Fix setup token propagation after config stripping#124
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes a regression where GitHub token propagation to selected agents could fail after plugin-config secret-ref maps were stripped by the host. The UI now resolves the GitHub token secret ref from the saved settings/registration state first, keeping plugin-config lookup only as a legacy fallback, and adds a regression test for the 0.9.4 failure mode.
Changes:
- Add
resolveGitHubTokenSecretRefForPropagationto consistently resolve the token secret ref from (1) explicit input, (2) settings-backed ref, then (3) legacy plugin config. - Update setup save + propagation flow to pass/use the settings-backed
githubTokenConfigSyncRefinstead of relying on plugin config. - Add a regression test covering “settings ref present, config refs stripped” behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/ui/index.tsx | Adds secret-ref resolution helper and updates propagation/setup flows to prioritize settings-backed token refs, with config as fallback. |
| tests/plugin.spec.ts | Adds a regression test ensuring the resolver prefers saved settings ref when config refs are missing/stripped. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Root Cause
PRs 122 and 123 correctly stopped writing secret refs back into plugin config when the host rejects plugin secret references. The setup save path for adding propagation agents still tried to rediscover the GitHub token ref from plugin config unless the token was saved in that exact submit flow. In production 0.9.4, that leaves no config ref to read, so the UI throws:
GitHub token propagation requires a GitHub token saved through this settings page.The worker already returns
githubTokenConfigSyncReffromsettings.registration; setup save now uses that state-backed ref directly.Production Evidence
paperclip-github-plugin@0.9.4is installed oncliponaut.duckdns.org.propagateGitHubTokenToSelectedAgents()only checks an explicit option, then/api/plugins/:id/config, then throws the exact production message.Validation
pnpm typecheckpnpm testpnpm buildpnpm test:e2eModel Used
GPT-5.5 (
gpt-5.5), 400k token context window, medium reasoning, with shell, SSH, GitHub CLI, and local patch tool use.