chore(setup): announce disk writes during GitHub device-code sign-in #4
Merged
Conversation
The two device-code scripts (github-device-fetch.sh, github-device-poll.sh) write five files to disk during the OAuth sign-in flow: a cookie jar carrying OAuth state, a state env file holding the device + user codes, a transient HTTP response file, and the Coder admin URL and session token under $CODER_CONFIG_DIR. None of the writes were announced to the user. Adds one short stderr echo before each write naming the destination path. No secret values are echoed; only the file paths. Behaviour and stdout protocol are unchanged - the calling agent still parses the env file (fetch) and 'coder whoami' / 'coder users list' (poll) from stdout.

Why this matters: static analysis on the registry skills (coder/coder-skill-scanner) flags 'writes sensitive data without explicit user notification' on these scripts. The user-facing improvement (clearer install-time logging) is the actual reason; the analyzer is just the prompt that surfaced it. The skill's SKILL.md guidance against echoing secrets is respected (paths only, no token or cookie values).

Verified: 'make lint' green (shellcheck, shfmt, markdownlint, jq, claude plugin validate, emdash, SKILL.md description length).
Pull request overview
Adds stderr-only logging to the GitHub device-code sign-in setup scripts to explicitly notify users/agents of on-disk writes (cookie jar, device-code env file, polling response capture file, and Coder CLI config files) without changing stdout behavior or exposing secret values.
Changes:
- Log (to stderr) where the GitHub OAuth cookie jar and device-code parameters env file are written during the “fetch” step.
- Log (to stderr) where polling responses are captured, and where the Coder CLI URL/session files are written during the “poll” step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| skills/setup/scripts/github-device-fetch.sh | Adds stderr echo lines announcing cookie jar and device env file writes. |
| skills/setup/scripts/github-device-poll.sh | Adds stderr echo lines announcing response capture and Coder CLI config file writes. |
bpmct approved these changes on Jun 25, 2026
Changes

The two device-code scripts write five files during first-user setup — a cookie jar, the device-code env file, a transient HTTP response file, and the Coder URL plus admin session token under `$CODER_CONFIG_DIR` — without ever announcing it. This adds one stderr `echo` before each write naming the destination path. Paths only, no secret values, stdout protocol unchanged so the calling agent still parses `cat "$DEV_FILE"` and `coder whoami` the same way.

The echo before the poll loop runs once, outside the loop, so the "don't echo inside the polling loop" rule in `references/first-user-github-device.md` still holds. `make lint` is green.

Why this was needed

`coder/coder-skill-scanner` flagged eight SQP-2 (writes sensitive data without notification) findings on `coder/setup`, but the real reason is just that any install script writing a token to disk should say so out loud.

This PR was prepared with help from Coder Agents.
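The announce-then-write pattern described in this PR, as an added shell example that is not the coder/setup scripts' own code. The file names, the `Writing …` wording, and the constructed device-code and poll responses are assumptions made for illustration. It shows the properties the PR relies on: announcements go to stderr and carry only the destination path, the poll-loop announcement runs once before the loop rather than inside it, stdout keeps the machine-readable output the calling agent parses, and (an addition beyond the PR) the secret-bearing files are created 0600 from the first byte via umask.

```shell
#!/bin/sh
# Added example, not the coder/setup scripts: the announce-then-write pattern
# the PR describes. Paths, messages and the constructed responses below are
# hypothetical. Announcements go to stderr and carry only the destination path;
# stdout is left to the machine-readable output the calling agent parses.
set -eu
umask 077   # every file this script creates is 0600 from the first byte

# announce_write PATH: one stderr line naming the file about to be written.
# Only the path is printed; never pass a secret value to this function.
announce_write() {
    printf 'Writing %s\n' "$1" >&2
}

# write_secret_file PATH CONTENT: announce, then write (0600 via the umask above).
write_secret_file() {
    announce_write "$1"
    printf '%s\n' "$2" > "$1"
}

# fetch_step DIR: models the "fetch" step. Both on-disk writes are announced;
# the env file is then emitted on stdout, which is what the agent consumes.
fetch_step() {
    cookie_jar="$1/cookies.txt"
    dev_file="$1/device.env"
    write_secret_file "$cookie_jar" "# constructed cookie jar; the real one holds OAuth state"
    write_secret_file "$dev_file" "DEVICE_CODE=dc_constructed
USER_CODE=ABCD-EFGH"
    cat "$dev_file"
}

# poll_step DIR ATTEMPTS: models the "poll" step. The response file is announced
# once, before the loop; iterations overwrite it silently. Constructed responses
# stay "authorization_pending" until the last attempt, which carries a token.
poll_step() {
    resp="$1/response.json"
    announce_write "$resp"
    i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1))
        if [ "$i" -lt "$2" ]; then
            printf '{"error":"authorization_pending"}\n' > "$resp"
        else
            printf '{"access_token":"gho_constructed"}\n' > "$resp"
        fi
        if grep -q '"access_token"' "$resp"; then
            printf 'authorized after %s attempts\n' "$i"   # stdout protocol line
            return 0
        fi
    done
    return 1
}

# count_announcements DIR ATTEMPTS: run poll_step keeping only its stderr and
# count the announcement lines, to check the once-outside-the-loop rule.
count_announcements() {
    poll_step "$1" "$2" 2>&1 >/dev/null | grep -c '^Writing '
}

# file_mode PATH: the permission string from ls -l (portable across GNU/BSD).
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo in a throwaway directory: announcements on stderr, protocol on stdout.
demo_dir=$(mktemp -d)
fetch_step "$demo_dir"
poll_step "$demo_dir" 3
rm -rf "$demo_dir"
```

Run it with `sh announce-writes.sh 2>/dev/null` to see only the protocol lines the agent would parse, and with `>/dev/null` to see only the announcements; neither stream ever contains the user code or the token, and `count_announcements` confirms that the poll loop announces its response file exactly once however many iterations it takes.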