From 45faadc681f9a7b68cb98870117e0c6ae97c3209 Mon Sep 17 00:00:00 2001 From: Goose Date: Wed, 15 Apr 2026 23:56:51 +0000 Subject: [PATCH] fix: isolate gh CLI config per agent to prevent token mixing Set GH_CONFIG_DIR=$AGENT_HOME/.config/gh before gh auth login so each agent writes to its own directory rather than the shared global config. This prevents tokens from different agents bleeding into one another's gh auth state. Co-Authored-By: Paperclip --- github-app-token/SKILL.md | 2 ++ github-app-token/scripts/generate-token.sh | 9 +++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/github-app-token/SKILL.md b/github-app-token/SKILL.md index 52d4528..d573cbe 100644 --- a/github-app-token/SKILL.md +++ b/github-app-token/SKILL.md @@ -23,4 +23,6 @@ bash github-app-token/scripts/generate-token.sh The script validates env vars, generates a JWT, exchanges it for an installation token, writes the token to `$AGENT_HOME/.gh-token`, and runs `gh auth login`. On success it prints a confirmation line. On failure it exits non-zero with a descriptive error. +The script sets and exports `GH_CONFIG_DIR=$AGENT_HOME/.config/gh` so each agent's `gh` state is isolated from every other agent on the same host. After sourcing or calling the script, subsequent `gh` commands in the same shell session will automatically use that isolated config. If you spawn a subprocess, export `GH_CONFIG_DIR` before calling `gh`. + Requires `openssl`, `curl`, `jq`, and `gh`. diff --git a/github-app-token/scripts/generate-token.sh b/github-app-token/scripts/generate-token.sh index 0b30761..fa53084 100755 --- a/github-app-token/scripts/generate-token.sh +++ b/github-app-token/scripts/generate-token.sh 
@@ -41,7 +41,12 @@ GH_TOKEN_FILE="${GH_TOKEN_FILE:-$(mktemp)}" printf '%s' "$TOKEN" > "$GH_TOKEN_FILE" chmod 600 "$GH_TOKEN_FILE" -# --- Authenticate gh CLI --- +# --- Authenticate gh CLI with per-agent config isolation --- +# Each agent gets its own GH_CONFIG_DIR so tokens never bleed across agents. +export GH_CONFIG_DIR="${AGENT_HOME:+${AGENT_HOME}/.config/gh}" +GH_CONFIG_DIR="${GH_CONFIG_DIR:-$(mktemp -d)}" +mkdir -p "$GH_CONFIG_DIR" + gh auth login --with-token < "$GH_TOKEN_FILE" -echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)." +echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour). GH_CONFIG_DIR=$GH_CONFIG_DIR"
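Review bot: The new SKILL.md paragraph overstates what "calling the script" gives you: `export GH_CONFIG_DIR` only reaches the caller's shell when the script is sourced, so a plain `bash github-app-token/scripts/generate-token.sh` (the invocation shown at the top of the hunk) leaves the parent shell's `gh` on the shared global config, which is exactly the token mixing this patch is meant to prevent. Either document that the caller must set `GH_CONFIG_DIR` itself before running `gh`, or state the path explicitly and tell the reader to export it; the sentence "If you spawn a subprocess, export `GH_CONFIG_DIR` before calling `gh`" should apply to the non-sourced case as well. The paragraph also says the directory is always `$AGENT_HOME/.config/gh`, while the script falls back to a `mktemp -d` directory when `AGENT_HOME` is unset; that fallback (and the fact that its path is only printed in the final echo line) belongs in the doc too.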
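Review bot: `mkdir -p "$GH_CONFIG_DIR"` creates the config directory with the default umask, yet `gh auth login --with-token` will store the installation token in `hosts.yml` under that directory, so the directory deserves the same care the hunk's context already gives `$GH_TOKEN_FILE` with `chmod 600`; suggest `install -d -m 700 "$GH_CONFIG_DIR"` or `mkdir -p "$GH_CONFIG_DIR" && chmod 700 "$GH_CONFIG_DIR"`. Two smaller points on the same lines: `export GH_CONFIG_DIR="${AGENT_HOME:+${AGENT_HOME}/.config/gh}"` silently discards any `GH_CONFIG_DIR` the caller had already set (if that is intended, a comment saying so would help; otherwise `GH_CONFIG_DIR="${GH_CONFIG_DIR:-${AGENT_HOME:+$AGENT_HOME/.config/gh}}"` keeps the caller's choice), and the `mktemp -d` fallback leaves a token-bearing directory behind with no cleanup and no way for a non-sourcing caller to find it except the echo line, so failing fast when `AGENT_HOME` is unset may be the safer behaviour given the commit's goal of per-agent isolation.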