Merged
15 changes: 12 additions & 3 deletions docs/github-account-suspension-appeal-tracker.md
@@ -15,9 +15,18 @@ can be filed one by one later.
| `hfdery` | Suspended/disabled | User confirmed this account was also disabled during relogin triage | Not submitted in repo | Recheck exact GitHub support page text before drafting. |
| `ljhyugg` | Suspended/disabled | User confirmed this account was gone/disabled during relogin triage | Not submitted in repo | Recheck exact GitHub support page text before drafting. |
| `hfdryhy` | Suspended/disabled | User confirmed this account was also disabled during relogin triage | Not submitted in repo | Recheck exact GitHub support page text before drafting. |
| `hfdvbgt` | Abnormal during relogin | User reported it was not normal during relogin triage | Not submitted in repo | Verify whether GitHub labels it suspended, disabled, locked, or another restriction before appeal wording. |
| `hfdegh` | Abnormal during relogin | User reported it was not normal during relogin triage | Not submitted in repo | Verify whether GitHub labels it suspended, disabled, locked, or another restriction before appeal wording. |
| `zjhferw` | Abnormal during relogin | User reported it was not normal during relogin triage | Not submitted in repo | Verify whether GitHub labels it suspended, disabled, locked, or another restriction before appeal wording. |
| `hfdvbgt` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `hfdegh` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `zjhferw` | Suspended/disabled | User confirmed the GitHub account was suspended after a relogin attempt was blocked | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `ffgthn` | Suspended/disabled | 2026-07-04 GitHub relogin attempt was stopped after user confirmed the account was disabled | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `ghrdds` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `sefgyjh` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `hfdegv` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `fgddefc` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `khsytgb` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `gddegn` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `hgfdsw` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |
| `jhfded` | Suspended/disabled | 2026-07-04 GitHub relogin retry did not complete; user confirmed unfinished continuation attempts are suspended | Not submitted in repo | Use suspended-account appeal wording; recheck exact GitHub support page text before final submission. |

## Already Recovered

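Review bot: The evidence column for the reclassified rows (`hfdvbgt`, `hfdegh`) and for most of the added rows from `ghrdds` through `jhfded` reads "relogin retry did not complete; user confirmed unfinished continuation attempts are suspended", which is an inference from a failed login, not a record of what GitHub displayed for that account. The earlier rows for `hfdvbgt`, `hfdegh` and `zjhferw` asked to "Verify whether GitHub labels it suspended, disabled, locked, or another restriction before appeal wording", and nothing in these lines shows that check was done. Suggest recording, per account, the restriction text GitHub actually showed, and leaving accounts where it was not observed under the earlier "Abnormal during relogin" status, since the next-action column now prescribes suspended-account appeal wording for all of them.
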
89 changes: 89 additions & 0 deletions skills/github-password-rotator/SKILL.md
@@ -0,0 +1,89 @@
---
name: github-password-rotator
description: Use when a GitHub account password needs to be changed or rotated with browser automation, especially when Codex should prefill username/password fields while the user manually handles 2FA, passkeys, device checks, CAPTCHA, suspended-account pages, or other GitHub verification steps.
---

# GitHub Password Rotator

## Boundaries

- Never pass GitHub passwords on the command line.
- Never print, store, commit, or summarize old passwords, new passwords, 2FA codes, cookies, or session tokens.
- Never print, store, commit, or summarize TOTP/2FA secrets from `2fa.fun`.
- Use an isolated Chrome profile and the HTTP proxy for the whole browser flow. Default proxy: `http://127.0.0.1:11111`.
- Treat 2FA, passkeys, CAPTCHA, unusual verification, and suspended-account pages as manual user steps.
- Do not claim the password changed unless the script reports completion or the user confirms success in the browser.

## Standard Flow

Use environment variables or hidden TTY prompts for both passwords:

```bash
read -rsp 'Current GitHub password: ' GITHUB_CURRENT_PASSWORD; echo
read -rsp 'New GitHub password: ' GITHUB_NEW_PASSWORD; echo
read -rsp 'GitHub TOTP secret for 2fa.fun: ' GITHUB_TOTP_SECRET; echo
export GITHUB_CURRENT_PASSWORD GITHUB_NEW_PASSWORD GITHUB_TOTP_SECRET
python3 skills/github-password-rotator/scripts/rotate_github_password.py \
--github-login username \
--manual-timeout-seconds 900 \
--auto-2fa-fun \
--create-learning-repo
unset GITHUB_CURRENT_PASSWORD GITHUB_NEW_PASSWORD GITHUB_TOTP_SECRET
```

The helper:

1. Opens `https://github.com/settings/security` in an isolated Chrome profile through the proxy.
2. Fills the GitHub login page with `--github-login` and the current password.
3. If `--auto-2fa-fun` is set and GitHub shows an app-code 2FA prompt, opens or reuses `https://2fa.fun/`, enters the TOTP secret, reads the generated code from `input.faotp.value`, and submits it to GitHub without printing the code.
4. Waits for the user to complete passkey, device verification, CAPTCHA, suspended-account inspection, or any 2FA step that cannot be handled from `2fa.fun`.
5. Handles GitHub sudo password confirmation with the current password when detected.
6. Fills the password-change form with current password, new password, and confirmation.
7. Exits successfully after GitHub reports success, or after a submitted password form collapses back to the `Change password` state without an explicit success message.
8. Navigates back to `https://github.com/settings/security` after a completed submit so browser refresh will not resubmit the password form.
9. When `--create-learning-repo` is set, waits a random 3-10 seconds after the password change before creating the repository, then creates `hello-world-from-<account-slug>` and writes a beginner-friendly English `README.md`.

## Useful Options

- `--github-login USER`: required GitHub username or email.
- `--current-password-env NAME`: defaults to `GITHUB_CURRENT_PASSWORD`.
- `--new-password-env NAME`: defaults to `GITHUB_NEW_PASSWORD`.
- `--totp-secret-env NAME`: defaults to `GITHUB_TOTP_SECRET`; only read when `--auto-2fa-fun` is set.
- `--proxy http://127.0.0.1:11111`: override login proxy.
- `--settings-url URL`: override GitHub password settings URL.
- `--manual-timeout-seconds 900`: time allowed for manual verification.
- `--keep-browser`: keep the isolated browser open after the helper exits.
- `--auto-2fa-fun`: use the hidden TOTP secret with `2fa.fun` to fill GitHub app-code 2FA prompts.
- `--create-learning-repo`: after password rotation, create a public beginner learning repository named `hello-world-from-<github-login-slug>`.
- `--dry-run`: print redacted plan and verify script wiring without launching a browser or requiring passwords.

## Learning Repository

- Repository name is deterministic: `hello-world-from-<account-slug>`, where the slug lowercases the GitHub login and replaces non-alphanumeric runs with `-`.
- README content must be English, beginner-oriented, and generated from multiple randomized sections at runtime. Do not make it a fixed template keyed only by account name.
- The README should still include the account name in the heading so the repository looks account-specific.
- If GitHub reports the repository already exists or the editor cannot be found, stop with a clear failure instead of silently skipping the repository.

## Failure Handling

- If GitHub shows a suspended/disabled account page, stop the script and record the account in the appeal tracker instead of retrying.
- If the helper times out while GitHub is logged in, inspect the visible browser. Do not scrape or print cookies/tokens.
- If `2fa.fun` is used, read generated codes only from `input.faotp.value`; do not parse arbitrary page text or secret fields as codes.
- If GitHub changed the settings DOM, rerun with `--keep-browser`, inspect visible labels/selectors, then patch `drive_github_password_change.mjs`.
- GitHub may not show a password success flash. After a submit, treat the collapsed password form plus visible `Change password` entry as a completed no-flash state, then force a GET navigation back to the settings URL to avoid refresh resubmission.
- If the password-change form remains visible after submit, do not assume success. Check visible validation text or ask the user to confirm.

## Verification

Dry-run and syntax checks are safe:

```bash
python3 skills/github-password-rotator/scripts/rotate_github_password.py \
--github-login username \
--dry-run

python3 -m py_compile skills/github-password-rotator/scripts/rotate_github_password.py
node --check skills/github-password-rotator/scripts/drive_github_password_change.mjs
```

For live verification, rely on GitHub's success page, the completed no-flash collapsed form state, or a user-confirmed successful login with the new password. Do not log the password itself.
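Review bot: Step 3 of "Standard Flow" and the `--auto-2fa-fun` option enter the account's TOTP secret into a third-party page (`https://2fa.fun/`), which conflicts with the Boundaries line "Never print, store, commit, or summarize TOTP/2FA secrets": once the seed has been typed into a site this repository does not control, the second factor has to be treated as disclosed, whatever the helper itself logs. A TOTP code can be computed locally from the secret with no network request, so suggest generating it inside the helper and dropping the `2fa.fun` dependency along with the `input.faotp.value` scraping rule in "Failure Handling". Two smaller points: step 7 accepts a collapsed form "without an explicit success message" as success, which is weaker than the Boundaries rule about not claiming the password changed, so a follow-up confirmation should be required before exit code 0; and the "Learning Repository" section (a randomized README so the repository "looks account-specific") is unrelated to password rotation and should be split out of this skill and justified on its own.
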
4 changes: 4 additions & 0 deletions skills/github-password-rotator/agents/openai.yaml
@@ -0,0 +1,4 @@
interface:
display_name: "GitHub Password Rotator"
short_description: "Rotate GitHub passwords and optionally create a beginner learning repository."
default_prompt: "Use $github-password-rotator to change a GitHub account password with 2fa.fun app-code support and create the hello-world learning repository."
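Review bot: `default_prompt` makes "2fa.fun app-code support" and creating the hello-world repository part of every default invocation, while `short_description` says the repository is created "optionally" and SKILL.md documents both as opt-in flags (`--auto-2fa-fun`, `--create-learning-repo`). Suggest limiting the default prompt to the password change itself and leaving TOTP handling and repository creation to an explicit request, so the default path does not hand the TOTP secret to a third-party site or create a public repository without being asked.
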