Add GitHub PAT setup and devcontainer auth (safety fixes only) #7
Open
…e, atomic sed

- Return early in setup_gh_auth() when GH_TOKEN is invalid, skipping the useless gh auth setup-git call
- Replace sed -i.bak with grep -v + mktemp/mv to avoid .bak file leaks
- Store tokens in macOS Keychain instead of plaintext in shell profile; fall back to plaintext on Linux with a warning
- Add source guard to setup-gh-token.sh for testability
- Add pytest tests for _warn_broad_token() and setup_gh_auth()
- Add bash tests for remove_existing_gh_token() and store_token()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Log stderr from gh auth status on failure for debuggability
- Replace grep/head/cut chain with jq in curl fallback for robust JSON parsing in validate_token()
- chmod 600 shell profile after writing plaintext token on Linux
- Add test for stderr logging and chmod 600 behavior

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

If mv fails, clean up the tmpfile and return non-zero instead of leaving a dangling temp file and continuing with a missing profile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- scripts/setup-gh-token.sh for fine-grained PAT setup with macOS Keychain storage, token validation, and atomic shell-profile edits
- setup_gh_auth() into .devcontainer/post_install.py so containers pick up GH_TOKEN and run gh auth setup-git for HTTPS push/pull
- web3-auditor persona from placeholder to complete (CLAUDE.md, settings)
- claude-container shell function and devcontainer auth instructions
- setup-gh-token.sh and post_install.py

This is a strict subset of #6 — same four commits, without the additional web3-auditor commands/hooks commit. Open it in case we want to land the safety-related review fixes (PAT validation, Keychain storage, atomic sed, mv error handling) independently.

Test plan

- bash tests/test_setup_gh_token.sh
- uv run pytest tests/test_post_install.py
- scripts/setup-gh-token.sh end-to-end with a fine-grained PAT
- GH_TOKEN set; verify gh api user and git push both work

🤖 Generated with Claude Code
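The profile edit that the commit messages above describe (drop the old line with grep -v into a mktemp file, mv it into place, clean up and return non-zero if mv fails, chmod 600 the plaintext result), written out as an added example that is not the PR's own scripts/setup-gh-token.sh. The helper name replace_token_line, the `export GH_TOKEN='...'` line format and the `[A-Za-z0-9_]` token check are assumptions.

```shell
# Added illustration, not the PR's scripts/setup-gh-token.sh.
# Assumptions: the profile stores the token as `export GH_TOKEN='...'`,
# and a valid token contains only [A-Za-z0-9_].

# replace_token_line PROFILE TOKEN   (hypothetical helper name)
# Rewrites PROFILE with any old GH_TOKEN export removed and the new one appended.
replace_token_line() {
    local profile="$1" token="$2" dir tmp rc=0

    # Reject empty tokens and anything that could break out of the quotes.
    case "$token" in
        ''|*[!A-Za-z0-9_]*) return 2 ;;
    esac

    dir=$(dirname -- "$profile")
    # Same directory as the target, so mv is a rename on one filesystem.
    # mktemp creates the file with mode 0600.
    tmp=$(mktemp "$dir/.gh-token.XXXXXX") || return 1

    if [ -f "$profile" ]; then
        # grep -v exits 1 when no lines remain; only a status above 1 is an error.
        grep -v -e '^export GH_TOKEN=' -- "$profile" > "$tmp" || rc=$?
        if [ "$rc" -gt 1 ]; then
            rm -f -- "$tmp"
            return 1
        fi
    fi

    if ! printf "export GH_TOKEN='%s'\n" "$token" >> "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    chmod 600 "$tmp"

    # On failure, remove the temp file and report it; the old profile is untouched.
    if ! mv -f -- "$tmp" "$profile"; then
        rm -f -- "$tmp"
        return 1
    fi
}
```

Because mv replaces the target, a profile that is a symlink ends up as a regular file, and the rewritten profile takes the temp file's 0600 mode rather than its previous one.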