push.sh). It likely handles this same auth plumbing. Worth checking whether that script would have fixed the PR-branch push too, or whether the two push steps in this file intentionally do their own thing because they happen in workflow post-steps outside the agent's context. No action needed — just something to verify if the fix is ever revisited.


Positive notes

  • Both push sites are updated consistently (PR-branch at line 270, issue-branch at line 440).
  • GH_TOKEN is correctly declared in env: for both steps (lines 247 and 427).
  • Comments at lines 263–269 and 418–421 clearly explain the root cause so future readers don't have to rediscover it.
  • The earlier comment at line 415 ("The checkout uses the persisted GITHUB_TOKEN, so a plain git push origin authenticates.") is correctly updated to remove the now-false claim.
  • Fork guard (lines 257–260) is unaffected — the fork-push warning still fires before the new push URL would be reached, which is the right behavior.

Verdict: Approve and merge. The fix is correct and the PR is clean.
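
A check for the point raised in finding 1 of the review above, as an added example that is not part of the PR or of any comment in this thread: it tests whether a `.git/config` file ends up storing a token-bearing remote URL (the `git remote set-url` case versus the inline-argument case) and redacts URL credentials before a line is logged. The sample config contents, repository name and token value are constructed.

```shell
#!/usr/bin/env bash
# Added example: hygiene checks around a token-in-URL push.
# Repo names, file paths and the token value are constructed placeholders.

# Replace the userinfo part of any http(s) URL on stdin with ***, for use
# before a push command or a git error message is echoed into a log.
redact_url_credentials() {
  sed -E 's#(https?://)[^/@[:space:]]+@#\1***@#g'
}

# Exit 0 if the git config file "$1" stores a remote URL of the form
# scheme://user:secret@host, i.e. a credential that outlives the push.
config_has_embedded_credential() {
  grep -Eq '^[[:space:]]*(url|pushurl)[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+:[^/@[:space:]]+@' "$1"
}

# Write two constructed .git/config samples into directory "$1":
#   inline.config - state after `git push "<url-with-token>" ...` (URL is only an argument)
#   seturl.config - state after `git remote set-url origin <url-with-token>`, never swapped back
write_sample_configs() {
  cat > "$1/inline.config" <<'EOF'
[remote "origin"]
	url = https://github.com/example-org/example-repo.git
	fetch = +refs/heads/*:refs/remotes/origin/*
EOF
  cat > "$1/seturl.config" <<'EOF'
[remote "origin"]
	url = https://x-access-token:CONSTRUCTED_TOKEN@github.com/example-org/example-repo.git
	fetch = +refs/heads/*:refs/remotes/origin/*
EOF
}

demo() {
  local dir f
  dir=$(mktemp -d)
  write_sample_configs "$dir"
  for f in inline seturl; do
    if config_has_embedded_credential "$dir/$f.config"; then
      echo "$f: credential persisted in config"
    else
      echo "$f: clean"
    fi
  done
  echo 'git push "https://x-access-token:CONSTRUCTED_TOKEN@github.com/example-org/example-repo.git" HEAD' \
    | redact_url_credentials
  rm -rf "$dir"
}

demo
```

In a workflow, `config_has_embedded_credential .git/config` can run as a step after the push and fail the job if it returns 0.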

Copilot AI left a comment

Contributor

Pull request overview

Fixes authentication failures when the @claude workflow pushes commits back to GitHub after gh pr checkout, by switching both push paths to use an explicit x-access-token HTTPS remote URL instead of relying on actions/checkout persisted credentials.

Changes:

  • Update the PR-branch push step to git push via https://x-access-token:${GH_TOKEN}@github.com/....
  • Update the issue-trigger branch push step to use the same explicit token URL.

@codecov

codecov Bot commented May 27, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

@d-morrison d-morrison merged commit 2f07e35 into main May 27, 2026
15 of 17 checks passed
@d-morrison d-morrison deleted the claude/fix-pr-branch-push-auth branch May 27, 2026 02:27