config: accept both ghp_ and github_pat_ tokens in schema#36
Conversation
The startsWith=ghp_ constraint rejects fine-grained PATs which use the github_pat_ prefix. Varlock doesn't support multiple startsWith values, so remove the prefix constraint. The config.sh prompt still validates prefixes with a warning.
Greptile SummaryThis PR fixes a crash-loop on startup caused by varlock rejecting fine-grained GitHub PATs ( Key observations:
Confidence Score: 4/5
Important Files Changed
Sequence DiagramsequenceDiagram
participant Admin
participant install.sh
participant config.sh
participant varlock
participant agent as baudbot_agent
Admin->>install.sh: run install / config
install.sh->>config.sh: prompt for GITHUB_TOKEN
config.sh-->>Admin: warn if prefix ≠ ghp_ or github_pat_
Admin->>config.sh: supply token (ghp_... or github_pat_...)
config.sh->>config.sh: write to ~/.config/.env
agent->>varlock: varlock load (.env.schema)
Note over varlock: @type=string (no prefix constraint)
varlock-->>agent: validation passes for both token types
agent->>agent: start successfully
Last reviewed commit: 35ab91a |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| # GitHub Personal Access Token (fine-grained, scoped to agent repos) | ||
| # @required @type=string(startsWith=ghp_) | ||
| # GitHub Personal Access Token (classic ghp_ or fine-grained github_pat_) | ||
| # @required @type=string |
There was a problem hiding this comment.
Unrestricted string type accepts any value
Removing startsWith=ghp_ is correct, but dropping to a plain @type=string with no constraint means varlock will accept any non-empty string as a valid GITHUB_TOKEN (e.g. a mistyped value, a pasted Slack token, etc.). The sole guard is now the prefix-warning in config.sh, which only fires during interactive setup — not on every restart.
Varlock doesn't support multiple startsWith values in a single annotation, but it does support a pattern (regex) constraint. If varlock's schema supports a @type=string(pattern=...), you could capture both prefixes without losing all validation:
| # @required @type=string | |
| # @required @type=string(pattern=^(ghp_|github_pat_)) |
If varlock doesn't support pattern, a comment documenting the intentional lack of prefix validation here would help future maintainers understand why the constraint was removed rather than replaced.
Prompt To Fix With AI
This is a comment left during a code review.
Path: .env.schema
Line: 37:37
Comment:
**Unrestricted string type accepts any value**
Removing `startsWith=ghp_` is correct, but dropping to a plain `@type=string` with no constraint means varlock will accept any non-empty string as a valid `GITHUB_TOKEN` (e.g. a mistyped value, a pasted Slack token, etc.). The sole guard is now the prefix-warning in `config.sh`, which only fires during interactive setup — not on every restart.
Varlock doesn't support multiple `startsWith` values in a single annotation, but it does support a `pattern` (regex) constraint. If varlock's schema supports a `@type=string(pattern=...)`, you could capture both prefixes without losing all validation:
```suggestion
# @required @type=string(pattern=^(ghp_|github_pat_))
```
If varlock doesn't support `pattern`, a comment documenting the intentional lack of prefix validation here would help future maintainers understand why the constraint was removed rather than replaced.
How can I resolve this? If you propose a fix, please make it concise.| # GitHub Personal Access Token (classic ghp_ or fine-grained github_pat_) | ||
| # @required @type=string | ||
| # @docs(https://github.com/settings/tokens) | ||
| GITHUB_TOKEN= |
There was a problem hiding this comment.
Related files not updated for fine-grained PAT support
Two companion files still only handle the ghp_ prefix and may need updating:
-
bin/security-audit.sh(lines 281, 332, 336) — the secret-scanning regex patterns use onlyghp_[a-zA-Z0-9]{36}. Fine-grained PATs with thegithub_pat_prefix won't be detected by the audit's secret-exposure or git-history scans.redact-logs.shalready handles both prefixes correctly, butsecurity-audit.shhas not been updated to match. -
CONFIGURATION.md(line 113) — the example env block still shows only a classic token placeholder. Updating it to reference both token formats would keep the docs consistent with the schema comment and the description inAGENTS.md.
Prompt To Fix With AI
This is a comment left during a code review.
Path: .env.schema
Line: 36:39
Comment:
**Related files not updated for fine-grained PAT support**
Two companion files still only handle the `ghp_` prefix and may need updating:
1. **`bin/security-audit.sh`** (lines 281, 332, 336) — the secret-scanning regex patterns use only `ghp_[a-zA-Z0-9]{36}`. Fine-grained PATs with the `github_pat_` prefix won't be detected by the audit's secret-exposure or git-history scans. `redact-logs.sh` already handles both prefixes correctly, but `security-audit.sh` has not been updated to match.
2. **`CONFIGURATION.md`** (line 113) — the example env block still shows only a classic token placeholder. Updating it to reference both token formats would keep the docs consistent with the schema comment and the description in `AGENTS.md`.
How can I resolve this? If you propose a fix, please make it concise.
1 participant
The
.env.schemahadstartsWith=ghp_onGITHUB_TOKEN, which rejects fine-grained PATs (github_pat_prefix). This caused varlock validation to fail and the agent to crash-loop on startup.Varlock doesn't support multiple
startsWithvalues, so the prefix constraint is removed from the schema. The soft validation inconfig.shstill warns on unexpected prefixes.