You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ref: make api_client the single source of truth for the auth token
Token state used to live in two places: the api_client carried it for
GraphQL Authorization headers, while OrchestratorConfig.token (and its
clone in ExecutorConfig.token) carried it for upload Authorization
headers. The two were filled from different paths and could drift —
notably in CI with OIDC, where set_oidc_token mutated config but the
api_client kept its original token.
Centralize on the api_client:
- CodSpeedAPIClient now exposes token() and set_token() and is the
single mutation point for the credentials.
- RunEnvironmentProvider::set_oidc_token(&mut ExecutorConfig) becomes
refresh_token(&mut CodSpeedAPIClient). GHA implements it; other
providers inherit the no-op default.
- The Buildkite "token required" check moves from try_from(config) to
check_oidc_configuration(api_client) — token presence is the
api_client's authority now.
- Token resolution happens once at CLI entry in build_api_client(&cli):
--token / CODSPEED_TOKEN takes precedence; the persisted CLI config is
only loaded as fallback.
- token field deleted from OrchestratorConfig and ExecutorConfig. The
uploader's Authorization header and the tokenless metadata flag both
read from api_client.token().
- &mut CodSpeedAPIClient is plumbed through cli/run/exec → Orchestrator
→ upload_all so refresh_token can mutate in place.
Refs COD-2628
Co-Authored-By: Claude <noreply@anthropic.com>
0 commit comments