Add failing tests for #1632#1645
Draft
prompt-driven-github[bot] wants to merge 3 commits into
Draft
Conversation
Long-running cloud checkup/fix jobs keep posting GitHub progress/state comments with the original GitHub App installation token after its 1-hour expiry, returning HTTP 401 instead of reading the refreshed PDD_GH_TOKEN_FILE. Every authenticated gh/gh api/gh pr/gh issue subprocess in agentic_common.py, agentic_change_orchestrator.py and ci_validation.py is spawned with no env=, so it inherits the frozen launch-time os.environ token. Adds 14 behavioral regression tests proving a refreshed PDD_GH_TOKEN_FILE must override a stale ambient GH_TOKEN for step/PR/final comments, state save/restore sync, the ci_validation gh chokepoint, and change-orchestrator gh calls. Also fixes the source-of-truth prompts to require fresh-token subprocess env injection (_github_token_from_env/_gh_subprocess_env). Tests fail on current code and will pass once the fix is implemented. Fixes #1632 Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds failing regression tests that detect the bug reported in #1632: long-running cloud checkup/fix jobs keep using the original (now-expired) GitHub App installation token for progress/state comments instead of reading the refreshed
PDD_GH_TOKEN_FILE, causingHTTP 401: Bad credentials.Test Files
tests/test_agentic_common.py— centralized helper tests + step/PR/final comment + state save/restore paths (incl. 3 folded-in reproduction tests)tests/test_ci_validation.py—ghchokepoint (_run_command) routes through the refreshed token; localgitstill workstests/test_agentic_change_orchestrator.py—_fetch_issue_updated_at/_check_existing_prghcallsPrompt Files (source-of-truth fixes from Step 7)
pdd/prompts/agentic_common_python.prompt— requires_github_token_from_env()/_gh_subprocess_env()andenv=injection on every authenticatedghsubprocesspdd/prompts/ci_validation_python.promptpdd/prompts/agentic_change_orchestrator_python.promptWhat This PR Contains
Root Cause
GitHub App installation tokens expire 1 hour after creation. Every authenticated
gh/gh api/gh pr/gh issuesubprocess inagentic_common.py(11 sites),agentic_change_orchestrator.py, andci_validation.py::_run_commandis spawned viasubprocess.run(cmd, ...)with noenv=, so it inherits the frozen launch-timeos.environtoken. After the 1-hour TTL these calls replay the stale ambientGH_TOKENand 401 instead of reading the refreshedPDD_GH_TOKEN_FILE.Next Steps
_github_token_from_env()(prefer freshly-readPDD_GH_TOKEN_FILE→GH_TOKEN→GITHUB_TOKEN→PDD_GITHUB_TOKEN) and_gh_subprocess_env()topdd/agentic_common.pyenv=_gh_subprocess_env()through all authenticatedghsubprocesses across the 3 files-k 1632tests passFixes #1632
Generated by PDD agentic bug workflow