[REMOTE-1370] Phase 2: driver-side git credential refresh #10150
Closed
jasonkeung wants to merge 2 commits into master from
Implements Phase 2 of REMOTE-1370 (refresh GitHub token at runtime)
in the warp repo:
- Add taskGitCredentials to schema.graphql and client-schema.ts, with
types verified against the staging server
- Add task_git_credentials.rs GraphQL query (cynic), following the
pattern of task_secrets.rs
- Add GitCredential struct and get_task_git_credentials to the AIClient
trait with a ServerApi implementation
- Add driver/git_credentials.rs with:
  - Atomic writes to ~/.git-credentials and ~/.config/gh/hosts.yaml
  - One-time git config setup (credential.helper store, url.insteadOf)
  - Git user identity configuration from server-returned username/email
  - refresh_loop(): infinite async loop that re-fetches credentials
    every 50 minutes and overwrites the credential files
- Extend fetch_secrets_and_attachments to call taskGitCredentials in
parallel with existing fetches; write credentials and setup git
config at startup
- Add a futures::select! refresh loop in run_internal for both the Oz
and ThirdParty harness paths; the refresh future is dropped when the
harness completes
Note: schema.graphql was manually updated to add only the
taskGitCredentials types (verified against staging). Other schema
changes present on staging (VOYAGE_4_512, freeAvailableModels removal,
etc.) are intentionally excluded as they require separate PRs.
Co-Authored-By: Oz <oz-agent@warp.dev>
Description
Phase 2 of REMOTE-1370: adds the driver-side changes needed to fetch GitHub credentials at runtime and refresh them periodically, keeping long-running cloud agents authenticated for their full duration.
What:
- taskGitCredentials GraphQL query on the client, verified against the staging server (Phase 1 schema types)
- driver/git_credentials.rs module that writes ~/.git-credentials and ~/.config/gh/hosts.yaml atomically, configures git identity and credential.helper store, and provides an infinite refresh_loop future
- fetch_secrets_and_attachments now calls taskGitCredentials in parallel with existing fetches and writes credentials + git config at startup
- run_internal now races harness execution against the credential refresh loop via futures::select! for both the Oz and ThirdParty harness paths; the refresh future is dropped automatically when the harness completes
Why: GitHub tokens expire after 1 hour. Before this change there was no way to refresh them in a running sandbox, so any agent run longer than 1 hour lost GitHub access silently.
Note on schema.graphql: The taskGitCredentials types were added manually (not via yarn generate) because other staging schema changes were present and need separate PRs. The types were verified by running yarn generate -p staging and confirming they match exactly.
This PR should not merge until Phase 1 (warp-server) is deployed and stable.
See specs/REMOTE-1370/TECH.md in warp-server for the full design.
Linked Issue
Linear: REMOTE-1370
Testing
- cargo nextest run --no-fail-fast -p warp)
- cargo fmt and cargo clippy clean
Agent Mode
Conversation: https://staging.warp.dev/conversation/e16dc3e2-8e2f-4499-8c9b-59b200e17c50
Co-Authored-By: Oz oz-agent@warp.dev
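The atomic credential-file write listed in the description, sketched as an added example (this is not code from the PR, whose diff is not shown on this page). It assumes a Unix target; the function names, the temp-file naming and the sample host, username and token are constructed for illustration.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;

/// One line in the format read by git's credential.helper store.
/// Assumption: username and token need no URL-encoding.
fn credential_line(host: &str, username: &str, token: &str) -> String {
    format!("https://{}:{}@{}\n", username, token, host)
}

/// Replace `path` so a concurrent git process reads either the old token or
/// the new one, never a truncated file.
fn write_atomic_private(path: &Path, contents: &str) -> io::Result<()> {
    let bad = || io::Error::new(io::ErrorKind::InvalidInput, "path needs a parent and a file name");
    let dir = path.parent().ok_or_else(bad)?;
    let name = path.file_name().ok_or_else(bad)?;
    fs::create_dir_all(dir)?;
    // Same directory as the target: rename() is atomic only within one filesystem.
    let tmp = dir.join(format!(".{}.tmp.{}", name.to_string_lossy(), std::process::id()));
    let result = (|| -> io::Result<()> {
        let mut f = OpenOptions::new()
            .write(true)
            .create_new(true) // O_EXCL: refuse a pre-existing file or symlink
            .mode(0o600) // owner-only from creation, no window with wider access
            .open(&tmp)?;
        f.write_all(contents.as_bytes())?;
        f.sync_all()?; // data is on disk before the rename publishes it
        fs::rename(&tmp, path)
    })();
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // leave no token behind in a stray temp file
    }
    result
}

fn main() -> io::Result<()> {
    // Constructed sample values; a real token would come from the server.
    let path = std::env::temp_dir().join("git-credentials-demo").join(".git-credentials");
    write_atomic_private(&path, &credential_line("github.com", "octo-bot", "ghs_EXAMPLE"))?;
    println!("wrote {}", path.display());
    Ok(())
}
```

Because credential.helper store keeps the token in plaintext, the file mode is set when the temp file is created rather than with a later chmod.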