diff --git a/.github/workflows/opencode-review.yml b/.github/workflows/opencode-review.yml index afa2f417..7d7f325c 100644 --- a/.github/workflows/opencode-review.yml +++ b/.github/workflows/opencode-review.yml @@ -107,9 +107,13 @@ jobs: rm -rf "$fetch_dir" "$COVERAGE_SOURCE_WORKDIR" git init "$fetch_dir" git -C "$fetch_dir" remote add origin "${GITHUB_SERVER_URL}/${TARGET_REPOSITORY}.git" - git -C "$fetch_dir" \ - -c http."${GITHUB_SERVER_URL}/".extraheader="AUTHORIZATION: bearer ${GH_TOKEN}" \ - fetch --no-tags --prune --no-recurse-submodules origin "$PR_BASE_SHA" "$PR_HEAD_SHA" + auth_header="$(printf 'x-access-token:%s' "$GH_TOKEN" | base64 | tr -d '\n')" + if ! git -C "$fetch_dir" \ + -c "http.${GITHUB_SERVER_URL}/.extraheader=AUTHORIZATION: basic ${auth_header}" \ + fetch --no-tags --prune --no-recurse-submodules origin "$PR_BASE_SHA" "$PR_HEAD_SHA"; then + echo "::error::Coverage fetch could not authenticate to ${TARGET_REPOSITORY} or read base/head SHAs ${PR_BASE_SHA}/${PR_HEAD_SHA}; check token permissions, target repository access, and SHA visibility." + exit 1 + fi git -C "$fetch_dir" checkout --detach "$PR_BASE_SHA" git -C "$fetch_dir" config user.name "github-actions[bot]" git -C "$fetch_dir" config user.email "41898282+github-actions[bot]@users.noreply.github.com" diff --git a/tests/test_opencode_agent_contract.py b/tests/test_opencode_agent_contract.py index 1b908e77..7e11bacc 100644 --- a/tests/test_opencode_agent_contract.py +++ b/tests/test_opencode_agent_contract.py @@ -158,7 +158,12 @@ def test_opencode_target_coverage_materializes_merge_tree_without_checkout_actio assert "uses: actions/checkout" not in step assert "refs/pull/${{ github.event.pull_request.number }}/merge" not in step assert "TARGET_REPOSITORY:" in step + assert "x-access-token:%s" in step + assert "AUTHORIZATION: basic ${auth_header}" in step + assert "AUTHORIZATION: bearer" not in step + assert 'http."${GITHUB_SERVER_URL}/".extraheader' not in step assert 'fetch --no-tags --prune --no-recurse-submodules origin "$PR_BASE_SHA" "$PR_HEAD_SHA"' in step + assert "Coverage fetch could not authenticate" in step assert 'merge --no-ff --no-edit "$PR_HEAD_SHA"' in step assert 'Coverage merge tree could not be materialized' in step assert "PR_HEAD_SHA:" in step diff --git a/tests/test_opencode_workflow_shell_syntax.py b/tests/test_opencode_workflow_shell_syntax.py index 30485823..15f65136 100644 --- a/tests/test_opencode_workflow_shell_syntax.py +++ b/tests/test_opencode_workflow_shell_syntax.py @@ -40,6 +40,7 @@ def test_opencode_review_run_blocks_are_valid_bash(): return for step_name in ( + "Materialize pull request merge tree for coverage measurement", "Prepare bounded OpenCode review evidence", "Publish OpenCode review outcome", ):