Skip to content

fix: Keep org-specific token rotation isolated#555

Merged
edgarrmondragon merged 4 commits intoMeltanoLabs:mainfrom
stray-nick:fix-org-specific-token-rotation-v1264
Apr 28, 2026
Merged

fix: Keep org-specific token rotation isolated#555
edgarrmondragon merged 4 commits intoMeltanoLabs:mainfrom
stray-nick:fix-org-specific-token-rotation-v1264

Conversation

@stray-nick
Copy link
Copy Markdown
Contributor

@stray-nick stray-nick commented Apr 25, 2026
edited
Loading

Summary

Keep token rotation scoped to the current organization when that organization has its own configured token pool.

GitHub App installation tokens are org-scoped. If a stream is reading private repositories for one org and get_next_auth_token() falls through to another org's installation token, GitHub can return misleading 404 Not Found responses for repositories that do exist and are accessible with the correct org token.

What changed

  • get_next_auth_token() now prefers the current organization's token managers when current_organization has a configured token pool.
  • Fallback to org-agnostic or other-org tokens is still allowed when the current organization has no configured token pool.
  • Added regression tests for both paths:
    • org-specific token rotation stays inside the current org's pool.
    • missing org-specific pools still use the existing fallback behavior.

Validation

uv run pytest tests/test_authenticator.py
# 44 passed

@stray-nick stray-nick marked this pull request as ready for review April 25, 2026 12:03
@stray-nick stray-nick requested a review from a team as a code owner April 25, 2026 12:03
@stray-nick stray-nick changed the title fix: keep org-specific token rotation isolated fix: Keep org-specific token rotation isolated Apr 25, 2026
@stray-nick stray-nick marked this pull request as draft April 25, 2026 13:31
@edgarrmondragon edgarrmondragon added the enhancement New feature or request label Apr 27, 2026
TrishGillett
TrishGillett reviewed Apr 27, 2026
View reviewed changes
Comment thread tap_github/authenticator.py
TrishGillett
TrishGillett approved these changes Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@TrishGillett TrishGillett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👌

@stray-nick @TrishGillett
Update tap_github/authenticator.py per suggestion
e4b4fce 
Co-authored-by: Trish Gillett-Kawamoto <trish.gillett@shopify.com>
@stray-nick stray-nick marked this pull request as ready for review April 27, 2026 22:45
edgarrmondragon
edgarrmondragon approved these changes Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@edgarrmondragon edgarrmondragon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks folks!

@edgarrmondragon edgarrmondragon added this pull request to the merge queue Apr 28, 2026
Merged via the queue into MeltanoLabs:main with commit 713c124 Apr 28, 2026
7 checks passed
@stray-nick
Copy link
Copy Markdown
Contributor Author

stray-nick commented Apr 28, 2026

Appreciate it, Edgar!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edgarrmondragon edgarrmondragon edgarrmondragon approved these changes

+1 more reviewer

@TrishGillett TrishGillett TrishGillett approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stray-nick @TrishGillett @edgarrmondragon