4 changes: 2 additions & 2 deletions .env.schema
@@ -33,8 +33,8 @@ OPENCODE_ZEN_API_KEY=

# ── GitHub ───────────────────────────────────────────────────────────────────

# GitHub Personal Access Token (fine-grained, scoped to agent repos)
# @required @type=string(startsWith=ghp_)
# GitHub Personal Access Token (classic ghp_ or fine-grained github_pat_)
# @required @type=string
**Unrestricted string type accepts any value**

Removing `startsWith=ghp_` is correct, but dropping to a plain `@type=string` with no constraint means varlock will accept any non-empty string as a valid `GITHUB_TOKEN` (e.g. a mistyped value, a pasted Slack token, etc.). The sole guard is now the prefix-warning in `config.sh`, which only fires during interactive setup — not on every restart.

Varlock doesn't support multiple `startsWith` values in a single annotation, but it does support a `pattern` (regex) constraint. If varlock's schema supports a `@type=string(pattern=...)`, you could capture both prefixes without losing all validation:

```suggestion
# @required @type=string(pattern=^(ghp_|github_pat_))
```

If varlock doesn't support `pattern`, a comment documenting the intentional lack of prefix validation here would help future maintainers understand why the constraint was removed rather than replaced.

# @docs(https://github.com/settings/tokens)
GITHUB_TOKEN=
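Review bot: The replacement comment on the `GITHUB_TOKEN` line drops the "scoped to agent repos" guidance that the old line carried, so the only remaining hint about token scope disappears along with the prefix constraint. Keep the scope advice next to the format note, for example `# GitHub Personal Access Token (classic ghp_ or fine-grained github_pat_), scoped to the agent repos only`, so the least-privilege expectation survives the format change and operators are not nudged toward a broadly scoped classic token.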

**Related files not updated for fine-grained PAT support**

Two companion files still only handle the `ghp_` prefix and may need updating:

1. **`bin/security-audit.sh`** (lines 281, 332, 336) — the secret-scanning regex patterns use only `ghp_[a-zA-Z0-9]{36}`. Fine-grained PATs with the `github_pat_` prefix won't be detected by the audit's secret-exposure or git-history scans. `redact-logs.sh` already handles both prefixes correctly, but `security-audit.sh` has not been updated to match.

2. **`CONFIGURATION.md`** (line 113) — the example env block still shows only a classic token placeholder. Updating it to reference both token formats would keep the docs consistent with the schema comment and the description in `AGENTS.md`.
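The detection gap described in the comment above, as an added example that is not code from the PR or its repository: the audit's classic-only regex and a two-prefix regex are run over constructed sample lines, followed by a redaction pass of the kind `redact-logs.sh` performs. It assumes fine-grained tokens are `github_pat_` followed by 82 characters of `[A-Za-z0-9_]`; every token value is constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or its repository. It shows why the
# classic-only regex quoted in the review misses fine-grained PATs, and what a
# pattern covering both prefixes catches, over constructed sample log lines.
# Assumptions: classic tokens are ghp_ plus 36 alphanumerics (the audit's
# regex); fine-grained tokens are github_pat_ plus 82 characters from
# [A-Za-z0-9_] (22, an underscore, then 59). All token values are constructed.

CLASSIC_ONLY='ghp_[a-zA-Z0-9]{36}'
BOTH_PREFIXES='(ghp_[a-zA-Z0-9]{36}|github_pat_[A-Za-z0-9_]{82})'

# Constructed sample lines, built with printf so the lengths are exact:
# a classic token, a fine-grained token, a too-short decoy, an unrelated line.
sample_lines() {
  printf 'export GITHUB_TOKEN=ghp_%036d\n' 0
  printf 'GITHUB_TOKEN=github_pat_%022d_%059d\n' 0 0
  printf 'debug: value was ghp_short\n'
  printf 'OPENCODE_ZEN_API_KEY=not-a-github-token\n'
}

# Number of sample lines matching a pattern. grep -c prints 0 but exits 1 when
# nothing matches, so the exit status is neutralised for callers using set -e.
count_hits() {
  sample_lines | grep -Ec "$1" || true
}

# Redact every token matching the wider pattern, as a log scrubber would.
redact() {
  sample_lines | sed -E "s/$BOTH_PREFIXES/[REDACTED_GITHUB_TOKEN]/g"
}

# True when the redacted output no longer contains a token of either format.
redaction_is_clean() {
  ! redact | grep -Eq "$BOTH_PREFIXES"
}

if [ "${1:-}" = "--demo" ]; then
  echo "classic-only pattern hits: $(count_hits "$CLASSIC_ONLY")"   # 1
  echo "both-prefix pattern hits:  $(count_hits "$BOTH_PREFIXES")"  # 2
  redact
fi
```

Run with `--demo` to see the hit counts and the scrubbed lines; the classic-only pattern reports one hit, the two-prefix pattern reports two.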