fix(dso-7nos): add ACLI auth login step to bridge workflows

JoeOakhartNava · claude · JoeOakhartNava · commit 91044fb74530 · 2026-03-22T21:40:51.000-07:00
ACLI Go binary requires explicit `acli jira auth login --site --email
--token` before any Jira API calls. The legacy Java ACLI read credentials
from env vars automatically, but the Go binary stores auth in a config
file after login.

Changes:
- Add "Authenticate ACLI" step to both inbound and outbound bridge
  workflows, piping JIRA_API_TOKEN to acli auth login via stdin
- Simplify AcliClient._run() to delegate to _run_acli() since auth
  is now handled at the workflow level
- Add design note to dso-7nos: tickets branch must be synced from main
  for code changes to take effect in bridge workflows

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/inbound-bridge.yml b/.github/workflows/inbound-bridge.yml
@@ -115,6 +115,19 @@ jobs:
           fi
           ln -sf "$HOME/.acli/acli" /usr/local/bin/acli
 
+      - name: Authenticate ACLI
+        run: |
+          # ACLI Go binary requires explicit auth login (no env var auto-detection).
+          # Pipe the API token to stdin via --token flag.
+          echo "$JIRA_API_TOKEN" | acli jira auth login \
+            --site "$JIRA_URL" \
+            --email "$JIRA_USER" \
+            --token
+        env:
+          JIRA_URL: ${{ vars.JIRA_URL }}
+          JIRA_USER: ${{ vars.JIRA_USER }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
       - name: Run inbound bridge
         id: run-bridge
         run: |
diff --git a/.github/workflows/outbound-bridge.yml b/.github/workflows/outbound-bridge.yml
@@ -109,6 +109,17 @@ jobs:
           fi
           ln -sf "$HOME/.acli/acli" /usr/local/bin/acli
 
+      - name: Authenticate ACLI
+        run: |
+          echo "$JIRA_API_TOKEN" | acli jira auth login \
+            --site "$JIRA_URL" \
+            --email "$JIRA_USER" \
+            --token
+        env:
+          JIRA_URL: ${{ vars.JIRA_URL }}
+          JIRA_USER: ${{ vars.JIRA_USER }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
       - name: Run outbound bridge
         id: run-bridge
         run: |
diff --git a/.tickets/.sync-state.json b/.tickets/.sync-state.json
@@ -449,8 +449,8 @@
     "last_synced": "2026-03-19T18:38:35Z",
     "local_hash": "14c516947a151a3db8bdec4010e2fd6e"
   },
-  "last_pull_timestamp": "2026-03-23T04:29:36Z",
-  "last_sync_commit": "bc822f030eb394ef13e5f0bd21e64707e0885fcf",
+  "last_pull_timestamp": "2026-03-23T04:34:32Z",
+  "last_sync_commit": "4c6ef71950fbe947a5818805e055ecc831a7e618",
   "w21-5cqr": {
     "jira_hash": "bce29d76f01c58613ee99cb1dd03920d",
     "jira_key": "DIG-61",
diff --git a/.tickets/dso-7nos.md b/.tickets/dso-7nos.md
@@ -25,3 +25,7 @@ Phase 2: Add ACLI version/hash configuration to the project setup guided prompts
 
 ## Notes
 Originally tracked as bug dso-7nos (ACLI_VERSION unset). Upgraded to epic per user request to automate the full configuration lifecycle.
+
+**2026-03-23T04:39:18Z**
+
+Design decision: The Inbound Bridge workflow checks out ref:tickets — not main. This means all code (including bridge scripts and workflow changes) must be present on the tickets branch. Currently achieved by pushing main → tickets to sync. Long-term, the workflow should be restructured to checkout main for code and only use the tickets branch for .tickets-tracker/ data — this avoids coupling code deployment to the tickets branch sync cycle.
diff --git a/plugins/dso/scripts/acli-integration.py b/plugins/dso/scripts/acli-integration.py
@@ -229,34 +229,14 @@ def __init__(
         self._acli_cmd = acli_cmd
 
     def _run(self, cmd: list[str]) -> subprocess.CompletedProcess[str]:
-        """Run an ACLI command with credentials injected into env."""
-        base = self._acli_cmd if self._acli_cmd is not None else _DEFAULT_ACLI_CMD
-        full_cmd = base + cmd
-        env = _build_env()
-        env["JIRA_URL"] = self.jira_url
-        env["JIRA_USER"] = self.user
-        env["JIRA_API_TOKEN"] = self.api_token
-
-        last_error: subprocess.CalledProcessError | None = None
-        for attempt in range(_MAX_ATTEMPTS):
-            try:
-                return subprocess.run(
-                    full_cmd,
-                    capture_output=True,
-                    text=True,
-                    check=True,
-                    env=env,
-                )
-            except subprocess.CalledProcessError as exc:
-                last_error = exc
-                if exc.returncode == _AUTH_FAILURE_CODE:
-                    raise
-                if attempt < _MAX_ATTEMPTS - 1:
-                    delay = 2 ** (attempt + 1)
-                    time.sleep(delay)
-
-        assert last_error is not None
-        raise last_error
+        """Run an ACLI command.
+
+        ACLI Go reads auth from its config file (set by ``acli auth login``).
+        Credentials stored on self are available for callers that need them
+        (e.g., direct REST calls), but are not injected into the subprocess
+        environment — ACLI does not read env vars for auth.
+        """
+        return _run_acli(cmd, acli_cmd=self._acli_cmd)
 
     def search_issues(
         self,
