auth repo seeding with github app token

joshp123 · joshp123 · commit 7ede0904a53b · 2026-01-08T15:00:49.000+01:00
diff --git a/nix/modules/clawdinator.nix b/nix/modules/clawdinator.nix
@@ -426,7 +426,8 @@ in
     systemd.services.clawdinator = {
       description = "CLAWDINATOR (Clawdbot gateway)";
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+      after = [ "network.target" ] ++ lib.optional cfg.githubApp.enable "clawdinator-github-app-token.service";
+      wants = lib.optional cfg.githubApp.enable "clawdinator-github-app-token.service";
 
       environment = {
         CLAWDBOT_CONFIG_PATH = configPath;
@@ -502,6 +503,10 @@ in
 
     systemd.services.clawdinator-github-app-token = lib.mkIf cfg.githubApp.enable {
       description = "CLAWDINATOR GitHub App token refresh";
+      wantedBy = [ "multi-user.target" ];
+      before = [ "clawdinator.service" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
       serviceConfig = {
         Type = "oneshot";
         User = "root";
diff --git a/scripts/seed-repos.sh b/scripts/seed-repos.sh
@@ -3,6 +3,11 @@ set -euo pipefail
 
 list_file="$1"
 base_dir="$2"
+auth_header=""
+
+if [ -n "${GITHUB_TOKEN:-}" ]; then
+  auth_header="Authorization: Bearer ${GITHUB_TOKEN}"
+fi
 
 if [ ! -f "$list_file" ]; then
   echo "seed-repos: missing repo list: $list_file" >&2
@@ -17,19 +22,32 @@ while IFS=$'\t' read -r name url branch; do
 
   dest="$base_dir/$name"
   if [ ! -d "$dest/.git" ]; then
-    if [ -n "${branch:-}" ]; then
-      git clone --depth 1 --branch "$branch" "$url" "$dest"
+    if [ -n "${auth_header}" ] && [[ "$url" == https://github.com/* ]]; then
+      if [ -n "${branch:-}" ]; then
+        git -c http.extraheader="$auth_header" clone --depth 1 --branch "$branch" "$url" "$dest"
+      else
+        git -c http.extraheader="$auth_header" clone --depth 1 "$url" "$dest"
+      fi
     else
-      git clone --depth 1 "$url" "$dest"
+      if [ -n "${branch:-}" ]; then
+        git clone --depth 1 --branch "$branch" "$url" "$dest"
+      else
+        git clone --depth 1 "$url" "$dest"
+      fi
     fi
     continue
   fi
 
-  git -C "$dest" fetch --all --prune
+  origin_url="$(git -C "$dest" config --get remote.origin.url)"
+  if [ -n "${auth_header}" ] && [[ "$origin_url" == https://github.com/* ]]; then
+    git -C "$dest" -c safe.directory="$dest" -c http.extraheader="$auth_header" fetch --all --prune
+  else
+    git -C "$dest" -c safe.directory="$dest" fetch --all --prune
+  fi
   if [ -n "${branch:-}" ]; then
-    git -C "$dest" checkout "$branch"
-    git -C "$dest" reset --hard "origin/$branch"
+    git -C "$dest" -c safe.directory="$dest" checkout "$branch"
+    git -C "$dest" -c safe.directory="$dest" reset --hard "origin/$branch"
   else
-    git -C "$dest" reset --hard "origin/HEAD"
+    git -C "$dest" -c safe.directory="$dest" reset --hard "origin/HEAD"
   fi
 done < "$list_file"
