
fix: coderabbit pulse gh auth fails in cron (no keyring access) #1288

Merged
alex-solovyev merged 1 commit into main from bugfix/cron-gh-auth
Feb 12, 2026

@marcusquinn (Owner) commented Feb 12, 2026

Summary

  • Fix coderabbit-pulse-helper.sh failing every 2 minutes in cron because it relied solely on gh auth status (requires macOS keyring, unavailable in cron)
  • Check GH_TOKEN env var before falling back to gh auth status, matching the pattern already used by supervisor-helper.sh and issue-sync-helper.sh
  • Improve status display to show auth method (GH_TOKEN vs keyring)

Root Cause

The supervisor's GH_TOKEN resolution chain (env > cache > gh auth token > gopass > credentials.sh) correctly populates GH_TOKEN and caches it. But coderabbit-pulse-helper.sh was the only script that didn't check GH_TOKEN before calling gh auth status, causing it to fail in cron where the macOS keyring is inaccessible.

Summary by CodeRabbit

  • Refactor

    • Restructured code formatting, organization, and control flow throughout helper scripts for enhanced readability and maintainability while preserving all existing functionality.
  • New Features

    • Added support for GH_TOKEN environment variable to enable GitHub API authentication using credentials passed through environment variables.

The cron pulse was failing every 2 minutes because coderabbit-pulse-helper.sh
relied solely on 'gh auth status' which requires macOS keyring access. In cron
environments, the keyring is unavailable even though supervisor-helper.sh
correctly resolves GH_TOKEN from its cache file.

Fix: check GH_TOKEN env var before falling back to gh auth status, matching
the pattern already used by supervisor-helper.sh and issue-sync-helper.sh.
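
The failure mode and the fix described above, as an added example that is not code from this PR or from the project: a keyring-only check next to a GH_TOKEN-first check, both run under a simulated cron environment. The `gh` stub, the function names and the token value are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the project's code). Function names are hypothetical.

# Stub for the gh CLI so the example runs offline. KEYRING_OK=1 simulates
# an interactive session; unset simulates cron, where the keyring lookup
# behind `gh auth status` fails.
gh() {
	if [ "${1:-} ${2:-}" = "auth status" ]; then
		[ "${KEYRING_OK:-0}" = "1" ]
		return
	fi
	return 1
}

# Before the fix: rely solely on `gh auth status`.
check_auth_keyring_only() {
	gh auth status >/dev/null 2>&1
}

# After the fix: accept GH_TOKEN first, then fall back to the keyring.
# Prints the auth method only, never the token value.
check_auth_token_first() {
	if [ -n "${GH_TOKEN:-}" ]; then
		echo "GH_TOKEN"
		return 0
	fi
	if gh auth status >/dev/null 2>&1; then
		echo "keyring"
		return 0
	fi
	return 1
}

# Run a check the way cron would: no keyring, and GH_TOKEN present only
# when a (constructed) token is passed as the second argument.
simulate_cron() {
	(
		unset KEYRING_OK GH_TOKEN
		if [ -n "${2:-}" ]; then
			GH_TOKEN="$2"
			export GH_TOKEN
		fi
		"$1"
	)
}
```

The token-first check only proves that a token is present, not that it is still valid; an expired token is caught by the first real API call.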

@coderabbitai coderabbitai bot (Contributor) commented Feb 12, 2026

Walkthrough

The shell script refactors function bodies with multiline local variable blocks and improved formatting throughout. Notably, GitHub API authentication handling is enhanced to accept GH_TOKEN environment variables, and the command runner introduces explicit option parsing for --repo, --force, and --quiet flags. Core logic paths remain unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Shell Script Refactoring & Auth Enhancement: .agents/scripts/coderabbit-pulse-helper.sh | Comprehensive reformatting with multiline local variable declarations; helper functions (print_info, print_success, print_warning, print_error) restructured for readability. Enhanced GitHub authentication in run_gh_api_review to support GH_TOKEN environment variable. cmd_run updated with explicit option parsing (--repo, --force, --quiet). All functions preserve original behavior and control flow logic. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

💬 A script refined with care and grace,
Local vars now hold their rightful place,
GitHub tokens flow through cleaner air,
Options parsed with DevOps flair,
Zero debt, A-grade all the way! 🚀

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main fix: adding GH_TOKEN environment variable support to resolve GitHub authentication failures in cron environments where keyring access is unavailable. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 81.25% which is sufficient. The required threshold is 80.00%. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |


@github-actions

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 0 code smells

[INFO] Recent monitoring activity:
Thu Feb 12 19:52:14 UTC 2026: Code review monitoring started
Thu Feb 12 19:52:14 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 0

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 0
  • VULNERABILITIES: 0

Generated on: Thu Feb 12 19:52:17 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.agents/scripts/coderabbit-pulse-helper.sh:
- Around line 139-141: The function run_gh_api_review currently only reads local
output_file="$1" but is called with three args (repo_path, output_file,
repo_id); change run_gh_api_review to accept explicit parameters (e.g., local
repo_path="$1" local output_file="$2" local repo_id="$3") and update all
references inside the function that rely on caller scope (uses of repo_id in the
body) to use the new local repo_id variable; ensure the call site passes the
three arguments in the correct order ("$repo_path" "$output_file" "$repo_id") so
the JSON write and other operations target the intended output path and repo id.
- Around line 74-85: The SSH remote parsing never runs because you overwrite
remote_url before checking its original form; preserve the original value (e.g.,
save remote_url to orig_remote or pre_strip) before you strip the .git suffix
into cleaned, then change the SSH-detection conditional to compare cleaned
against the preserved original (use the preserved var in the glob test instead
of "$remote_url") so the `${cleaned#*:}` branch executes for SSH URLs and
get_repo_id returns owner/repo.
🧹 Nitpick comments (1)
.agents/scripts/coderabbit-pulse-helper.sh (1)

147-153: Core fix looks correct — redundant redirect on line 150.

The GH_TOKEN-first authentication check is the right approach for cron environments. However, &>/dev/null 2>&1 is redundant — &>/dev/null already redirects both stdout and stderr. The trailing 2>&1 is a no-op.

✨ Remove redundant redirect
-	if [[ -z "${GH_TOKEN:-}" ]] && ! gh auth status &>/dev/null 2>&1; then
+	if [[ -z "${GH_TOKEN:-}" ]] && ! gh auth status &>/dev/null; then
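
Review bot: The `-z "${GH_TOKEN:-}"` test on the `if` line only proves the variable is non-empty, so a stale or revoked token passes this gate and the failure first shows up in the later `gh issue list ... 2>/dev/null || echo ""` call, where it is silenced and reads as "no tracking issue". Suggest following the presence check with one cheap authenticated call, or no longer discarding stderr on the first `gh` call, so that an auth failure under cron is logged instead of hidden.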

As per coding guidelines, "Run ShellCheck with zero violations on all scripts in .agents/scripts/"

Comment on lines +74 to +85
# Extract owner/repo from various URL formats
# Remove .git suffix and protocol prefix, then get last two path segments
local cleaned
cleaned="${remote_url%.git}"
# Remove protocol (https://github.com/ or git@github.com:)
cleaned="${cleaned#*://*/}" # https://host/owner/repo -> owner/repo
if [[ "$cleaned" == "$remote_url"* ]]; then
# SSH format: git@host:owner/repo
cleaned="${cleaned#*:}"
fi
echo "$cleaned"
return 0
⚠️ Potential issue | 🔴 Critical

Bug: SSH remote URL is never correctly parsed to owner/repo.

Line 80 compares $cleaned (.git already stripped) against $remote_url (still contains .git), so the glob "$remote_url"* can never match when the URL was SSH-format. The SSH-specific ${cleaned#*:} cleanup on line 82 is therefore dead code, and get_repo_id will return git@github.com:owner/repo for SSH remotes — breaking every downstream gh command that expects owner/repo.

Save the pre-removal value and compare against that instead:

🐛 Proposed fix
 	# Remove protocol (https://github.com/ or git@github.com:)
-	cleaned="${cleaned#*://*/}" # https://host/owner/repo -> owner/repo
-	if [[ "$cleaned" == "$remote_url"* ]]; then
+	local cleaned_before="$cleaned"
+	cleaned="${cleaned#*://*/}" # https://host/owner/repo -> owner/repo
+	if [[ "$cleaned" == "$cleaned_before" ]]; then
 		# SSH format: git@host:owner/repo
 		cleaned="${cleaned#*:}"
 	fi
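
Review bot: The `[[ "$cleaned" == "$cleaned_before" ]]` test treats every remote that did not contain `://` as SSH form, and the value is then echoed without any check that it has the shape `owner/repo`. The comment above this block says "get last two path segments", but nothing here trims to two segments, so a remote with extra path components is handed to `--repo` unchanged. Suggest matching the result against an `owner/repo` pattern before `echo "$cleaned"` and returning non-zero when it does not match.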

Comment on lines 139 to +141
run_gh_api_review() {
local output_file="$1"

if ! command -v gh &>/dev/null; then
print_error "Neither CodeRabbit CLI nor gh CLI available"
return 1
fi

# Check if gh is authenticated
if ! gh auth status &>/dev/null 2>&1; then
print_error "gh CLI not authenticated"
return 1
fi

print_info "Triggering CodeRabbit review via GitHub API..."

# Strategy: Find or create a tracking issue for daily reviews
local tracking_label="coderabbit-pulse"
local tracking_issue

# Look for existing open tracking issue
tracking_issue=$(gh issue list --repo "$repo_id" --label "$tracking_label" --state open --json number --jq '.[0].number // empty' 2>/dev/null || echo "")

if [[ -z "$tracking_issue" ]]; then
# Create the tracking label if it doesn't exist
gh label create "$tracking_label" --repo "$repo_id" --description "Daily CodeRabbit pulse review tracking" --color "7057ff" 2>/dev/null || true

# Create tracking issue (gh issue create returns URL, extract number)
local issue_url
issue_url=$(gh issue create --repo "$repo_id" \
--title "Daily CodeRabbit Pulse Review" \
--body "This issue tracks daily full codebase reviews by CodeRabbit.
local output_file="$1"

⚠️ Potential issue | 🔴 Critical

Bug: run_gh_api_review receives wrong arguments — output_file gets the repo path.

run_gh_api_review declares only one parameter (output_file="$1", line 140), but the call site on line 313 passes three arguments: "$repo_path" "$output_file" "$repo_id". This means $1 inside the function is the repo path, not the output file. The JSON written on line 205 will target the wrong path.

Additionally, $repo_id is used throughout the function body (lines 162, 166, 170, 176, 201) via dynamic scoping from the caller rather than as an explicit parameter — this is fragile.

🐛 Proposed fix — accept all needed parameters explicitly
 run_gh_api_review() {
-	local output_file="$1"
+	local repo_path="$1"
+	local output_file="$2"
+	local repo_id="$3"
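
Review bot: With the three-parameter signature, `repo_path` is assigned on the first added line but is not referenced anywhere in the function body shown on this page, which ShellCheck reports as an unused variable (SC2034) while the guideline quoted in this review asks for zero violations. Either drop that argument at the call site and take only `output_file` and `repo_id`, or use `repo_path` in the body. It is also worth failing early on a short argument list, for example `local output_file="${2:?output_file required}"`, so a mismatched call cannot write the JSON to an unintended path again.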

Or, fix the call site to match the current single-parameter signature:

-	elif run_gh_api_review "$repo_path" "$output_file" "$repo_id"; then
+	elif run_gh_api_review "$output_file"; then

If choosing the second option, document that $repo_id is expected from the caller's scope, though the first option (explicit params) is strongly preferred for maintainability.

As per coding guidelines, "Use local var="$1" pattern in shell scripts"

Also applies to: 313-313


@alex-solovyev alex-solovyev merged commit a731926 into main Feb 12, 2026
19 checks passed
@marcusquinn marcusquinn added the code-reviews-actioned All review feedback has been actioned label Mar 7, 2026