feat: add multi-host netrc auth

zah · zah · commit 56be136d7e96 · 2025-06-08T04:13:39.000+03:00
diff --git a/.agents/codebase-insights.txt b/.agents/codebase-insights.txt
@@ -10,7 +10,9 @@
 - Tests must call `VCSRepo.new(repo).checkout_branch('feat')` after `run_agent_task()` calls
 
 ## Token Usage
-- Uses GITHUB_TOKEN (not GITHUB_ACCESS_TOKEN) consistently across the codebase
+- Authentication for GitHub, GitLab and BitBucket is handled via `~/.netrc` which
+  is configured during `codex-setup` if the respective `*_TOKEN` environment
+  variables are present. The token is no longer injected in remote URLs.
 
 ## EXTRAS Framework
 - Ruby-based component installation system via `bin/install-extras`
diff --git a/.agents/tasks/2025/06/07-0843-multi-vcs-support.txt b/.agents/tasks/2025/06/07-0843-multi-vcs-support.txt
@@ -0,0 +1,5 @@
+In several places, we support only GitHub. (Do a case insensitive grep for GitHub).
+
+Try to extend the logic to add support for GitLab and BitBucket.
+
+Instead of using http auth directly supplied  in the URL, let’s set up a netrc file during the codex-setup phase which would allow us to authenticate in front of these services with regular URLs
diff --git a/codex-setup b/codex-setup
@@ -13,7 +13,22 @@ else
   GET_TASK_CMD="get-task"
 fi
 
-# TODO: Support GitLab and BitBucket
+# Configure ~/.netrc for Git hosting services
+NETRC_CONTENT=""
+if [ -n "${GITHUB_TOKEN}" ]; then
+  NETRC_CONTENT+=$'machine github.com\n  login x-access-token\n  password '${GITHUB_TOKEN}$'\n'
+fi
+if [ -n "${GITLAB_TOKEN}" ]; then
+  NETRC_CONTENT+=$'machine gitlab.com\n  login oauth2\n  password '${GITLAB_TOKEN}$'\n'
+fi
+if [ -n "${BITBUCKET_TOKEN}" ]; then
+  NETRC_CONTENT+=$'machine bitbucket.org\n  login x-token-auth\n  password '${BITBUCKET_TOKEN}$'\n'
+fi
+if [ -n "$NETRC_CONTENT" ]; then
+  echo "Configuring ~/.netrc for git authentication"
+  printf "%s" "$NETRC_CONTENT" > "$HOME/.netrc"
+  chmod 600 "$HOME/.netrc"
+fi
 
 cat > ../AGENTS.md << EOF
 When you a given a task description or developer instructions that
diff --git a/docs/devcontainer-setup.md b/docs/devcontainer-setup.md
@@ -10,9 +10,13 @@ export OPENAI_API_KEY="your-openai-api-key"
 export OPENAI_ORG_ID="your-org-id"  # Optional
 ```
 
-### GitHub Integration
+### Git Hosting Integration
+Set tokens for any providers you intend to push to. The setup script will create
+a `~/.netrc` file from these values.
 ```bash
-export GITHUB_TOKEN="your-github-token"
+export GITHUB_TOKEN="your-github-token"    # Optional
+export GITLAB_TOKEN="your-gitlab-token"    # Optional
+export BITBUCKET_TOKEN="your-bitbucket-token"  # Optional
 ```
 
 ## Setting Environment Variables
@@ -22,13 +26,17 @@ Add to your `~/.bashrc`, `~/.zshrc`, or equivalent:
 ```bash
 export OPENAI_API_KEY="sk-..."
 export GITHUB_TOKEN="ghp_..."
+export GITLAB_TOKEN="glpat-..."
+export BITBUCKET_TOKEN="bbt_..."
 ```
 
 ### Windows
 Using PowerShell:
 ```powershell
 $env:OPENAI_API_KEY = "sk-..."
 $env:GITHUB_TOKEN = "ghp_..."
+$env:GITLAB_TOKEN = "glpat-..."
+$env:BITBUCKET_TOKEN = "bbt_..."
 ```
 
 Or set permanently via System Properties > Environment Variables.
diff --git a/lib/agent_tasks.rb b/lib/agent_tasks.rb
@@ -65,19 +65,7 @@ def git_details
     target_branch = branch_match[1].strip
     raise StandardError, 'Error: Start-Agent-Branch is empty in commit message' if target_branch.empty?
 
-    if target_remote.start_with?('https://github.com/')
-      github_token = ENV.fetch('GITHUB_TOKEN', nil)
-      unless github_token
-        raise StandardError,
-              'Error: The Codex environment must be configured with a GITHUB_TOKEN, specified as a secret'
-      end
-
-      remote_url = target_remote.sub('https://github.com/', "https://x-access-token:#{github_token}@github.com/")
-    else
-      remote_url = target_remote
-    end
-
-    { remote_url: remote_url, push_branch: target_branch }
+    { remote_url: target_remote, push_branch: target_branch }
   end
 
   def prepare_work_environment
diff --git a/test/test_commit_message_format.rb b/test/test_commit_message_format.rb
@@ -80,31 +80,17 @@ def test_agent_tasks_extraction_with_remote_and_branch
     vcs_repo.checkout_branch('extract-test')
     agent_tasks = AgentTasks.new(repo)
 
-    # Save original token and set test token
-    original_token = ENV.fetch('GITHUB_TOKEN', nil)
-
-    begin
-      ENV['GITHUB_TOKEN'] = 'test_token_123'
-      # Test autopush message generation
-      message = agent_tasks.agent_prompt(autopush: true)
-
-      assert_includes message, 'extraction test task'
-      assert_includes message, 'git remote add target_remote "https://x-access-token:test_token_123@github.com/testuser/test-repo.git"'
-      assert_includes message, 'git push target_remote HEAD:extract-test'
-    ensure
-      # Restore original token
-      if original_token
-        ENV['GITHUB_TOKEN'] = original_token
-      else
-        ENV.delete('GITHUB_TOKEN')
-      end
-    end
+    # Autopush message generation should not embed credentials
+    message = agent_tasks.agent_prompt(autopush: true)
+    assert_includes message, 'extraction test task'
+    assert_includes message, 'git remote add target_remote "https://github.com/testuser/test-repo.git"'
+    assert_includes message, 'git push target_remote HEAD:extract-test'
   ensure
     FileUtils.remove_entry(repo) if repo && File.exist?(repo)
     FileUtils.remove_entry(remote) if remote && File.exist?(remote)
   end
 
-  def test_agent_tasks_autopush_requires_github_token
+  def test_agent_tasks_autopush_without_token
     repo, remote = setup_repo(:git)
 
     # Set up HTTPS remote
@@ -119,34 +105,12 @@ def test_agent_tasks_autopush_requires_github_token
     vcs_repo.checkout_branch('token-test')
     agent_tasks = AgentTasks.new(repo)
 
-    # Save original token
-    original_token = ENV.fetch('GITHUB_TOKEN', nil)
-
-    begin
-      # Test with missing token
-      ENV.delete('GITHUB_TOKEN')
-      error = assert_raises(StandardError) do
-        agent_tasks.agent_prompt(autopush: true)
-      end
-      assert_includes error.message,
-                      'The Codex environment must be configured with a GITHUB_TOKEN, ' \
-                      'specified as a secret'
-
-      # Test with token present
-      ENV['GITHUB_TOKEN'] = 'test_token_123'
-      message = agent_tasks.agent_prompt(autopush: true)
-      assert_includes message, 'git remote add target_remote "https://x-access-token:test_token_123@github.com/testuser/test-repo.git"'
-      assert_includes message, 'git push target_remote HEAD:token-test'
-    ensure
-      # Restore original token
-      if original_token
-        ENV['GITHUB_TOKEN'] = original_token
-      else
-        ENV.delete('GITHUB_TOKEN')
-      end
-      FileUtils.remove_entry(repo) if repo && File.exist?(repo)
-      FileUtils.remove_entry(remote) if remote && File.exist?(remote)
-    end
+    message = agent_tasks.agent_prompt(autopush: true)
+    assert_includes message, 'git remote add target_remote "https://github.com/testuser/test-repo.git"'
+    assert_includes message, 'git push target_remote HEAD:token-test'
+  ensure
+    FileUtils.remove_entry(repo) if repo && File.exist?(repo)
+    FileUtils.remove_entry(remote) if remote && File.exist?(remote)
   end
 
   def test_agent_tasks_autopush_errors_on_missing_commit_data
@@ -163,25 +127,12 @@ def test_agent_tasks_autopush_errors_on_missing_commit_data
 
     agent_tasks = AgentTasks.new(repo)
 
-    # Save original token and set test token
-    original_token = ENV.fetch('GITHUB_TOKEN', nil)
-    ENV['GITHUB_TOKEN'] = 'test_token_123'
-
-    begin
-      # Should raise error because commit doesn't have Target-Remote
-      error = assert_raises(StandardError) do
-        agent_tasks.agent_prompt(autopush: true)
-      end
-      assert_includes error.message, 'You are not currently on a agent task branch'
-    ensure
-      # Restore original token
-      if original_token
-        ENV['GITHUB_TOKEN'] = original_token
-      else
-        ENV.delete('GITHUB_TOKEN')
-      end
-      FileUtils.remove_entry(repo) if repo && File.exist?(repo)
-      FileUtils.remove_entry(remote) if remote && File.exist?(remote)
+    error = assert_raises(StandardError) do
+      agent_tasks.agent_prompt(autopush: true)
     end
+    assert_includes error.message, 'You are not currently on a agent task branch'
+  ensure
+    FileUtils.remove_entry(repo) if repo && File.exist?(repo)
+    FileUtils.remove_entry(remote) if remote && File.exist?(remote)
   end
 end
