fix(sync): Use token-authenticated URL for git push to consumer repos#228
The sync workflow was failing with 'could not read Username for https://github.com' because the consumer repo clone (via gh) doesn't inherit git credentials for push operations.

Fix by pushing directly with the token embedded in the URL:

    git push https://x-access-token:${GH_TOKEN}@github.com/$repo.git

This ensures the SYNC_TOKEN is used for authentication when pushing to each consumer repository.
Pull request overview
This PR fixes authentication failures in the Maint 68 Sync Consumer Repos workflow that occurred when pushing changes to consumer repositories. The workflow was failing with "could not read Username" errors because cloned repositories didn't inherit git credentials for push operations.
Key Changes:
- Updated git push command to use token-embedded URL for direct authentication
- Added git credential helper configuration (though redundant with the new push approach)
| # Configure git with token-based authentication for push | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git config credential.helper store | ||
| echo "https://x-access-token:${GH_TOKEN}@github.com" > ~/.git-credentials |
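Review bot: The `echo ... > ~/.git-credentials` line leaves the token in a plaintext file that is created with the default umask, overwrites whatever the file already held, and is never removed, so it remains in the runner's home directory for every later step of the job. If the store helper is kept, set `umask 077` before the write and delete the file at the end of the step. Separately, `git config credential.helper store` is written without `--global`, so it only takes effect in whichever repository is the current directory at this point, which may not be the consumer clone that is pushed later.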
The git credential helper configuration is redundant since the push command on line 705 uses a token-embedded URL directly. When using a token-embedded URL, git doesn't need to look up credentials from the credential helper. These lines can be removed to simplify the code and avoid writing credentials to disk unnecessarily.
| # Configure git with token-based authentication for push | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config credential.helper store | |
| echo "https://x-access-token:${GH_TOKEN}@github.com" > ~/.git-credentials | |
| # Configure git identity for commits | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" |
| # Configure git with token-based authentication for push | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git config credential.helper store | ||
| echo "https://x-access-token:${GH_TOKEN}@github.com" > ~/.git-credentials |
Storing credentials in ~/.git-credentials creates a security risk in GitHub Actions. Even though the runner is ephemeral, credentials should not be written to disk when they can be passed directly in the command (as done on line 705). Additionally, the format is incorrect - the file should contain the full URL including the protocol, but this line is missing the path component after the domain. The correct format would be "https://x-access-token:${GH_TOKEN}@github.com" as a complete line.
| # Configure git with token-based authentication for push | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config credential.helper store | |
| echo "https://x-access-token:${GH_TOKEN}@github.com" > ~/.git-credentials | |
| # Configure git author for commit | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" |
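A third option alongside the two discussed in the review comments above, shown as an added example that is not code from this PR: an inline credential helper that reads `GH_TOKEN` from the environment only when git asks for credentials, so the token is neither written to `~/.git-credentials` nor embedded in the push URL. The names `TOKEN_HELPER`, `push_with_env_token` and `resolve_credentials` are assumptions made for this example.

```shell
# Added example, not part of the PR. Assumes the workflow step exports GH_TOKEN.

# Inline credential helper. Git runs the text after "!" through sh and appends
# the operation name (get/store/erase). The single quotes keep ${GH_TOKEN}
# unexpanded here, so the secret value never lands in git config, in the
# process arguments, or in the remote URL; sh expands it only when git asks.
TOKEN_HELPER='!f() { test "$1" = get || return 0; echo "username=x-access-token"; echo "password=${GH_TOKEN}"; }; f'

# Push a branch to a consumer repo over a clean URL (no embedded secret).
#   $1 = owner/name of the consumer repo, $2 = branch to push
# The empty credential.helper entry clears helpers inherited from system or
# user config, so only the env-backed helper is consulted.
push_with_env_token() {
  GIT_TERMINAL_PROMPT=0 git \
    -c credential.helper= \
    -c credential.helper="$TOKEN_HELPER" \
    push "https://github.com/$1.git" "$2"
}

# Offline check: print the credentials git would present to github.com with
# this helper, without contacting the network or touching the disk.
resolve_credentials() {
  printf 'protocol=https\nhost=github.com\n\n' |
    GIT_TERMINAL_PROMPT=0 git \
      -c credential.helper= \
      -c credential.helper="$TOKEN_HELPER" \
      credential fill
}
```

Because the helper is passed with `-c`, it applies to that single git invocation and leaves no configuration behind in the clone.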
Automated Status Summary
Head SHA: 8aedd66
Updated automatically; will refresh on subsequent CI/Docker completions.
Keepalive checklist: Scope: No scope information available
🤖 Keepalive Loop Status: PR #228 | Agent: Codex | Iteration 0/5
🔍 Failure Classification: Error type: infrastructure
Five interacting bugs caused the keepalive loop to prematurely stop productive Codex agents on PRs #223, #224, #225, #228:

1. Off-by-one task credit: updateKeepaliveLoopSummary used stale checkbox counts from the evaluate step (before autoReconcile ran). Now re-reads the live PR body after autoReconcile and recalculates rounds_without_task_completion with authoritative counts.
2. agent:retry doesn't reset counters: adding the label bypassed max_iterations but left rounds_without_task_completion and consecutive_zero_activity_rounds at their stale values, causing the agent to hit progress-review or stop after one more quiet round. Now resets both counters when forceRetry is active.
3. totalsStable gate zeroed legitimate credit: when parent-child cascade or manual edits changed the total checkbox count, tasksCompletedSinceLastRound was forced to 0 even when tasks were genuinely completed. Removed the totalsStable gate — any positive unchecked-count delta now counts as progress.
4. Two-round productivity memory: productivityScore only considered last_files_changed and prev_files_changed. An agent with a strong track record was treated as unproductive after 2 quiet rounds. Added a cumulative total_tasks_completed counter that gives credit for historical productivity.
5. Rolling window caps too small: ATTEMPT_HISTORY_LIMIT (5) and ATTEMPTED_TASK_LIMIT (6) caused loss of historical context and re-suggestion of already-tried tasks. Raised both to 20.

Also adds an append-only, collapsible Work Log comment per PR that records every keepalive round (agent, action, result, files changed, tasks credited, commit, gate status). This provides complete observability without the 5-entry rolling window limitation.

https://claude.ai/code/session_012WnYCcttvFEY3FETnhVcNL
Addresses 6 root causes identified in PR #228 post-mortem where the coding agent claimed 42/42 tasks complete when multiple acceptance criteria were unmet:

Fix 1 - Require verification PASS before stopping: The stop decision now requires the verifier to return PASS. If verification fails, the agent is re-run to fix gaps (up to 2 attempts). Previously, verification was attempted once and ignored on failure.

Fix 2 - Raise confidence thresholds in analyzeTaskCompletion: Keyword match threshold raised from 0.35 to 0.50 for HIGH confidence. Now requires 2+ matching words (not just percentage) to avoid single-word false positives. fileMatch tightened to require 2+ keywords or explicit file references. commitMatch requires 2+ substantive words.

Fix 3 - Gate cascade logic for acceptance criteria: cascadeParentCheckboxes now detects acceptance criteria section headings and disables cascading within them. Each acceptance criterion must be independently checked — a checked parent no longer auto-checks children in acceptance sections.

Fix 5 - Different verifier context: Verification steps now switch to the alternate agent (codex→claude or claude→codex) to avoid the structural problem where the same model that produced the work also verifies it. Configurable via verifier_agent.

Fix 6 - Mechanical scope enforcement: New extractScopePatterns/validateScopeCompliance functions parse file patterns from the scope section and validate the PR diff against them. Scope violations block the tasks-complete stop decision. The verifier prompt now includes a mandatory Scope Check section.

Fix 7 - Separate task/acceptance criteria tracking: Tasks and acceptance criteria are now counted independently. The stop decision requires BOTH allTasksDone AND allCriteriaMet. Auto-reconciliation only operates on task checkboxes, never acceptance criteria.

Also fixes pre-existing duplicate fixAttemptMax declaration in Counter_Risk.

https://claude.ai/code/session_01VtzHmRoYTL2kcxaacDgSqQ
* fix: prevent premature task completion claims in keepalive loop
https://claude.ai/code/session_01VtzHmRoYTL2kcxaacDgSqQ

* chore: sync template scripts

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* fix: prevent premature task completion claims in keepalive loop
https://claude.ai/code/session_01VtzHmRoYTL2kcxaacDgSqQ

* fix: increment verification attempt_count and tighten acceptance heading pattern

Address two bugs identified in sync PR #244 code review:

1. Verification retry logic never incremented attempt_count, causing infinite retry loops on verification failures. Now both 'verify-acceptance' and 'fix-verification-gaps' reasons increment the counter so the exhausted-retries path is reachable.
2. The /acceptance/i heading pattern was overly broad, matching any heading containing "acceptance" (e.g. "User Acceptance Testing"). Changed to /^acceptance$/i for exact match only.

Also updates 3 test expectations to match the stricter task-completion thresholds already in the codebase.

https://claude.ai/code/session_01VtzHmRoYTL2kcxaacDgSqQ

* fix: remove overly broad /^acceptance$/i heading pattern

The bare /^acceptance$/i pattern matched any heading containing only "Acceptance", which could false-positive on headings like "User Acceptance Testing" or "Acceptance Rate Analysis", incorrectly disabling cascade for unrelated sections.

The remaining patterns (/acceptance\s*criteria/i, /definition\s*of\s*done/i, /done\s*criteria/i) are specific enough to correctly identify acceptance criteria sections.

Addresses Copilot review comment on sync PR #244.

https://claude.ai/code/session_01VtzHmRoYTL2kcxaacDgSqQ

---------

Co-authored-by: Claude <noreply@anthropic.com>
Automated Status Summary
Head SHA: 1acaa14
Latest Runs: ❔ in progress — Gate
Required: gate: ❔ in progress