Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01
Original recommendation
GitHub API token caching: race condition in installation token refresh
Evidence: src/lib/github.ts lines 47-128 — the GitHub App installation token cache uses module-level mutable state (installationTokenCache). The refreshIfNeeded() and getGitHubToken() functions are not mutex-protected. If two concurrent requests enter refreshIfNeeded() when the cache is near expiry, both could attempt to fetch a new token simultaneously, causing redundant API calls. In the worst case, a race condition during initial ensureInit() could leave useGitHubApp=false after a transient failure, silently falling back to PAT auth.
Matched top finding
Evidence: src/lib/github.ts lines 47-128 — the GitHub App installation token cache uses module-level mutable state (installationTokenCache). The refreshIfNeeded() and getGitHubToken() functions are not mutex-protected. If two concurrent requests enter refreshIfNeeded() when the cache is near expiry, both could attempt to fetch a new token simultaneously, causing redundant API calls. In the worst case, a race condition during initial ensureInit() could leave useGitHubApp=false after a transient failure, silently falling back to PAT auth.
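One way to close the race described above, as an added TypeScript sketch (not the code in src/lib/github.ts): concurrent callers share a single in-flight refresh, and a failed refresh is retried on the next call instead of switching auth mode. `SingleFlightTokenCache`, `selectToken`, the fetcher signature and the 60-second refresh margin are assumptions for illustration.

```typescript
// Added sketch. All names here are hypothetical, not taken from src/lib/github.ts.
type Token = { value: string; expiresAt: number }; // expiresAt in epoch milliseconds
type Fetcher = () => Promise<Token>;

const REFRESH_MARGIN_MS = 60_000; // assumed refresh-ahead window

class SingleFlightTokenCache {
  private cached: Token | null = null;
  private inFlight: Promise<string> | null = null;
  private fetchToken: Fetcher;
  private now: () => number;

  constructor(fetchToken: Fetcher, now: () => number = Date.now) {
    this.fetchToken = fetchToken;
    this.now = now;
  }

  // Deliberately not `async`: concurrent callers get the same Promise object,
  // so a near-expiry cache triggers exactly one upstream token request.
  getToken(): Promise<string> {
    const c = this.cached;
    if (c && c.expiresAt - this.now() > REFRESH_MARGIN_MS) {
      return Promise.resolve(c.value);
    }
    if (this.inFlight) return this.inFlight; // join the refresh already running
    const p = this.fetchToken().then(
      (t) => { this.cached = t; this.inFlight = null; return t.value; },
      // A transient failure clears the slot so the next call retries;
      // it does not latch any "App auth disabled" state.
      (err) => { this.inFlight = null; throw err; },
    );
    this.inFlight = p;
    return p;
  }
}

// Auth mode follows configuration, not the outcome of the last fetch:
// when the App is configured, errors propagate instead of silently using the PAT.
function selectToken(
  appConfigured: boolean,
  cache: SingleFlightTokenCache,
  pat: string,
): Promise<string> {
  return appConfigured ? cache.getToken() : Promise.resolve(pat);
}
```
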