feat(cloud-codex): inject GITHUB_PAT so Cody can clone/push/open PRs #382
Open
samxu01 wants to merge 1 commit into
The clawdbot deployment has long shipped GITHUB_PAT pod-wide so acpx_run sub-agents (Theo/Nova/Pixel/Aria/Ops) can do git work in user-created pods. The cloud-codex deployment (new 2026-05-15, Cody runs there) was missing the same env block — Cody couldn't shell out to git or gh during an agent run.

Adds:
- GITHUB_PAT and GH_TOKEN env vars on the cloud-codex agent container, both sourced from `api-keys` secret key `GITHUB_PAT` (same secret clawdbot uses). Both marked `optional: true` so the deployment still rolls without the secret being present yet.
- Boot-script branch that wires the PAT into `git config credential.helper store` against /state/.git-credentials (PVC-backed, 0600) when present, so HTTPS clone/push and `gh pr create` work non-interactively. Silent no-op when GITHUB_PAT is empty, keeping non-dev tiers safe if a future runtime tier accidentally points at the same template without the secret.

Per the CLAUDE.md note added in this PR, gating is at the deployment template tier — community-tier runtimes (community moltbots in the openclaw fork) never get GITHUB_PAT in their env. The model gate via `applyOpenClawModelDefaults` is the parallel safeguard for LLM credentials.

Verified via `helm template` that the GITHUB_PAT block and boot-script git-config block both render correctly.
samxu01 added a commit that referenced this pull request on May 16, 2026
…382)

clawdbot has long shipped GITHUB_PAT pod-wide so acpx_run sub-agents (Theo/Nova/Pixel/Aria/Ops) can do git work. cloud-codex deployment (Cody, new 2026-05-15) was missing the same env block.

Adds:
- GITHUB_PAT and GH_TOKEN env vars on the cloud-codex agent container from `api-keys` secret key `GITHUB_PAT` (optional: true).
- Boot-script branch that wires the PAT into `git config credential.helper store` against /state/.git-credentials (0600) so HTTPS clone/push and `gh pr create` work non-interactively. Silent no-op when GITHUB_PAT is empty.

Gating is at the deployment-template tier — community moltbots never get GITHUB_PAT in their env; the model gate is the parallel safeguard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4 tasks
samxu01 added a commit that referenced this pull request on May 16, 2026
PR #382 added a boot-script `git config credential.helper store` line but node:22-bookworm-slim doesn't ship git — the agent container crash-looped with exit 127 ("command not found"), masked by `set -e`. Cody was DOA after #382. Extends the existing ca-certificates idempotent-install branch to also apt-install git when missing. Same pattern, same boot cost. Hotfix to unbreak Cody. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 tasks
samxu01 added a commit that referenced this pull request on May 16, 2026
…ing in git creds (#384) The shared commonly-github-pat secret value carries a trailing newline that broke git's credential URL parser when PR #382's boot script interpolated it directly. Trim \n/\r before printing the URL. Verified by hand-patching the live cody pod: clone via PAT succeeds afterward. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
samxu01 added a commit that referenced this pull request on May 16, 2026
…MCP servers

Verified empirically 2026-05-15 after merging #388: codex CLI 0.125.0 recognizes [mcp_servers.commonly] in config.toml (`codex mcp list` shows it enabled), but `codex exec` does NOT actually connect to or expose tools from configured MCP servers. The model's tool list stays limited to codex's built-in tools (web, image_gen, exec_command, apply_patch, ...). list_mcp_resources returns empty regardless.

Per docs/MCP_INTEGRATION.md, the supported codex pattern is to wrap codex AS an MCP server (codex-as-mcp), not to have codex consume MCP servers. So #388 adds noise without effect.

For Cody to actually call commonly_react_to_message autonomously, the real options are:
- Switch her adapter from codex → claude-code or another MCP-consuming host (architectural decision).
- Add the reaction tool to the openclaw extension's commonly_* block (separate Team-Commonly/openclaw PR; out of the "make-collab-bulletproof" goal's "no openclaw-coupled fixes" constraint).

Keeping the four ship-PRs (#379/#380/#381/#382 + #383/#384/#385/#386 follow-ups) in place — they're all correct. Just removing #388.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Gap 1 from the "make collab bulletproof" goal — closing the dev-agent PAT gap so Cody (and any future cloud-codex agent) can do real git work in user-created pods, matching the capability clawdbot moltbots have had all along.
- `GITHUB_PAT` and `GH_TOKEN` env vars added to the cloud-codex agent container, both sourced from `api-keys` secret key `GITHUB_PAT` (the same shared `commonly-github-pat` clawdbot uses).
Test plan
Closes
1 of 4 gaps from the "make collab bulletproof" goal — the last one.
🤖 Generated with Claude Code
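
The credential wiring discussed in this thread (silent no-op on an empty PAT, CR/LF trimming as in the #384 follow-up, a 0600 credentials file, and tolerance of a missing `git` binary) can be sketched as follows. This is an added example, not the chart's boot script: the function names, the `x-access-token` username, the token character check and the explicit `--file` config path are assumptions of the example.

```shell
#!/bin/sh
# Added example; mirrors the behaviour described in the PR, not the chart's own script.

# Strip CR/LF from a secret value (the trailing-newline case fixed in #384).
trim_secret() {
  printf '%s' "$1" | tr -d '\r\n'
}

# Write a git-credential-store file for github.com.
#   $1 = raw PAT (may be empty or carry a trailing newline)
#   $2 = credentials file (the PR uses /state/.git-credentials)
#   $3 = git config file to update (assumption: explicit path instead of --global)
# Returns 0 on success or no-op, 1 when the token has unexpected characters.
setup_git_credentials() {
  pat=$(trim_secret "$1")
  cred_file=$2
  cfg_file=$3

  # Silent no-op when the secret is absent (optional: true on the env var).
  [ -n "$pat" ] || return 0

  # Assumption: a GitHub token is [A-Za-z0-9_] only; anything else
  # ('@', '/', ':', whitespace) would corrupt the credential URL.
  case "$pat" in
    *[!A-Za-z0-9_]*)
      echo "GITHUB_PAT contains unexpected characters; skipping" >&2
      return 1 ;;
  esac

  # Create the file under umask 077 so the token is never world-readable,
  # then force 0600 in case the file already existed with looser bits.
  (
    umask 077
    # The username is an assumption of this example.
    printf 'https://x-access-token:%s@github.com\n' "$pat" > "$cred_file"
  )
  chmod 600 "$cred_file"

  # The base image in this thread lacked git; guard the call so a missing
  # binary does not abort a boot script running under `set -e`.
  if command -v git >/dev/null 2>&1; then
    git config --file "$cfg_file" credential.helper "store --file=$cred_file"
  fi
  return 0
}
```

Because the token lands in plaintext on a PVC, the file mode and the scope of the PAT itself are the controls that limit exposure if another process in the pod can read `/state`.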