fix(ci): clear github.token extraheader before RELEASE_PAT push #172

Merged: YiWang24 merged 1 commit into main from fix/clear-extraheader on May 26, 2026

@YiWang24 YiWang24 commented May 26, 2026

Collaborator

Problem

Even after setting the remote URL to use RELEASE_PAT, git push still fails with:

! [remote rejected] ... (refusing to allow a GitHub App to create or update workflow without workflows permission)

The push URL in the error shows https://github.com/YiAgent/OpenCI.git — not the RELEASE_PAT URL we set.

Root Cause

actions/checkout sets http.https://github.com/.extraheader with github.token. This extra header is sent with ALL git operations to GitHub, overriding the RELEASE_PAT in the URL.

Fix

Clear the extraheader before pushing:

git config --local --unset-all 'http.https://github.com/.extraheader' || true
git push "https://x-access-token:${RELEASE_PAT}@github.com/..." "${branch}"

no-issue



Greptile Summary

This PR fixes a git push failure where actions/checkout was injecting github.token via http.https://github.com/.extraheader, which overrode the RELEASE_PAT credentials in the remote URL on every request. The fix clears the extraheader before pushing and passes the PAT directly in the push URL instead of pre-configuring the remote.

  • The git remote set-url approach is replaced by an explicit git config --local --unset-all 'http.https://github.com/.extraheader' || true before the push, which is the correct and commonly recommended pattern for this scenario.
  • The || true appropriately handles the case where the extraheader key is absent (e.g., exit code 5 from git config), keeping the script compatible with set -euo pipefail.
  • The PAT is still masked in GitHub Actions runner logs since RELEASE_PAT is declared as a secret.

Confidence Score: 5/5

Safe to merge — the change is a minimal, targeted fix to a real push failure with no logic regressions.

The fix correctly targets the root cause: actions/checkout's injected extraheader silently wins the auth negotiation over credentials embedded in the remote URL. Clearing it before the push is the established pattern for this problem. The || true guard is appropriate under set -euo pipefail. No other logic in the workflow is altered.

No files require special attention; the change is confined to four lines in the push step.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/on-main-bump-sha.yml | Fixes push auth by clearing the actions/checkout-injected extraheader before pushing with RELEASE_PAT; removes the now-unnecessary remote set-url step and pushes directly with the PAT embedded in the URL. |

Sequence Diagram

sequenceDiagram
    participant Runner as GitHub Runner
    participant GitConfig as Git Config
    participant GitHub as github.com

    Note over Runner,GitHub: actions/checkout injects github.token
    Runner->>GitConfig: Set extraheader with github.token

    Note over Runner,GitHub: OLD push behavior
    Runner->>GitConfig: set-url origin with PAT in URL
    Runner->>GitHub: git push origin branch
    GitHub-->>Runner: Rejected — extraheader overrides PAT creds

    Note over Runner,GitHub: NEW push behavior (this PR)
    Runner->>GitConfig: unset-all extraheader
    Runner->>GitHub: git push PAT-URL branch
    GitHub-->>Runner: Accepted — only PAT credentials sent

Reviews (1): Last reviewed commit: "fix(ci): clear extraheader before pushin..."

actions/checkout sets http.extraheader with github.token, which
overrides the RELEASE_PAT in the remote URL. Clear the extraheader
before pushing so the PAT actually takes effect.
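
An added example, not part of the PR or the OpenCI workflow: the unset step from the fix, followed by a check that no other config scope still supplies the header, since `--local --unset-all` only edits the repository's own config. The function names, the throwaway repository and the dummy header value are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: runs offline against a constructed throwaway repository.
KEY='http.https://github.com/.extraheader'
DUMMY='AUTHORIZATION: basic ZHVtbXk='   # constructed placeholder, not a real token

# Exit 0 if the header is still effective in ANY config scope
# (local, global, system or an included file).
extraheader_present() {
  git -C "$1" config --get-all "$KEY" >/dev/null 2>&1
}

# Unset the header in the repo-local config, then verify that no other scope
# still supplies it. Returns 1 if a push would still carry the header.
clear_extraheader() {
  git -C "$1" config --local --unset-all "$KEY" || true   # key may be absent
  if extraheader_present "$1"; then
    echo "extraheader still configured outside the local scope" >&2
    return 1
  fi
}

demo() {
  local repo
  repo=$(mktemp -d)
  git init -q "$repo"
  git -C "$repo" config --local "$KEY" "$DUMMY"   # state described in the PR
  extraheader_present "$repo" && echo "before: extraheader set"
  clear_extraheader "$repo" && echo "after: only URL credentials would be sent"
  rm -rf "$repo"
}
demo
```

Failing the step when `clear_extraheader` returns non-zero surfaces a leftover header before the push is attempted, instead of as a rejected push.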
coderabbitai Bot commented May 26, 2026

Warning

Review limit reached

@YiWang24, we couldn't start this review because you've reached your PR review rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between b3b2bf0 and af518c1.

📒 Files selected for processing (1)
  • .github/workflows/on-main-bump-sha.yml

@YiWang24 YiWang24 merged commit 38435eb into main May 26, 2026
9 of 16 checks passed
@YiWang24 YiWang24 deleted the fix/clear-extraheader branch May 26, 2026 03:13
@openbot-dev openbot-dev Bot left a comment

The diff correctly fixes a known issue where actions/checkout sets http.https://github.com/.extraheader with github.token, which can override the PAT in the URL during push. The change is well-motivated and correctly implemented.
