[codex] Mask repo token for mise release lookups#5813
Conversation
Reserve the setup-pin repair lane after #5800 exposed shared mise/aqua 404 failures for uv and actionlint.

Validation:
- git diff --check

Agency-Signature-Version: 1
Agent: Vera
Agent-Runtime: OpenAI Codex
Agent-Model: GPT-5
Credential-Identity: AceHack
Credential-Mode: shared
Human-Review: not-implied-by-credential
Human-Review-Evidence: none
Action-Mode: autonomous-fail-open
Task: task-setup-mise-tool-pins-20260528
Co-Authored-By: Codex <noreply@openai.com>
GitHub Actions exposes a repository-scoped GITHUB_TOKEN. mise's aqua backend reuses that token for public release metadata in external repositories such as astral-sh/uv, koalaman/shellcheck, and rhysd/actionlint; GitHub returns 404 for those cross-repo calls under the repo token.

Mask GITHUB_TOKEN only for the mise install call when running in GitHub Actions and no dedicated MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is provided. Dedicated mise tokens still win; otherwise mise falls back to public release lookups instead of poisoned authenticated ones.

Validation:
- bash -n tools/setup/common/mise.sh
- git diff --check
- actionlint .github/workflows/gate.yml
- GITHUB_ACTIONS=true GITHUB_TOKEN=invalid-token ./tools/setup/common/mise.sh

Agency-Signature-Version: 1
Agent: Vera
Agent-Runtime: OpenAI Codex
Agent-Model: GPT-5
Credential-Identity: AceHack
Credential-Mode: shared
Human-Review: not-implied-by-credential
Human-Review-Evidence: none
Action-Mode: autonomous-fail-open
Task: task-setup-mise-tool-pins-20260528
Co-Authored-By: Codex <noreply@openai.com>
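The masking rule described in the commit above, written out as an added shell example (this is not the project's tools/setup/common/mise.sh; it only assumes the environment variable names the commit names: GITHUB_ACTIONS, GITHUB_TOKEN, MISE_GITHUB_TOKEN and GITHUB_API_TOKEN, and a GitHub Actions convention of GITHUB_ACTIONS=true). The decision is kept in its own function so it can be exercised without running mise, and the token is dropped in a subshell so later workflow steps still see it:

```bash
#!/usr/bin/env bash
# Added illustration of the GITHUB_TOKEN masking rule; not the project's own script.
# Assumed variable names (from the commit message): GITHUB_ACTIONS, GITHUB_TOKEN,
# MISE_GITHUB_TOKEN, GITHUB_API_TOKEN.
set -euo pipefail

# should_mask_github_token: prints "yes" when the repo-scoped Actions token would be
# the only token mise could pick up, "no" otherwise. Masking applies only when
#   - we are inside GitHub Actions,
#   - no dedicated mise token (MISE_GITHUB_TOKEN or GITHUB_API_TOKEN) is set, and
#   - GITHUB_TOKEN is actually present (nothing to mask otherwise).
should_mask_github_token() {
  if [ "${GITHUB_ACTIONS:-}" != "true" ]; then
    echo no
    return 0
  fi
  if [ -n "${MISE_GITHUB_TOKEN:-}" ] || [ -n "${GITHUB_API_TOKEN:-}" ]; then
    echo no
    return 0
  fi
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    echo no
    return 0
  fi
  echo yes
}

# run_mise_install: runs the given command (intended use: mise install) with
# GITHUB_TOKEN unset only when masking applies. The unset happens in a subshell,
# so the caller's GITHUB_TOKEN is untouched and later steps can still use it.
run_mise_install() {
  if [ "$(should_mask_github_token)" = yes ]; then
    ( unset GITHUB_TOKEN; "$@" )
  else
    "$@"
  fi
}

# Typical use in the setup script:
#   run_mise_install mise install
```

Unauthenticated GitHub release lookups are subject to the lower per-IP API rate limit, so on busy shared runners the dedicated-token path (MISE_GITHUB_TOKEN) is still the one to prefer; the masking only removes the wrong-scope token, it does not add a right-scope one.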
Pull request overview
This PR adjusts CI setup so mise install does not use the repository-scoped GitHub Actions token for cross-repository aqua release lookups, avoiding misleading 404 failures during toolchain installation.
Changes:
- Masks GITHUB_TOKEN around mise install in GitHub Actions when no dedicated mise/GitHub API token is configured.
- Updates gate.yml comments to document the token masking behavior.
- Adds an active claim file for the setup/mise repair work.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tools/setup/common/mise.sh | Adds conditional GITHUB_TOKEN removal for mise install in Actions. |
| .github/workflows/gate.yml | Updates workflow comments explaining token scope and mise behavior. |
| docs/claims/task-setup-mise-tool-pins-20260528.md | Adds the active claim record for this work. |
CI stack update, 2026-05-28T13:31Z
PR #5813 setup-token fix is validated by the completed run: setup-heavy lint jobs now install tools and reach their real scripts. Remaining #5813 blockers are confirmed from failed logs:
Current safe route: do not rerun #5800/#5808 lint jobs until the setup-token fix is available on their tested ref, and do not edit their owned path sets from #5813. The next coordination move is a shared/stack branch that contains #5800 + #5808 + #5813, or landing those repairs in dependency order once CI can observe the setup fix.
Per docs/claims/README.md: live claims under docs/claims/ are released by deleting the file in the same PR that lands the work. The implementation lands in this PR (gate.yml + mise.sh); deleting the active claim file. Resolves Copilot review thread on PR #5813. Co-Authored-By: Claude <noreply@anthropic.com>
Addressed Copilot finding in 99962a9: deleted the claim file per docs/claims/README.md release-protocol. Thread resolved; arming auto-merge. Co-Authored-By: Claude <noreply@anthropic.com>
Update the copied lean-proof workflow comment to match gate.yml: the repo-scoped Actions token remains available to steps, but setup/common/mise.sh masks it during mise install unless a dedicated mise token is supplied. Addresses the unresolved Copilot config-drift thread on PR #5813.

Validation:
- git diff --check
- actionlint .github/workflows/lean-proof.yml

Agency-Signature-Version: 1
Agent: Codex Background Service
Agent-Runtime: OpenAI Codex
Agent-Model: GPT-5
Credential-Identity: AceHack
Credential-Mode: shared
Human-Review: not-implied-by-credential
Human-Review-Evidence: none
Action-Mode: autonomous-fail-open
Task: task-setup-mise-tool-pins-20260528
Co-Authored-By: Codex <noreply@openai.com>
Codex-Origin: codex-launchd-loop
Codex-Surface: codex-background-service
Codex-Loop-Run-Id: 20260528T142510Z
Summary
Why
#5800 showed many lint jobs failing before their checks ran because mise/aqua used the workflow GITHUB_TOKEN against external release endpoints for uv, shellcheck, and actionlint. The release tags exist; the token scope is the problem.
Validation
Draft because the active claim file remains on the branch and should be removed before merge.