[codex] Require Tessl auth for skill review#17
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the GitHub Action to require Tessl authentication for tessl skill review, ensuring missing/invalid auth fails the check even when fail-threshold: 0 (which should only disable score gating).
Changes:
- Add
tessl-tokeninput and wire it throughsetup-tessl@v2and runtime env vars. - Detect Tessl auth/login/401 failures and treat them as action failures regardless of threshold.
- Update documentation and examples to show the required secret.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/skill-review.ts | Adds auth-error detection and adjusts failure handling to avoid “passing” auth failures when threshold is 0. |
| src/main.ts | Fails the action on detected auth failures before applying score-threshold gating. |
| src/main.test.ts | Adds unit tests for auth error detection and threshold-0 auth failure behavior. |
| README.md | Updates usage and inputs docs to require tessl-token. |
| action.yml | Adds tessl-token input, upgrades to setup-tessl@v2, and passes token to setup/runtime. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (exitCode !== 0) { | ||
| const error = stderr || stdout || `Process exited with code ${exitCode}`; | ||
| console.warn( | ||
| `tessl skill review failed for ${skillFilePath} (exit code ${exitCode}): ${stderr}`, | ||
| `tessl skill review failed for ${skillFilePath} (exit code ${exitCode}): ${error}`, | ||
| ); | ||
| return { | ||
| skillPath: skillFilePath, | ||
| passed: threshold === 0, | ||
| passed: threshold === 0 && !isAuthErrorMessage(error), | ||
| score: -1, | ||
| output: '', | ||
| error: stderr || `Process exited with code ${exitCode}`, | ||
| error, | ||
| }; |
| tessl-token: | ||
| description: 'Tessl API token used to authenticate review requests. Store this as a GitHub secret, for example secrets.TESSL_TOKEN.' | ||
| required: false |
| // 5. Auth failures are infrastructure failures, not score failures. | ||
| // `fail-threshold: 0` disables score gating only; it must not hide missing auth. | ||
| const authFailures = results.filter((r) => isAuthErrorMessage(r.error)); | ||
| if (authFailures.length > 0) { | ||
| const summary = authFailures.map((r) => ` ${r.skillPath}`).join('\n'); | ||
| core.setFailed( | ||
| `Tessl authentication failed for ${authFailures.length} skill(s). Configure the tessl-token input with a Tessl API token stored in a GitHub secret.\n${summary}`, | ||
| ); | ||
| return; | ||
| } |
|
Thanks for this, Bap — pulled the branch down and gave it a review. Comment still posts on an auth failure (main thing I'd fix before merge) In Could we detect Token passed via three channels — nice to confirm which is canonical
Nits, non-blocking:
Approvable from my side — I'd just sort the comment-on-auth-failure ordering, then happy to 🚀 |
popey
left a comment
There was a problem hiding this comment.
Approving — re-ran bun test (39 pass) and bun run lint (clean) on the branch. The core change is right: this flips the 401-under-fail-threshold:0 case from a silent green check to a clear red failure with actionable guidance, which is exactly what we need for the accounts still on the unauthenticated setup.
✅ from me to land this now. Two notes, neither blocking the merge:
- Coordinate the merge with outreach. Since consumers pin
@mainand there are no tags, merging immediately turns affected repos' checks red until they add aTESSL_TOKENsecret + thewith: tessl-token:line. I'm prepping the copy-paste snippet for sales so the merge and the "here's how to fix it" message go out together rather than leaving Adobe/Samsara staring at a red X. - Comment-on-auth-failure ordering (from my earlier review) — still worth a quick follow-up so we don't post N identical 401 blocks, but don't let it hold up the urgent merge.
This is auth-only; the tessl skill review → tessl review command migration is tracked as the separate 2–3 week piece.
Summary
tessl-tokeninput and pass that one configured secret throughsetup-tessl@v2and the review runtime.fail-thresholdis0.Why
skill reviewnow requires Tessl authentication. Existing workflows could appear successful when review failed underfail-threshold: 0; this makes missing or invalid auth fail the check clearly.Validation
bun testbun run lintgit diff --check