fixup: refresh auth info when not in GitLab CI

[cole-h]

Summary by CodeRabbit

• Improvements
  • Updated background token refresh behavior for CI environment handling.

[coderabbitai]

Warning

Review limit reached

@cole-h, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 hour, 12 minutes, and 34 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ab06ea99-6872-4d24-a87b-9e60df5cccee

📥 Commits

Reviewing files that changed from the base of the PR and between e921fb3 and fe0fc91.

⛔ Files ignored due to path filters (1)

• flake.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• magic-nix-cache/src/flakehub.rs

📝 Walkthrough

Walkthrough

In init_cache within flakehub.rs, the condition controlling background token-refresh worker startup is changed from environment.is_github_actions() to !environment.is_gitlab_ci(). The two workers (FlakeHubAuthSource::Netrc and FlakeHubAuthSource::DeterminateNixd) are otherwise unchanged; only the guard condition and its surrounding comments are updated.

Changes

Token Refresh Worker Condition

Layer / File(s)	Summary
Token refresh worker startup guard magic-nix-cache/src/flakehub.rs	init_cache replaces the is_github_actions() check with !is_gitlab_ci(), broadening the condition under which background token-refresh workers are started, along with updated comments.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through CI land,
Not just GitHub — now understand:
GitLab alone must sit this out,
All others spin the refresh bout.
🐇 Token fresh, no need to doubt!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: modifying auth token refresh behavior to exclude GitLab CI environments.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fixup-auth-refresh

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

magic-nix-cache/src/flakehub.rs (1)

99-110: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

refresh_github_actions_jwt_worker will fail repeatedly in non-GitHub Actions environments.

With the guard changed to !environment.is_gitlab_ci(), the Netrc path now spawns refresh_github_actions_jwt_worker in Buildkite and "Other" environments. However, this worker relies on GitHub Actions-specific environment variables (ACTIONS_ID_TOKEN_REQUEST_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL) that won't exist outside GitHub Actions. The worker will sleep 2 minutes, fail to read the env vars, log an error, sleep 10 seconds, and repeat indefinitely—spamming logs and wasting cycles.

Consider either:

1. Keep the GitHub Actions check specifically for the Netrc path (preserving the original behavior for this case), or
2. Have the worker detect missing env vars at startup and exit gracefully.

Option 1: Add inner guard for Netrc path

     if !environment.is_gitlab_ci() {
         match auth_method {
             super::FlakeHubAuthSource::Netrc(path) => {
+                // Only refresh GitHub Actions JWTs when actually running in GitHub Actions
+                if environment.is_github_actions() {
                     let netrc_path_clone = path.to_path_buf();
                     let initial_github_jwt_clone = flakehub_password.clone();
                     let api_clone = api.clone();

                     tokio::task::spawn(refresh_github_actions_jwt_worker(
                         netrc_path_clone,
                         initial_github_jwt_clone,
                         api_clone,
                     ));
+                }
             }
             crate::FlakeHubAuthSource::DeterminateNixd => {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@magic-nix-cache/src/flakehub.rs` around lines 99 - 110, The
`refresh_github_actions_jwt_worker` is being spawned whenever
`!environment.is_gitlab_ci()` is true, but this worker requires GitHub
Actions-specific environment variables that only exist in GitHub Actions CI. Add
an additional check to verify that the code is running in a GitHub Actions
environment before spawning the worker in the `Netrc` path case. This ensures
the worker only runs when the required environment variables
(`ACTIONS_ID_TOKEN_REQUEST_TOKEN`, `ACTIONS_ID_TOKEN_REQUEST_URL`) are actually
present, preventing repeated failures and log spam in non-GitHub Actions
environments like Buildkite.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@magic-nix-cache/src/flakehub.rs`:
- Around line 99-110: The `refresh_github_actions_jwt_worker` is being spawned
whenever `!environment.is_gitlab_ci()` is true, but this worker requires GitHub
Actions-specific environment variables that only exist in GitHub Actions CI. Add
an additional check to verify that the code is running in a GitHub Actions
environment before spawning the worker in the `Netrc` path case. This ensures
the worker only runs when the required environment variables
(`ACTIONS_ID_TOKEN_REQUEST_TOKEN`, `ACTIONS_ID_TOKEN_REQUEST_URL`) are actually
present, preventing repeated failures and log spam in non-GitHub Actions
environments like Buildkite.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b2543b50-4320-4637-99e3-9b19f24d2853

📥 Commits

Reviewing files that changed from the base of the PR and between 0adf8a1 and e921fb3.

📒 Files selected for processing (1)

• magic-nix-cache/src/flakehub.rs