Support fetching tokens from an external command#469
Draft
ammachado wants to merge 5 commits into
Draft
Conversation
Documents the Makefile-driven test/lint/RPM workflow, the CLI/config → Stats → plugins architecture, how to add a new plugin, and the unit vs. FMF/tmt test split. rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
Add `token_command` as a third token source alongside `token` and `token_file`, so secrets can be pulled from password managers such as BitWarden (`bw get password ...`) or 1Password (`op read op://...`). The command is parsed with shlex (no shell) and its stdout is used as the token; failures raise `ConfigError`. Results are memoized per process so multiple sections sharing a command only invoke the tool once. Setting more than one of `token`, `token_file`, `token_command` is now a hard `ConfigError` (previously the lower-precedence keys were silently ignored). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
Restore the original silent-precedence behavior when more than one of `token`, `token_file`, `token_command` is set: `token` wins, then `token_file`, then `token_command`. Keeps the new `token_command` source and its memoization, but avoids breaking configs that happen to set multiple keys. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
The test setUp reaches into `did.base._run_token_command.cache_clear` to reset memoization between tests; that is intentional access to an internal helper, so disable the warning on that line. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
Project flake8 config sets `max-doc-length = 72`. Reflow the new `_run_token_command` and `get_token` docstrings plus a few test docstrings to fit the limit; no behavior change. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
token_commandas a third token source alongsidetoken/token_file, so plugins can pull secrets from password managers such as BitWarden (bw get password did-jira) or 1Password (op read op://Personal/Jira/token). The command is parsed withshlex(no shell) and its stripped stdout is used as the token; failures raiseConfigError. Results are memoized per process viafunctools.lru_cacheso multiple config sections sharing a command only invoke the external tool once.token,token_file,token_commandin a section is now a hardConfigError. Previously the lower-precedence keys were silently ignored.jiraandconfluenceplugin docstrings to documenttoken_commandand the mutual-exclusion rule. Other plugins automatically gain the feature through the shareddid.base.get_tokenhelper.CLAUDE.mdwith repo guidance (Makefile commands, three-layer architecture, plugin conventions, unit vs. FMF tests).Test plan
pytest tests/unit/test_base.py::TestGetToken— 13/13 passing (5 new tests for the command source, mutual exclusion, failure modes, and memoization)pytest tests/unit -n autoclean except for pre-existing failures unrelated to token handling (nitrate/psycopg2build needspg_configlocally; oneredminelive-data test).[all]installedtoken_command = printf %s ...and confirm the report runs🤖 Generated with Claude Code