fix(#2814): retry git fetch without token on auth failure#2815
Conversation
When FetchTree is called with a token scoped to repo A but the target repository is public repo B, GitHub rejects the authenticated request instead of allowing anonymous access. This regression was introduced in PR #2736 which replaced the GitHub Contents API with git sparse checkout. Add an unauthenticated retry fallback in FetchTree: when git fetch fails with an auth-related error (401, 403, "could not read Username", etc.) and a token was provided, retry the fetch without the Authorization header. If the retry succeeds, subsequent git commands (checkout) also run unauthenticated. This restores cross-repo skill directory fetching for config-registered agents (ADR-0058) whose skills live in a different public repo than the minted token's scope. Note: pre-commit could not run in the sandbox due to a shellcheck installation failure (network policy). go vet and all unit tests pass. Closes #2814
E2E tests did not runE2E tests run automatically for org/repo members and collaborators on pull requests. For other contributors, a maintainer must add the See E2E testing guide for details. |
Site previewPreview: https://ccdbf58a-site.fullsend-ai.workers.dev Commit: |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|
/fs-fix fix so the code coverage test passes, making sure coverage >= 80% |
|
🤖 Finished Fix · ✅ Success · Started 2:34 AM UTC · Completed 2:45 AM UTC |
…shold Add TestFetchTree_AuthFallbackHTTP which uses a local HTTPS test server (via git-http-backend) that rejects authenticated requests with 403, exercising the auth-retry fallback path in FetchTree (lines 83-91). This raises patch coverage from ~75% to 100% on the changed lines. Addresses review feedback on #2815
🔧 Fix agent — iteration 1 (human-triggered)Added an integration test using a local HTTPS git server that rejects authenticated requests, exercising the auth fallback retry path in FetchTree. All changed lines in gitfetch.go now have test coverage. Overall package coverage rose from 85.2% to 87.7%. Fixed (1):
Tests: passed Updated by fullsend fix agent |
|
🤖 Finished Retro · ✅ Success · Started 3:03 AM UTC · Completed 3:13 AM UTC |
Retro: PR #2815 — fix(#2814): retry git fetch without token on auth failureTimeline: Issue #2814 was filed at 02:04 UTC reporting that Workflow quality: Overall strong. The code agent produced a correct fix with good error-pattern matching and a clean retry mechanism. The fix agent's contribution (a real HTTPS server test exercising the fallback path) was high-quality. The total rework was one fix agent iteration, triggered by the human, not by review feedback. Improvement opportunities identified (all already tracked):
No new proposals filed — all identified improvements are already covered by open issues. |
When FetchTree is called with a token scoped to repo A but the target repository is public repo B, GitHub rejects the authenticated request instead of allowing anonymous access. This regression was introduced in PR #2736 which replaced the GitHub Contents API with git sparse checkout.
Add an unauthenticated retry fallback in FetchTree: when git fetch fails with an auth-related error (401, 403, "could not read Username", etc.) and a token was provided, retry the fetch without the Authorization header. If the retry succeeds, subsequent git commands (checkout) also run unauthenticated.
This restores cross-repo skill directory fetching for config-registered agents (ADR-0058) whose skills live in a different public repo than the minted token's scope.
Note: pre-commit could not run in the sandbox due to a shellcheck installation failure (network policy). go vet and all unit tests pass.
Closes #2814
Post-script verification
agent/2814-gitfetch-auth-fallback)ce784b4ead93663aeaa35fd150fd9da7b2d27227..HEAD)