add better tests for the github permissions by derekmisler · Pull Request #131 · docker/cagent-action

derekmisler · 2026-04-15T14:32:23Z

Related Issues

Closes: https://github.com/docker/gordon/issues/390

Summary

Fixes GitHub App token generation to dynamically fetch installation permissions instead of hardcoding them, adds comprehensive test coverage for the permissions flow, and restructures CI workflows for better separation of concerns.

Permission handling (`src/app-token.ts`)

Replaces the hardcoded permissions map with a dynamic lookup via appOctokit.apps.getInstallation() — the token now always reflects what the org has actually granted, so permissions never drift out of sync with the App's settings.

Test restructuring

Deleted lint-actions.yml — lint, typecheck, and unit tests are consolidated into test.yml
New test-e2e.yml — E2E tests (prompt sanitization, output extraction, job summary, security, exploits, pirate agent, invalid agent) run as a separate workflow
New vitest.integration.config.ts + pnpm test:integration — integration tests (real GitHub App API calls) are isolated from unit tests
Updated app-token.test.ts — proper mocks for the new installation-permission flow, plus a test that verifies permissions are passed through to createAppAuth
New app-token.integration.test.ts — live tests that verify App identity resolution, installation permission fetching, and token generation against the real API (credentials via env vars or 1Password CLI)

Release workflow (`release.yml`)

Reordered jobs: publish-agent → update-self-refs → update-consumers → notify for a logical dependency chain
notify now waits for all post-release jobs and is skipped on pre-release
Pre-release description updated to mention Slack skip

Agent model upgrade (`review-pr/agents/pr-review.yaml`)

sonnet model updated from claude-sonnet-4-5 → claude-sonnet-4-6 with 64k max tokens
Replaced haiku with sonnet-thinking (claude-sonnet-4-6 + adaptive/high thinking budget)
drafter agent switched to sonnet-thinking for better bug hypothesis generation

Tooling

New scripts/debug-permissions.ts for locally inspecting GitHub App and installation permissions

Tip

Comment /review to trigger the PR Reviewer agent for automated feedback.
Comment /describe to generate a PR description.

Signed-off-by: Derek Misler <derek.misler@docker.com>

derekmisler · 2026-04-15T14:34:53Z

I just reordered these steps in a logical way

derekmisler · 2026-04-15T14:35:05Z

i just renamed this one

derekmisler · 2026-04-15T14:35:25Z

just renamed this one

derekmisler · 2026-04-15T14:35:46Z

i added a separate "integration test" job

derekmisler · 2026-04-15T14:36:32Z

+ * Credentials are resolved in order:
+ *   1. GITHUB_APP_ID / GITHUB_APP_PRIVATE_KEY env vars (if set)
+ *   2. 1Password CLI (`op read`)


allows me to run them locally, which is nice.

derekmisler · 2026-04-15T14:38:58Z

-        issues: 'write',
-        pull_requests: 'write',
-        statuses: 'write',
-        variables: 'read',


this line was the whole reason for this PR. it's supposed to be action_variables, not variables (even though it's called "Variables" in the GitHub UI). so anyway, i'm just fetching all the permissions from GH and passing them along to this token generation step, so we won't have typos in the future.

add better tests for the github permissions

6a7ebfc

Signed-off-by: Derek Misler <derek.misler@docker.com>

derekmisler self-assigned this Apr 15, 2026

derekmisler requested a review from a team April 15, 2026 14:34

derekmisler marked this pull request as ready for review April 15, 2026 14:34