Merge pull request #20 from Molecule-AI/chore/template-private-repo-clone

chore(template): authenticated git clone in initial_prompt when GITHUB_TOKEN is set
2026-04-13 21:33:06 -07:00 · 2026-04-13 21:33:06 -07:00 · 4ffc0eb5ad
commit 4ffc0eb5ad
parent 897fa73952 cd739ef299
2 changed files with 14 additions and 1 deletions
--- a/.env.example
+++ b/.env.example
@ -31,6 +31,10 @@ PLUGINS_DIR=                   # Path to plugins/ directory (default: /plugins i
 # Observability (Awareness)
 # AWARENESS_URL=                         # If set, injected into workspace containers along with a deterministic AWARENESS_NAMESPACE derived from workspace ID. Enables the cross-session memory MCP server.

+# GitHub
+# GITHUB_REPO=owner/repo                 # Target repo for agent initial_prompt clone (e.g. Molecule-AI/molecule-monorepo). Read inside workspace containers.
+# GITHUB_TOKEN=                          # Personal access token / installation token used by agents that clone private repos. Register as a global secret via POST /admin/secrets for propagation to workspace env. Token is used in-URL during clone and then scrubbed from .git/config via `git remote set-url`.
+
 # Webhooks
 # GITHUB_WEBHOOK_SECRET=                 # HMAC secret used to verify incoming GitHub webhook payloads at /webhooks/github.

--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@ -16,7 +16,16 @@ defaults:
  # be ready yet. Keep it local: clone, read, memorize. Wait for tasks.
  initial_prompt: |
    You just started. Set up your environment silently — do NOT contact other agents yet.
-    1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
+    1. Clone the repo (authenticated when GITHUB_TOKEN is available, anonymous otherwise).
+       When a token is present, use it in-URL ONLY for the clone, then immediately scrub
+       the remote URL so the token is never persisted to /workspace/repo/.git/config:
+       if [ -n "$GITHUB_TOKEN" ]; then
+         git clone "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPO}.git" /workspace/repo 2>/dev/null \
+           && (cd /workspace/repo && git remote set-url origin "https://github.com/${GITHUB_REPO}.git") \
+           || (cd /workspace/repo && git pull)
+       else
+         git clone "https://github.com/${GITHUB_REPO}.git" /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
+       fi
    2. Set up git hooks: cd /workspace/repo && git config core.hooksPath .githooks
    3. Read /workspace/repo/CLAUDE.md to understand the project
    4. Read your system prompt at /configs/system-prompt.md to understand your role