feat(workspace): add /configs/.github-token static-token fallback

When platform /github-installation-token returns 500 (GitHub App unconfigured or token expired), operators can place a PAT in /configs/.github-token to keep git/ gh ops running. This is a pure additive step-4 fallback — cache is NEVER written for static tokens so recovery always reads fresh. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 22:46:14 +00:00 · 2026-05-08 22:46:14 +00:00 · d03fec794e
commit d03fec794e
parent c94ead1953
1 changed files with 15 additions and 2 deletions
--- a/workspace/scripts/molecule-git-token-helper.sh
+++ b/workspace/scripts/molecule-git-token-helper.sh
@ -46,8 +46,10 @@
 # 2. Fetch fresh token from platform API.
 # 3. If platform is unreachable, fall back to GITHUB_TOKEN / GH_TOKEN
 #    env var (set at container start, valid for up to 60 min).
-# 4. If all fail, exit 1 so git falls through to the next credential
-#    helper in the chain (if any).
+# 4. If all fail, fall back to a static PAT written by the infra operator
+#    at ${CONFIGS_DIR}/.github-token (helps when platform
+#    /github-installation-token returns 500 due to GitHub App misconfiguration).
+#    Cache is NEVER written for static tokens — recovery is always fresh.
 #
 # # gh CLI integration
 #
@ -222,6 +224,17 @@ _fetch_token() {
        return 0
    fi

+    # 4. Fall back to static token file (written by infra operator).
+    static_token_file="${CONFIGS_DIR:-/configs}/.github-token"
+    if [ -f "${static_token_file}" ]; then
+        static_token=$(cat "${static_token_file}" | tr -d '[:space:]')
+        if [ -n "${static_token}" ]; then
+            echo "[molecule-git-token-helper] API unreachable, falling back to static token file" >&2
+            echo "${static_token}"
+            return 0
+        fi
+    fi
+
    echo "[molecule-git-token-helper] all token sources exhausted" >&2
    return 1
 }