Skip to content

fix: support SSH remotes and reliable auth for private repos#123

Open
MalteHerrmann wants to merge 2 commits into
mainfrom
cursor/fix-ssh-private-repo-github-auth
Open

fix: support SSH remotes and reliable auth for private repos#123
MalteHerrmann wants to merge 2 commits into
mainfrom
cursor/fix-ssh-private-repo-github-auth

Conversation

@MalteHerrmann

Copy link
Copy Markdown
Owner

Summary

Fixes issues with private repositories (especially those authenticated via SSH) that caused clu create-pr and clu check-diff to fail. Addresses #122 and the linked #121.

Three root causes were identified and fixed:

  • SSH URLs were unparseable. get_origin() (used by clu init) and get_git_info() (used by create-pr/check-diff) only matched https://github.com/.... The SSH form git@github.com:owner/repo.git never matched (colon vs. slash). Added parse_github_owner_repo() that handles HTTPS, SCP-style SSH, ssh://, and bare URLs (with optional .git/trailing slash), and normalizes origins to canonical HTTPS.
  • Silent unauthenticated fallback. get_github_client() used unwrap_or_default(), silently degrading to an unauthenticated client. GitHub returns 404 Not Found (not 403) for private resources without valid auth — the exact error in Error checking diff on PR #121. The client now surfaces build errors instead of degrading, and the GITHUB_TOKEN is trimmed to avoid Authorization header corruption from trailing whitespace/newlines (e.g. $(op read ...)).
  • Error swallowing in branch_exists_on_remote. Previously used .is_ok(), so auth/network failures looked identical to "branch missing" — the Failed to create PR #122 symptom where a pushed branch keeps being reported as missing. It now returns Result<bool>, treating only genuine 404s as "absent" and propagating other errors with a helpful message.

Changes

  • src/utils/git.rs: new parse_github_owner_repo() + rewired get_origin()/get_git_info(); added unit tests.
  • src/utils/github.rs: token trimming, no silent unauthenticated fallback, branch_exists_on_remote() returns Result<bool>.
  • src/cli/create_pr.rs: updated call sites for the new signature.

Test plan

  • cargo build passes
  • cargo test --lib passes (new URL-parsing tests included; only the pre-existing ANTHROPIC_API_KEY-dependent test fails, unrelated to this change)
  • Verify against an actual private repo (SSH remote + valid GITHUB_TOKEN) that create-pr detects a pushed branch and check-diff works. If Error checking diff on PR #121 persists, confirm the token's scope grants access to that private repo.

Made with Cursor

MalteHerrmann and others added 2 commits June 14, 2026 13:50
Parse owner/repo from HTTPS and SSH GitHub URLs so private repos cloned
via SSH work in init, create-pr, and check-diff. Trim GITHUB_TOKEN and
stop silently falling back to an unauthenticated client, which made
private repositories return misleading 404s. Propagate non-404 errors
from the branch existence check instead of reporting pushed branches as
missing.

Fixes #122, fixes #121

Co-authored-by: Cursor <cursoragent@cursor.com>
@MalteHerrmann MalteHerrmann marked this pull request as ready for review June 15, 2026 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant