test(ci): validate GitHub token from pool with API call#7459
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds validation of GitHub tokens fetched from the token pool by making an API call to verify they work before using them. This prevents workflow failures from invalid or expired tokens.
Key Changes:
- Adds a GitHub API rate_limit call to validate tokens after format validation
- Skips invalid tokens and falls back to the default
GITHUB_TOKEN
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| echo "token=$token" >> "$GITHUB_OUTPUT" | ||
| echo "token_id=$(echo "$response" | jq -r '.token_id')" >> "$GITHUB_OUTPUT" | ||
| # Validate the token works by calling GitHub API | ||
| if curl -sf -H "Authorization: token $token" "https://api.github.com/rate_limit" > /dev/null; then |
There was a problem hiding this comment.
The authorization header format 'token $token' is deprecated by GitHub. Use 'Bearer $token' instead for the Authorization header to follow GitHub's current API standards.
Suggested change
| if curl -sf -H "Authorization: token $token" "https://api.github.com/rate_limit" > /dev/null; then | |
| if curl -sf -H "Authorization: Bearer $token" "https://api.github.com/rate_limit" > /dev/null; then |
| echo "token=$token" >> "$GITHUB_OUTPUT" | ||
| echo "token_id=$(echo "$response" | jq -r '.token_id')" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "Token failed GitHub API validation, skipping" |
There was a problem hiding this comment.
The error message doesn't indicate whether the workflow will fall back to GITHUB_TOKEN or fail. Add clarification like 'Token failed GitHub API validation, falling back to GITHUB_TOKEN' to help with debugging.
Suggested change
| echo "Token failed GitHub API validation, skipping" | |
| echo "Token failed GitHub API validation; skipping custom token and relying on GITHUB_TOKEN or default workflow behavior" |
2ea8f37 to
428fd6c
Compare
428fd6c to
1b4d2d7
Compare
Before using a token from the pool, verify it works by calling the GitHub rate_limit API. This catches invalid/expired tokens early rather than failing later in the workflow. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1b4d2d7 to
552b6ce
Compare
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.12 x -- echo |
19.7 ± 0.3 | 19.2 | 22.3 | 1.00 ± 0.03 |
mise x -- echo |
19.7 ± 0.4 | 19.0 | 22.6 | 1.00 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.12 env |
18.9 ± 0.3 | 18.3 | 21.7 | 1.00 |
mise env |
19.2 ± 0.7 | 18.5 | 26.9 | 1.01 ± 0.04 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.12 hook-env |
19.2 ± 0.4 | 18.4 | 22.2 | 1.00 |
mise hook-env |
19.2 ± 0.5 | 18.5 | 24.5 | 1.00 ± 0.03 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.12 ls |
16.6 ± 0.2 | 16.2 | 17.5 | 1.00 |
mise ls |
16.9 ± 0.3 | 16.3 | 18.3 | 1.01 ± 0.02 |
xtasks/test/perf
| Command | mise-2025.12.12 | mise | Variance |
|---|---|---|---|
| install (cached) | 108ms | 109ms | +0% |
| ls (cached) | 65ms | 66ms | -1% |
| bin-paths (cached) | 71ms | 72ms | -1% |
| task-ls (cached) | 2260ms | ✅ 287ms | +687% |
✅ Performance improvement: task-ls cached is 687%
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Before using a token from the pool, verify it works by calling the GitHub rate_limit API. This catches invalid/expired tokens early rather than failing later in the workflow.
Problem
PR #7395 was failing because
wait-for-gh-rate-limitgot a 401 error - the token from the pool was invalid but wasn't validated before being used.Solution
Add a curl call to
https://api.github.com/rate_limitafter fetching the token to verify it works. If validation fails, skip the token (workflow will use the defaultGITHUB_TOKEN).🤖 Generated with Claude Code
Note
Validate fetched pool token via GitHub API and tighten checks/early exits in the fetch-token action.
.github/actions/fetch-token/action.yml):token; enforces stricter format/length validation.rate_limitAPI; skips on failure.tokenandtoken_idoutputs only after successful validation.Written by Cursor Bugbot for commit 552b6ce. This will update automatically on new commits. Configure here.