
fix(#2814): retry git fetch without token on auth failure #2815

Merged: ggallen merged 2 commits into main from agent/2814-gitfetch-auth-fallback on Jul 1, 2026

@fullsend-ai-coder

Contributor

When FetchTree is called with a token scoped to repo A but the target repository is public repo B, GitHub rejects the authenticated request instead of allowing anonymous access. This regression was introduced in PR #2736 which replaced the GitHub Contents API with git sparse checkout.

Add an unauthenticated retry fallback in FetchTree: when git fetch fails with an auth-related error (401, 403, "could not read Username", etc.) and a token was provided, retry the fetch without the Authorization header. If the retry succeeds, subsequent git commands (checkout) also run unauthenticated.

This restores cross-repo skill directory fetching for config-registered agents (ADR-0058) whose skills live in a different public repo than the minted token's scope.

Note: pre-commit could not run in the sandbox due to a shellcheck installation failure (network policy). go vet and all unit tests pass.


Closes #2814

Post-script verification

  • Branch is not main/master (agent/2814-gitfetch-auth-fallback)
  • Secret scan passed (gitleaks — ce784b4ead93663aeaa35fd150fd9da7b2d27227..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox
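
The retry rule described above, as an added example; it is not the project's gitfetch.go. The names `authMarkers`, `isAuthFailure`, `fetchFn` and `fetchWithFallback` are hypothetical, and the `fetch` callback stands in for the real git invocation so the decision logic runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// authMarkers: the three patterns named in the PR text (its "etc." is not expanded).
var authMarkers = []string{"401", "403", "could not read username"}

// isAuthFailure reports whether git's stderr looks like an auth rejection.
func isAuthFailure(stderr string) bool {
	s := strings.ToLower(stderr)
	for _, m := range authMarkers {
		if strings.Contains(s, m) {
			return true
		}
	}
	return false
}

// fetchFn runs one git fetch; an empty token means no Authorization header.
type fetchFn func(token string) (stderr string, err error)

// fetchWithFallback returns the token later git commands (checkout) must use.
// It retries anonymously only if a token was sent AND the failure looks auth-related.
func fetchWithFallback(fetch fetchFn, token string) (string, error) {
	stderr, err := fetch(token)
	if err == nil {
		return token, nil
	}
	if token == "" || !isAuthFailure(stderr) {
		return "", fmt.Errorf("git fetch: %w", err)
	}
	if _, retryErr := fetch(""); retryErr != nil {
		return "", fmt.Errorf("git fetch (unauthenticated retry): %w", retryErr)
	}
	return "", nil // fetched anonymously: keep the token out of later commands
}

func main() {
	// Constructed stand-in: the host answers 403 whenever a token is sent.
	public := func(token string) (string, error) {
		if token != "" {
			return "fatal: The requested URL returned error: 403", fmt.Errorf("exit status 128")
		}
		return "", nil
	}
	tok, err := fetchWithFallback(public, "constructed-token")
	fmt.Printf("token dropped=%v err=%v\n", tok == "", err)
}
```

Bare substrings such as "403" can also match unrelated text in stderr (a path or object name), so a stricter matcher would key on the full phrase git prints, for example "returned error: 403". A retry that fails leaves the fetch failed, so a private repository outside the token's scope stays inaccessible.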

@fullsend-ai-coder fullsend-ai-coder Bot requested a review from a team as a code owner July 1, 2026 02:20
@fullsend-ai-coder fullsend-ai-coder Bot added the ready-for-review Agent PR ready for human review label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026


E2E tests did not run

E2E tests run automatically for org/repo members and collaborators on pull requests.

For other contributors, a maintainer must add the ok-to-test label after the latest push.

See E2E testing guide for details.

@github-actions

github-actions Bot commented Jul 1, 2026


Site preview

Preview: https://ccdbf58a-site.fullsend-ai.workers.dev

Commit: 20a791fcaac834a7c44bf9dcf506e1f86d9a0179

@codecov

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@ggallen

ggallen commented Jul 1, 2026

Member

/fs-fix fix so the code coverage test passes, making sure coverage >= 80%

@fullsend-ai-coder

fullsend-ai-coder Bot commented Jul 1, 2026

Contributor Author

🤖 Finished Fix · ✅ Success · Started 2:34 AM UTC · Completed 2:45 AM UTC
Commit: e6b1ae3 · View workflow run →

…shold

Add TestFetchTree_AuthFallbackHTTP which uses a local HTTPS test server
(via git-http-backend) that rejects authenticated requests with 403,
exercising the auth-retry fallback path in FetchTree (lines 83-91).
This raises patch coverage from ~75% to 100% on the changed lines.

Addresses review feedback on #2815
@fullsend-ai-coder

Contributor Author

🔧 Fix agent — iteration 1 (human-triggered)

Added an integration test using a local HTTPS git server that rejects authenticated requests, exercising the auth fallback retry path in FetchTree. All changed lines in gitfetch.go now have test coverage. Overall package coverage rose from 85.2% to 87.7%.

Fixed (1):

  1. patch coverage below 80% threshold on auth fallback lines: Added TestFetchTree_AuthFallbackHTTP test that uses a local HTTPS server (via git-http-backend + httptest.NewTLSServer) to reject authenticated requests with 403, forcing FetchTree to exercise the auth-retry fallback path (lines 83-91). This raises patch coverage on changed lines from ~75% to 100%.

Tests: passed

Updated by fullsend fix agent

@ggallen ggallen added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit 3ac16b3 Jul 1, 2026
15 checks passed
@ggallen ggallen deleted the agent/2814-gitfetch-auth-fallback branch July 1, 2026 02:59
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jul 1, 2026


🤖 Finished Retro · ✅ Success · Started 3:03 AM UTC · Completed 3:13 AM UTC
Commit: 20a791f · View workflow run →

@fullsend-ai-retro


Retro: PR #2815 — fix(#2814): retry git fetch without token on auth failure

Timeline: Issue #2814 was filed at 02:04 UTC reporting that git fetch fails when GH_TOKEN is scoped to a different repo than the skill source. The triage agent ran immediately (02:04), followed by the code agent (02:10), which opened PR #2815 at 02:20 with auth-fallback retry logic and unit tests. However, patch coverage was below the 80% threshold, so the human (ggallen) triggered /fs-fix at 02:31 to improve coverage. The fix agent added an HTTP-based integration test by 02:42, bringing coverage to 100% on changed lines. The human approved at 02:49, and the PR merged at 02:59 — 55 minutes end-to-end.

Workflow quality: Overall strong. The code agent produced a correct fix with good error-pattern matching and a clean retry mechanism. The fix agent's contribution (a real HTTPS server test exercising the fallback path) was high-quality. The total rework was one fix agent iteration, triggered by the human, not by review feedback.

Improvement opportunities identified (all already tracked):

  1. Code agent should meet coverage threshold before opening PR — The code agent's initial commit had ~75% patch coverage, requiring human intervention to trigger the fix agent. This is already tracked in #2810 ("Code agent should validate patch coverage meets repo threshold before opening PR").

  2. Review agent never dispatched — No review agent ran on this agent-authored PR. The pull_request_target shim runs completed successfully, but no review.yml run was created in the dispatch repo. This is likely the authorization gate issue described in #2674 ("dispatch: ADR 0054 authorization gate blocks review dispatch for coder-bot PRs"). The related issue #2637 ("Review agent should always leave a visible trace on agent-authored PRs") also applies.

  3. Silent review skip — The review dispatch was skipped with no user-visible feedback, which is tracked in #2724 ("Post user-visible feedback when /fs-review dispatch is skipped").

No new proposals filed — all identified improvements are already covered by open issues.


Development

Successfully merging this pull request may close these issues.

gitfetch: skill directory fetch fails when GH_TOKEN is scoped to a different repo than the skill source
