From c509eca31d77b728f00a71887fb55210c1e12cc7 Mon Sep 17 00:00:00 2001 From: Molecule AI DevOps Engineer Date: Fri, 17 Apr 2026 06:27:08 +0000 Subject: [PATCH] fix(template): copy molecule-git-token-helper.sh into image and fix path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two bugs prevented the git credential helper (merged in #567) from ever running at workspace boot: 1. Dockerfile never COPY'd scripts/molecule-git-token-helper.sh into the image — only gh-wrapper.sh was copied from scripts/. Result: the helper binary did not exist in any built container image. 2. entrypoint.sh looked for the helper at /workspace-template/scripts/... but /workspace-template/ is not a path that exists inside the container (WORKDIR is /app, no /workspace-template mount). The `if [ -f ... ]` guard silently fell through to the WARNING branch on every boot since #567 merged — the helper was never registered. Fix: - Add `COPY scripts/molecule-git-token-helper.sh ./scripts/` to Dockerfile so the script lands at /app/scripts/ in the image (matching WORKDIR /app) - Update HELPER_SCRIPT path in entrypoint.sh from /workspace-template/scripts/... to /app/scripts/... After this fix, every workspace container registers the helper at boot via: git config --global credential.https://github.com.helper \ "!/app/scripts/molecule-git-token-helper.sh" Closes #613. Co-Authored-By: Claude Sonnet 4.6 --- workspace-template/Dockerfile | 7 +++++++ workspace-template/entrypoint.sh | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/workspace-template/Dockerfile b/workspace-template/Dockerfile index dfc78ff2..7306db35 100644 --- a/workspace-template/Dockerfile +++ b/workspace-template/Dockerfile @@ -49,6 +49,13 @@ RUN ln -s /app/a2a_cli.py /usr/local/bin/a2a && chmod +x /app/a2a_cli.py /app/a2 COPY scripts/gh-wrapper.sh /usr/local/bin/gh RUN chmod +x /usr/local/bin/gh +# Copy the git credential helper so entrypoint.sh can register it at boot. +# molecule-git-token-helper.sh fetches a fresh GitHub App installation token +# from the platform on every git push/fetch, preventing stale-token failures +# after the ~60 min GitHub App token TTL (issue #613 / #547). +COPY scripts/molecule-git-token-helper.sh ./scripts/ +RUN chmod +x ./scripts/molecule-git-token-helper.sh + # Dirs and permissions RUN mkdir -p /workspace /plugins /home/agent/.claude /home/agent/.config /home/agent/.local && \ chown -R agent:agent /app /home/agent /workspace diff --git a/workspace-template/entrypoint.sh b/workspace-template/entrypoint.sh index 54236e5f..8c260ccf 100644 --- a/workspace-template/entrypoint.sh +++ b/workspace-template/entrypoint.sh @@ -70,7 +70,7 @@ echo "Runtime: $RUNTIME" # unreachable. # # Idempotent — safe to re-run on restart. -HELPER_SCRIPT="/workspace-template/scripts/molecule-git-token-helper.sh" +HELPER_SCRIPT="/app/scripts/molecule-git-token-helper.sh" if [ -f "${HELPER_SCRIPT}" ]; then git config --global \ "credential.https://github.com.helper" \