From 21a2def2a6454713acf5e5b11e46d498276f5fd9 Mon Sep 17 00:00:00 2001 From: fullsend-code <278716306+fullsend-ai-coder[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 17:34:29 +0000 Subject: [PATCH] fix(#511): add GH_TOKEN validation to pre-retro.sh Add a gh auth status check after URL validation in pre-retro.sh to fail fast when GH_TOKEN is invalid. This prevents wasting compute on sandbox creation and model inference when the token cannot authenticate. Behavior: - GH_TOKEN set and valid: logs success, continues - GH_TOKEN set and invalid: exits 1 with ::error:: - GH_TOKEN unset: logs ::warning::, continues Add pre-retro-test.sh with mock gh to verify all three cases. Closes #511 --- .../fullsend-repo/scripts/pre-retro-test.sh | 119 ++++++++++++++++++ .../fullsend-repo/scripts/pre-retro.sh | 15 ++- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 internal/scaffold/fullsend-repo/scripts/pre-retro-test.sh diff --git a/internal/scaffold/fullsend-repo/scripts/pre-retro-test.sh b/internal/scaffold/fullsend-repo/scripts/pre-retro-test.sh new file mode 100644 index 000000000..42436cf07 --- /dev/null +++ b/internal/scaffold/fullsend-repo/scripts/pre-retro-test.sh @@ -0,0 +1,119 @@ +#!/usr/bin/env bash +# pre-retro-test.sh — Test pre-retro.sh GH_TOKEN validation. +# +# Uses a mock gh command to simulate auth success/failure. +# Run from the repo root: bash internal/scaffold/fullsend-repo/scripts/pre-retro-test.sh + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PRE_SCRIPT="${SCRIPT_DIR}/pre-retro.sh" +FAILURES=0 + +TMPDIR="$(mktemp -d)" +trap 'rm -rf "${TMPDIR}"' EXIT + +# --- Helpers --- + +# build_mock creates a mock gh binary. +# Arguments: +# $1 — exit code for "gh auth status" (0 = valid, 1 = invalid) +build_mock() { + local auth_exit="$1" + local mock_bin="${TMPDIR}/bin" + + rm -rf "${mock_bin}" + mkdir -p "${mock_bin}" + + cat > "${mock_bin}/gh" < "${TMPDIR}/stdout.log" 2>&1 || exit_code=$? + + if [[ ${exit_code} -ne ${expect_exit} ]]; then + echo "FAIL: ${test_name} — expected exit ${expect_exit}, got ${exit_code}" + cat "${TMPDIR}/stdout.log" + FAILURES=$((FAILURES + 1)) + return + fi + + if ! grep -qF "${expected_stdout}" "${TMPDIR}/stdout.log" 2>/dev/null; then + echo "FAIL: ${test_name} — expected stdout '${expected_stdout}' not found" + echo "Actual stdout:" + cat "${TMPDIR}/stdout.log" + FAILURES=$((FAILURES + 1)) + return + fi + + echo "PASS: ${test_name}" +} + +# --- Test cases --- + +# GH_TOKEN valid → pass through with success message. +run_test_stdout "valid-token-passes" \ + 0 \ + "GH_TOKEN validated successfully." \ + 0 \ + "GH_TOKEN=fake-valid-token" + +# GH_TOKEN invalid → exit 1 with error. +run_test_stdout "invalid-token-fails" \ + 1 \ + "GH_TOKEN is invalid" \ + 1 \ + "GH_TOKEN=bad-token" + +# GH_TOKEN unset → warn, don't fail. +run_test_stdout "no-token-warns" \ + 0 \ + "GH_TOKEN is not set" \ + 0 \ + "GH_TOKEN=" + +# GH_TOKEN valid → still shows retro target after validation. +run_test_stdout "valid-token-continues-to-completion" \ + 0 \ + "Pre-retro validation complete." \ + 0 \ + "GH_TOKEN=fake-valid-token" + +# --- Summary --- + +echo "" +if [[ ${FAILURES} -gt 0 ]]; then + echo "${FAILURES} test(s) failed" + exit 1 +fi +echo "All tests passed" diff --git a/internal/scaffold/fullsend-repo/scripts/pre-retro.sh b/internal/scaffold/fullsend-repo/scripts/pre-retro.sh index 9ee8b9eab..0a8c95ecd 100755 --- a/internal/scaffold/fullsend-repo/scripts/pre-retro.sh +++ b/internal/scaffold/fullsend-repo/scripts/pre-retro.sh @@ -2,13 +2,15 @@ # pre-retro.sh — Validate inputs for the retro agent. # # Runs on the host via the harness pre_script mechanism. Validates the -# originating URL (PR or issue) and logs the trigger context. +# originating URL (PR or issue), checks GH_TOKEN validity, and logs +# the trigger context. # # Required env vars: # ORIGINATING_URL — HTML URL of the PR or issue that triggered retro # # Optional env vars: # RETRO_COMMENT — The /retro comment text (empty for automatic triggers) +# GH_TOKEN — GitHub token for API access set -euo pipefail @@ -20,6 +22,17 @@ if [[ ! "${ORIGINATING_URL}" =~ ^https://github\.com/[a-zA-Z0-9._-]+/[a-zA-Z0-9. exit 1 fi +# Validate GH_TOKEN before starting the sandbox. +if [[ -n "${GH_TOKEN:-}" ]]; then + if ! gh auth status 2>/dev/null; then + echo "::error::GH_TOKEN is invalid — retro agent requires GitHub API access" + exit 1 + fi + echo "GH_TOKEN validated successfully." +else + echo "::warning::GH_TOKEN is not set — retro agent will have limited functionality" +fi + echo "::notice::Retro target: ${ORIGINATING_URL}" if [[ -n "${RETRO_COMMENT:-}" ]]; then