fix(workspace): add gh-relay wrapper for auto-refreshing GitHub tokens #100

Merged
khaliqgant merged 2 commits into main from fix/gh-cli-auth-323
Jan 7, 2026

@agent-relay-rachel
Contributor

Summary

  • Fixes gh CLI 401 "Bad credentials" error caused by expired installation tokens
  • Adds gh-relay wrapper script with 55-minute token caching
  • Removes placeholder hosts.yml that caused migration errors

Root Cause

The provisioner sets GH_TOKEN at workspace startup with a GitHub App installation token. These tokens expire after ~1 hour. The gh CLI prefers GH_TOKEN over credential helpers, so it kept using the stale token.

Secondary issue: entrypoint.sh created hosts.yml with oauth_token: placeholder, which caused gh CLI migration errors when combined with GH_TOKEN.

Solution

  1. New gh-relay wrapper (deploy/workspace/gh-relay)

    • Fetches fresh tokens from /api/git/token endpoint
    • Caches tokens for 55 minutes (tokens expire at 1 hour)
    • Falls back gracefully if API unavailable
  2. Updated Dockerfile - Installs wrapper at /usr/local/bin/gh

  3. Updated entrypoint.sh - Removes placeholder hosts.yml creation

Test Plan

  • gh auth status - Shows logged in as agent-relay[bot]
  • gh pr list - Successfully lists PRs
  • gh api repos/AgentWorkforce/relay - Returns repo info
  • Rebuild workspace image and verify fix persists

Closes agent-relay-323

🤖 Generated with Claude Code

Agent Relay and others added 2 commits January 7, 2026 19:09
Fixes agent-relay-323: gh CLI authentication failing with 401 Unauthorized

## Problem
- GitHub App installation tokens expire after ~1 hour
- gh CLI uses stale GH_TOKEN env var directly, bypassing credential helper
- Secondary issue: placeholder hosts.yml caused migration error during startup

## Solution
- Created gh-relay wrapper script with 55-minute token caching
- Wrapper refreshes token via /api/git/token before each invocation
- Updated Dockerfile to install wrapper at /usr/local/bin/gh
- Updated entrypoint.sh to remove placeholder hosts.yml

## Testing
- gh auth status ✓ Logged in as agent-relay[bot]
- gh pr list ✓ Lists PRs successfully
- gh api repos/AgentWorkforce/relay ✓ Returns repo info

## Files Changed
- deploy/workspace/gh-relay (new) - Token refresh wrapper
- deploy/workspace/Dockerfile - Install wrapper
- deploy/workspace/entrypoint.sh - Cleanup hosts.yml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Backend <noreply@relay.local>
@khaliqgant khaliqgant merged commit 3d54059 into main Jan 7, 2026
6 checks passed
@khaliqgant khaliqgant deleted the fix/gh-cli-auth-323 branch January 7, 2026 20:46
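
A sketch of the wrapper behaviour this PR describes (fetch from /api/git/token, cache for 55 minutes, fall back to the existing GH_TOKEN), added here as an example and not the project's gh-relay script. `RELAY_API_URL`, `GH_RELAY_CACHE`, `REAL_GH`, the localhost base URL and the plain-text response body are assumptions.

```shell
#!/bin/sh
# Added sketch of a caching gh wrapper; NOT the project's deploy/workspace/gh-relay.
# Assumptions: RELAY_API_URL, GH_RELAY_CACHE and REAL_GH are hypothetical names, and
# /api/git/token is assumed to return the bare token as its response body.
CACHE_FILE="${GH_RELAY_CACHE:-${HOME:-/tmp}/.cache/gh-relay/token}"
CACHE_TTL=$((55 * 60))            # 55 minutes; installation tokens last ~1 hour
REAL_GH="${REAL_GH:-/usr/bin/gh}" # assumed location of the real gh binary

# True only if the cache exists, is non-empty and is younger than CACHE_TTL.
cache_is_fresh() {
    [ -s "$CACHE_FILE" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$CACHE_FILE" 2>/dev/null || stat -f %m "$CACHE_FILE") || return 1
    [ $((now - mtime)) -lt "$CACHE_TTL" ]
}

# Ask the relay API for a token; fail fast so gh is never blocked for long.
fetch_token() {
    curl -fsS --max-time 5 "${RELAY_API_URL:-http://localhost:3000}/api/git/token"
}

# Print a token: cached if fresh, else refreshed, else the startup GH_TOKEN.
get_token() {
    if cache_is_fresh; then cat "$CACHE_FILE"; return 0; fi
    if token=$(fetch_token) && [ -n "$token" ]; then
        # Write via a 0600 temp file and rename, so the cache is never
        # world-readable or half-written. A failed write is not fatal.
        ( umask 077
          mkdir -p "$(dirname "$CACHE_FILE")" &&
          tmp=$(mktemp "$CACHE_FILE.XXXXXX") &&
          printf '%s' "$token" > "$tmp" && mv "$tmp" "$CACHE_FILE" ) || :
        printf '%s' "$token"; return 0
    fi
    # API unavailable: fall back to whatever the environment already holds.
    [ -n "${GH_TOKEN:-}" ] && printf '%s' "$GH_TOKEN"
}

gh_relay_main() {
    # The token travels in the environment, never on gh's command line.
    if token=$(get_token) && [ -n "$token" ]; then
        GH_TOKEN=$token; export GH_TOKEN
    fi
    exec "$REAL_GH" "$@"
}

# Run only when installed under the name gh (or gh-relay), so the file can be sourced.
case "${0##*/}" in gh|gh-relay) gh_relay_main "$@" ;; esac
```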