fix: GitHub token refresh — add WorkspaceAuth path for credential helper (#1068)

PR #729 tightened AdminAuth to require ADMIN_TOKEN, breaking the
workspace credential helper which called /admin/github-installation-token
with a workspace bearer token. Tokens expired after 60 min with no refresh.

Fix: Add /workspaces/:id/github-installation-token under WorkspaceAuth
so any authenticated workspace can refresh its GitHub token. Keep the
admin path as backward-compatible alias.

Update molecule-git-token-helper.sh to use the workspace-scoped path
when WORKSPACE_ID is set.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
rabbitblood 2026-04-20 08:30:02 -07:00
parent 16a245f96a
commit b1bb5f838a
2 changed files with 14 additions and 1 deletions


@ -376,7 +376,13 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
// (dev / self-hosted without GITHUB_APP_ID).
{
ghTokH := handlers.NewGitHubTokenHandler(wh.TokenRegistry())
// #1068: moved from AdminAuth to allow any authenticated workspace to
// refresh its GitHub token. The credential helper in containers calls
// this endpoint with a workspace bearer token — AdminAuth (PR #729)
// rejects those, breaking token refresh after 60 min.
// Keep the old path as an alias for backward compat.
r.GET("/admin/github-installation-token", middleware.AdminAuth(db.DB), ghTokH.GetInstallationToken)
wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)
}
// Terminal — shares Docker client with provisioner
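Review bot: The new `wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)` registers the same handler as the admin route, so nothing in this hunk ties the token it returns to the `:id` workspace the caller authenticated for — if the handler hands out the App-wide installation token, every workspace bearer token now obtains GitHub access to all repositories the App is installed on, where before only an admin could. Whether WorkspaceAuth verifies that the bearer token belongs to `:id`, and whether the token registry narrows the token to that workspace's repository, is decided outside the hunk and should be confirmed before this ships. At minimum the route deserves a comment stating the scope, e.g. `// NOTE: the token returned is the App installation token, not narrowed to :id; WorkspaceAuth only proves the caller owns some workspace.`, and ideally the handler should read the workspace id from the path so the registry can mint a repository-scoped token. The admin alias kept on the line above is now redundant with the stricter middleware and could carry a deprecation comment with a removal target. Setup continues outside the hunk.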


@ -53,7 +53,14 @@ set -euo pipefail
PLATFORM_URL="${PLATFORM_URL:-http://platform:8080}"
CONFIGS_DIR="${CONFIGS_DIR:-/configs}"
TOKEN_FILE="${CONFIGS_DIR}/.auth_token"
ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
# #1068: use workspace-scoped path (WorkspaceAuth) instead of admin path
# (AdminAuth rejects workspace bearer tokens since PR #729).
WORKSPACE_ID="${WORKSPACE_ID:-}"
if [ -n "$WORKSPACE_ID" ]; then
ENDPOINT="${PLATFORM_URL}/workspaces/${WORKSPACE_ID}/github-installation-token"
else
ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
fi
# _fetch_token — internal helper; also callable directly from cron.
# Outputs the raw token string on success; exits non-zero on failure.