feat: add support for token sources in GitLab and Forgejo#8868
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces a unified authentication token resolution system for GitLab and Forgejo backends, mirroring the existing GitHub implementation. It adds support for environment variables, host-specific configuration files (gitlab_tokens.toml, forgejo_tokens.toml), and fallback integration with the glab and fj CLIs. New CLI commands mise gitlab token and mise forgejo token are provided for debugging token resolution. Feedback includes correcting a documentation comment in the Forgejo module, simplifying host lookup logic in the GitLab module using existing helper functions, and suggesting a rename for the github_headers function in src/http.rs as it now handles multiple backends.
e4e52e5 to
6e314e1
Compare
fb29569 to
d3ad13f
Compare
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds expanded token-resolution support for GitLab and Forgejo (including new token sources and debugging CLI commands) and routes HTTP auth headers for these providers similarly to existing GitHub behavior.
Changes:
- Introduce shared token utilities (
src/tokens.rs) for parsing token files, masking, and credential-based token retrieval. - Add GitLab/Forgejo token resolution +
mise gitlab token/mise forgejo tokenCLI subcommands with docs and completions. - Update HTTP client auth header selection to support GitLab and Forgejo.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| xtasks/fig/src/mise.ts | Adds Fig completion entries for forgejo token and gitlab token. |
| src/tokens.rs | New shared helpers: TOML/YAML token parsing, token masking, and credential-command/git-credential token fetch with caching. |
| src/main.rs | Registers the new tokens module. |
| src/http.rs | Replaces GitHub-only header injection with host-based auth headers for GitHub/GitLab/Forgejo. |
| src/gitlab.rs | Adds multi-source GitLab token resolution and exposes headers based on resolved token. |
| src/github.rs | Refactors to use shared token helpers for credential command, git credential, token masking, and token TOML parsing. |
| src/forgejo.rs | Adds multi-source Forgejo token resolution and exposes headers based on resolved token. |
| src/cli/mod.rs | Wires new forgejo and gitlab CLI command groups into the main CLI. |
| src/cli/gitlab/token.rs | Implements mise gitlab token debugging command (masked/unmasked output + source). |
| src/cli/gitlab/mod.rs | Adds mise gitlab <subcommand> dispatcher. |
| src/cli/github/token.rs | Switches to shared tokens::mask_token and removes local masking helper. |
| src/cli/forgejo/token.rs | Implements mise forgejo token debugging command (masked/unmasked output + source). |
| src/cli/forgejo/mod.rs | Adds mise forgejo <subcommand> dispatcher. |
| settings.toml | Adds Forgejo/GitLab settings for credential command, CLI token fallbacks, and git-credentials usage. |
| schema/mise.json | Adds JSON schema settings for Forgejo/GitLab token-related configuration. |
| mise.usage.kdl | Adds usage spec entries for forgejo token and gitlab token. |
| man/man1/mise.1 | Documents new CLI commands and their flags/arguments. |
| e2e/cli/test_gitlab_token | Adds e2e coverage for GitLab token resolution and masking behavior. |
| e2e/cli/test_forgejo_token | Adds e2e coverage for Forgejo token resolution and masking behavior. |
| docs/dev-tools/backends/gitlab.md | Documents GitLab authentication/token source priority and debugging command. |
| docs/dev-tools/backends/forgejo.md | Documents Forgejo authentication/token source priority and debugging command. |
| docs/cli/index.md | Adds Forgejo/GitLab commands to CLI index. |
| docs/cli/gitlab/token.md | Generates docs for mise gitlab token. |
| docs/cli/gitlab.md | Generates docs for mise gitlab. |
| docs/cli/forgejo/token.md | Generates docs for mise forgejo token. |
| docs/cli/forgejo.md | Generates docs for mise forgejo. |
| docs/.vitepress/cli_commands.ts | Adds Forgejo/GitLab commands to the docs site command registry. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| pub fn get_credential_command_token(provider: &str, cmd: &str, host: &str) -> Option<String> { | ||
| let cache_key = format!("{provider}:{host}"); | ||
| let mut cache = CREDENTIAL_COMMAND_CACHE | ||
| .lock() | ||
| .expect("CREDENTIAL_COMMAND_CACHE mutex poisoned"); | ||
| if let Some(token) = cache.get(&cache_key) { | ||
| return token.clone(); | ||
| } | ||
|
|
||
| let path_without_shims = path_env_without_shims(); | ||
| let result = std::process::Command::new("sh") | ||
| .arg("-c") | ||
| .arg(cmd) | ||
| .arg("mise-credential-helper") // $0 | ||
| .arg(host) // $1 | ||
| .env("PATH", &path_without_shims) | ||
| .env("GIT_TERMINAL_PROMPT", "0") | ||
| .stdin(std::process::Stdio::null()) | ||
| .stdout(std::process::Stdio::piped()) | ||
| .stderr(std::process::Stdio::piped()) | ||
| .output() |
There was a problem hiding this comment.
Both token getters hold the global cache Mutex while running external processes. Here, the lock is held across Command::output(), which can block other threads trying to resolve tokens (and can amplify delays if the command hangs). Suggested fix: limit the lock scope to (1) check cache, then drop the lock; (2) compute result; (3) re-lock briefly to insert (optionally double-check if another thread already inserted). Apply the same pattern to get_git_credential_token.
Greptile SummaryThis PR adds support for richer token sources in GitLab and Forgejo backends, aligning them with the existing GitHub token resolution system. It also introduces a new Key changes:
Confidence Score: 5/5Safe to merge — no new P0/P1 issues found; the enterprise-token-leak fix is correctly implemented by removing the enterprise-check from is_forgejo_host/is_gitlab_host All remaining architectural gaps (credential_command and use_git_credentials not reflected in is_forgejo_host, so HTTP-download middleware misses those sources) were already flagged in prior review threads and represent known limitations rather than new regressions introduced here. New token resolution logic is consistent across providers and thoroughly exercised by e2e tests. Code is clean with good separation of concerns via the new tokens.rs module. No files require special attention; src/http.rs host_auth_headers and the is_forgejo_host/is_gitlab_host gap are areas to follow up in a subsequent PR for full credential_command and git-credentials HTTP-download authentication coverage Important Files Changed
Sequence DiagramsequenceDiagram
participant User
participant CLI as mise token forgejo [host]
participant RT as resolve_token(host)
participant Env as Environment Vars
participant CC as credential_command
participant TF as forgejo_tokens.toml
participant FJ as fj CLI keys.json
participant GC as git credential fill
User->>CLI: mise token forgejo [host]
CLI->>RT: resolve_token(host)
RT->>Env: MISE_FORGEJO_ENTERPRISE_TOKEN (non-codeberg only)
alt enterprise token found
Env-->>RT: (token, EnvVar)
else
RT->>Env: MISE_FORGEJO_TOKEN / FORGEJO_TOKEN
alt env token found
Env-->>RT: (token, EnvVar)
else
RT->>CC: sh -c credential_command host
alt credential_command returns token
CC-->>RT: (token, CredentialCommand)
else
RT->>TF: lookup host
alt token in toml
TF-->>RT: (token, TokensFile)
else
RT->>FJ: lookup host in keys.json
alt fj CLI token found
FJ-->>RT: (token, FjCli)
else
RT->>GC: git credential fill
GC-->>RT: (token or None, GitCredential)
end
end
end
end
end
RT-->>CLI: Option<(String, TokenSource)>
CLI-->>User: host: xxxx...yyyy (source: SOURCE)
Reviews (15): Last reviewed commit: "Merge branch 'main' into feat/tokensourc..." | Re-trigger Greptile |
e7a548f to
4ae3d04
Compare
39169c6 to
c289698
Compare
02a707c to
a0a6647
Compare
6dfcf79 to
7a44f5a
Compare
dde3a0b to
ea1776e
Compare
|
@jdx I think the |
|
I agree, I think we should hide/deprecate |
5bb8c7e to
ebe47e4
Compare
01c8559 to
6600eee
Compare
### 🚀 Features - **(config)** report env files in config ls and doctor output by @SamSoldatenko in [#8853](#8853) - add support for token sources in GitLab and Forgejo by @roele in [#8868](#8868) ### 🐛 Bug Fixes - **(aqua)** prevent double .exe extension when Windows override URL already ends in .exe by @yusei-wy in [#8863](#8863) - **(bash)** avoid duplicate trust warning after cd by @timothysparg in [#8920](#8920) - **(env)** prevent config root injection into PATH via _.source by @jdx in [#8936](#8936) - **(install)** suppress spurious dependency warning when tool is configured by @jdx in [#8923](#8923) ### 📚 Documentation - **(node)** add section on pinning npm version by @jdx in [#8925](#8925) - add Windows default paths and mise.toml examples alongside CLI commands by @jdx in [#8926](#8926) - clarify common sources of confusion from GitHub discussions by @jdx in [#8927](#8927) - clarify Python venv mechanisms, JAVA_HOME behavior, and activation performance by @jdx in [#8928](#8928) - add FAQ and troubleshooting entries based on common Discord questions by @jdx in [#8930](#8930) ### New Contributors - @SamSoldatenko made their first contribution in [#8853](#8853) - @yusei-wy made their first contribution in [#8863](#8863)
`mise token github` (added in #8868) supersedes `mise github token`. Emit a deprecation warning on the parent `mise github` command and drop the new `mise github login` (use `mise token github --oauth` instead). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`mise token github` (added in #8868) supersedes `mise github token`. Emit a deprecation warning on the parent `mise github` command and drop the new `mise github login` (use `mise token github --oauth` instead). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adding support for more token sources in GitLab and Forgejo.