fix(workspace): gh CLI wrapper so gh always uses the live App token #114
Merged
The refresh daemon keeps /home/dev/.credentials/.github-token current and BASH_ENV + the ~/.profile hook re-export GH_TOKEN for NEW shells, so `git push` (file-based credential helper) and fresh `bash -c` subshells always work. But a long-lived process — notably the Claude Code harness — captures GH_TOKEN into its env once at startup and can never be updated by a file rewrite afterward. `gh` prefers that env var over everything else, so ~an hour into a session it starts returning 401 "Bad credentials" even though the token file is valid.

Add a tiny `gh` shim at $HOME/.local/bin/gh (first on PATH) that re-reads the token file on every call and execs the real /usr/bin/gh. This is the file-backed guarantee git already has, extended to gh, and survives token rotation without any shell-env freshness assumptions. Created at boot alongside the daemon.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

`gh` keeps returning 401 "Bad credentials" ~an hour into a session, even though `git push` works fine and the token file is valid.

Root cause (confirmed on a live pod): the GitHub App installation token rotates ~hourly; the refresh daemon (#48 / f85c53b) keeps `/home/dev/.credentials/.github-token` fresh and `git`'s file-based credential helper reads it live — so git push always works. `BASH_ENV` + the `~/.profile` hook also re-export `GH_TOKEN` for new shells. But a long-lived process — notably the Claude Code harness — captures `GH_TOKEN` into its env once at startup, and nothing can update an already-running process's env afterward. `gh` prefers that env var, so it goes stale and 401s while everything else is fine.

The BASH_ENV/profile-hook approach (f85c53b) is correct but structurally can't fix a long-lived consumer — only its child shells get the refreshed value.

Fix

Create a tiny `gh` shim at `$HOME/.local/bin/gh` (first on PATH) at boot, beside the daemon launch. It re-reads the token file on every invocation and execs the real `/usr/bin/gh`:

This gives `gh` the same file-backed guarantee `git` already has, independent of any process's frozen env. Real binary is pinned to an absolute path so it can't recurse into the shim.

Verification

Reproduced + fixed live in a running workspace: bare `gh api repos/imran31415/comments` returned 401 with the harness's stale env token; after dropping this shim on PATH, bare `gh api` / `gh pr view` / `gh pr merge` all succeed reading the live file token. No change needed for `git push`.

🤖 Generated with Claude Code
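A sketch of the file-backed shim the description outlines, added here as an example and not the script from this PR. The two default paths are the ones named in the PR; `GH_TOKEN_FILE`, `GH_REAL_BIN`, the function names, and the warn-and-pass-through behaviour when the file is unusable are assumptions of this sketch.

```shell
#!/bin/sh
# Added sketch, not the PR's script. Default paths are the ones named in the
# PR; GH_TOKEN_FILE and GH_REAL_BIN are hypothetical overrides for offline use.
TOKEN_FILE_DEFAULT=/home/dev/.credentials/.github-token
REAL_GH_DEFAULT=/usr/bin/gh

# Print the token currently in file $1; non-zero if it is missing or empty.
read_live_token() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # Drop the trailing newline/CR a writer may leave behind.
    live=$(tr -d '[:space:]' < "$1") || return 1
    [ -n "$live" ] || return 1
    printf '%s' "$live"
}

# Re-read the token file, override any inherited GH_TOKEN, exec the real gh.
gh_shim() {
    real=${GH_REAL_BIN:-$REAL_GH_DEFAULT}
    file=${GH_TOKEN_FILE:-$TOKEN_FILE_DEFAULT}
    # Absolute path only: a bare "gh" would resolve back to this shim on PATH.
    case $real in
        /*) ;;
        *) echo "gh shim: real binary must be an absolute path" >&2; return 2 ;;
    esac
    if tok=$(read_live_token "$file"); then
        GH_TOKEN=$tok
        export GH_TOKEN
    else
        # Design choice of this sketch: keep the inherited env, but say so,
        # so a later 401 can be traced to the missing or empty file.
        echo "gh shim: no usable token in $file; using inherited env" >&2
    fi
    exec "$real" "$@"
}

# Run only when installed under the name "gh" (e.g. $HOME/.local/bin/gh).
case ${0##*/} in
    gh) gh_shim "$@" ;;
esac
```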