Normalize GitHub auth in generated pod spec for workspace secretRef#583

Merged
gjkim42 merged 1 commit into main from kelos-task-579 on Mar 7, 2026

Conversation

@kelos-bot kelos-bot bot commented Mar 7, 2026

What type of PR is this?

/kind bug

What this PR does / why we need it:

When a Workspace has secretRef configured, Kelos should normalize GitHub auth in the generated pod spec so it works for both the built-in images and custom images.

This PR makes two changes to internal/controller/job_builder.go:

  1. Sets GH_CONFIG_DIR=/workspace/.gh-config on the main agent container when workspace.secretRef is set. This gives gh a clean config directory on the shared workspace volume, so it does not read stale auth from ~/.config/gh/hosts.yml or any image-baked home-directory state. This works for both built-in and custom images without requiring image-specific entrypoint changes.

  2. Clears inherited credential helpers before setting the workspace helper. The clone command now uses -c credential.helper= -c credential.helper='<helper>' to first reset inherited helpers, and the persisted repo config uses --unset-all then --add to ensure a clean state. The helper persistence now runs only after a successful clone, so a partial clone failure cannot be masked by a later config command. The same pattern is applied to the branch-setup fetch command.

Which issue(s) this PR is related to:

Fixes #579

Special notes for your reviewer:

  • The GH_CONFIG_DIR env var is only set on the main container (not init containers), since init containers don't run gh commands.
  • The GH_CONFIG_DIR is NOT set when there is no secretRef, so workspaces without auth injection are unaffected.
  • Integration coverage was updated for the added GH_CONFIG_DIR env var and the new helper script shape.
  • make test and make test-integration both pass locally after the review follow-up.
  • No CRD or API changes are required.

Does this PR introduce a user-facing change?

Fix worker pods preferring stale gh CLI auth over injected workspace token by setting GH_CONFIG_DIR to a clean directory on the workspace volume and clearing inherited git credential helpers.

Summary by cubic

Normalize GitHub auth for workspaces with secretRef by setting a clean gh config dir and clearing inherited git credential helpers. Fixes #579 and ensures consistent auth for both built‑in and custom images.

  • Bug Fixes
    • Set GH_CONFIG_DIR=/workspace/.gh-config on the main agent container when workspace.secretRef is present. No change for init containers or workspaces without secretRef.
    • Clear inherited git credential helpers before applying the workspace helper. Clone and branch-setup use -c credential.helper= then -c credential.helper='<helper>', and repo config uses --unset-all then --add to persist the helper.

Written for commit 2a0e39d. Summary will update on new commits.

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="internal/controller/job_builder.go">

<violation number="1" location="internal/controller/job_builder.go:347">
P1: The new shell chain can hide clone failures because `--add credential.helper` runs unconditionally after `;`. Keep helper reconfiguration inside the `&&` success path.</violation>
</file>

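Added illustration (not Kelos' own job_builder.go code) of the two changes the PR describes and of the `&&` ordering cubic's P1 asks for: GH_CONFIG_DIR is appended only when a secretRef exists, and the generated clone step resets inherited helpers with an empty `-c credential.helper=` before persisting the workspace helper, with every persistence command kept on the success path of the clone. `EnvVar`, `agentEnv`, `cloneScript` and the sample repo/helper values are hypothetical; the `|| [ $? -eq 5 ]` guard assumes git config's documented exit status 5 for unsetting a key that does not exist, which a fresh clone without a repo-level helper would otherwise turn into a spurious failure.

```go
package main

import (
	"fmt"
	"strings"
)

// EnvVar mirrors the shape of a container env entry (hypothetical, not Kelos' type).
type EnvVar struct{ Name, Value string }

// shellQuote single-quotes s for safe interpolation into a POSIX shell command.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// agentEnv returns the env for the main agent container only. GH_CONFIG_DIR is added
// solely when the workspace has a secretRef, so workspaces without auth injection are untouched.
func agentEnv(hasSecretRef bool) []EnvVar {
	env := []EnvVar{{Name: "HOME", Value: "/workspace"}} // constructed baseline, not Kelos' real env
	if hasSecretRef {
		env = append(env, EnvVar{Name: "GH_CONFIG_DIR", Value: "/workspace/.gh-config"})
	}
	return env
}

// cloneScript builds the clone step. The empty -c credential.helper= clears any helper
// inherited from the image's gitconfig before the workspace helper is set for the clone.
// Persisting the helper into the repo config is chained with && so a failed clone is never
// masked; --unset-all exits 5 when the key is absent, which is tolerated explicitly.
func cloneScript(repoURL, helper, dest string) string {
	q := shellQuote
	return strings.Join([]string{
		fmt.Sprintf("git -c credential.helper= -c credential.helper=%s clone %s %s", q(helper), q(repoURL), q(dest)),
		fmt.Sprintf("(git -C %s config --unset-all credential.helper || [ $? -eq 5 ])", q(dest)),
		fmt.Sprintf("git -C %s config --add credential.helper %s", q(dest), q(helper)),
	}, " && ")
}

func main() {
	fmt.Println(agentEnv(true))
	fmt.Println(cloneScript("https://github.com/example/repo.git", "!gh auth git-credential", "/workspace/repo"))
}
```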

When a workspace has secretRef configured, set GH_CONFIG_DIR to a clean
directory on the shared workspace volume so the gh CLI does not read
stale auth from the container image's home directory. This works for
both built-in and custom agent images without requiring image-specific
entrypoint changes.

Also fix the git credential helper setup to explicitly clear inherited
credential helpers before setting the workspace helper, both for the
clone command (-c credential.helper= to reset, then -c
credential.helper='<helper>') and for the persisted repo config
(--unset-all then --add).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gjkim42 gjkim42 enabled auto-merge March 7, 2026 23:38
@gjkim42 gjkim42 added this pull request to the merge queue Mar 7, 2026
@gjkim42 gjkim42 removed this pull request from the merge queue due to a manual request Mar 7, 2026
@gjkim42 gjkim42 merged commit 629b4d3 into main Mar 7, 2026
14 of 15 checks passed
@gjkim42 gjkim42 deleted the kelos-task-579 branch March 7, 2026 23:47
gjkim42 added a commit that referenced this pull request Mar 8, 2026
Normalize GitHub auth in generated pod spec for workspace secretRef
Development

Successfully merging this pull request may close these issues.

Worker pods can prefer stale gh auth over injected workspace token

1 participant