forked from molecule-ai/molecule-core
Addresses FLAG 1 and FLAG 2 from the 7-Gate review on PR #20.

FLAG 1 (token persisted on disk): Previous: `git clone https://x-access-token:${GITHUB_TOKEN}@github.com/...` wrote the full tokenized URL into /workspace/repo/.git/config as `[remote "origin"] url = …`. Token survived container restarts on any bind-mounted workspace_dir. Fix: after clone, `git remote set-url origin https://github.com/${GITHUB_REPO}.git` scrubs the token from the remote URL. Token is only in the clone command's argv (transient) and not persisted on disk. Falls back to anonymous for public repos.

FLAG 2 (docs not updated): Added GITHUB_REPO and GITHUB_TOKEN entries under a new 'GitHub' section in .env.example with notes about (a) what they're read for, (b) that GITHUB_TOKEN should be registered as a global secret via POST /admin/secrets, (c) how it's handled to avoid on-disk persistence.

FLAG 3 (per-workspace gating) is deferred to a separate issue — it's a platform design question about secret scope/ACLs, not a template fix.
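The clone-then-scrub pattern from the commit message, plus a post-clone check that no credential survives in `.git/config`, as an added example (not code from the PR or the molecule-core project). The repo name `acme/widgets` and the token value are constructed placeholders, and the offline demo stands in for the network clone with a local `git init` whose origin is set to the same tokenized URL the old clone command persisted.

```shell
#!/bin/sh
# Added example, not from the PR: clone with the token only in argv, scrub the
# persisted remote URL, and verify the on-disk config is credential-free.
set -eu

# Clone as the old template did (token in the URL, so only in argv), then
# immediately rewrite origin to the plain public URL. Empty token = anonymous.
clone_and_scrub() {  # clone_and_scrub <owner/name> <token-or-empty> <dest>
  repo=$1; token=$2; dest=$3
  if [ -n "$token" ]; then
    git clone -q "https://x-access-token:${token}@github.com/${repo}.git" "$dest"
  else
    git clone -q "https://github.com/${repo}.git" "$dest"
  fi
  scrub_remote "$dest" "$repo"
}

# The fix itself: replace whatever origin URL git persisted with the
# credential-free one, so a bind-mounted workspace never holds the token.
scrub_remote() {  # scrub_remote <repo-dir> <owner/name>
  git -C "$1" remote set-url origin "https://github.com/${2}.git"
}

# Check: succeeds (exit 0) if any remote URL in the working copy's config
# carries userinfo of the form user:secret@host; fails (exit 1) if clean.
# Checks every remote, not just origin.
config_has_credential() {  # config_has_credential <repo-dir>
  git -C "$1" config --get-regexp '^remote\..*\.url$' |
    grep -Eq '://[^/@[:space:]]+:[^/@[:space:]]+@'
}

# Offline demo: reproduce the tokenized origin the old clone left behind
# (constructed repo name and placeholder token), scrub it, and re-check.
# Returns 0 when the scrub removed the credential, non-zero otherwise.
demo() {  # demo <scratch-dir>
  d=$1/repo; repo=acme/widgets; token=CONSTRUCTED_PLACEHOLDER_TOKEN
  git init -q "$d"
  git -C "$d" remote add origin "https://x-access-token:${token}@github.com/${repo}.git"
  config_has_credential "$d" || return 2   # before: credential is on disk
  scrub_remote "$d" "$repo"
  ! config_has_credential "$d"             # after: config must be clean
}

# Usage:  demo "$(mktemp -d)" && echo "scrub verified"
```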
| Name |
|---|
| backend-engineer |
| competitive-intelligence |
| dev-lead |
| devops-engineer |
| frontend-engineer |
| market-analyst |
| pm |
| qa-engineer |
| research-lead |
| security-auditor |
| technical-researcher |
| uiux-designer |
| .env.example |
| org.yaml |