Skip to content

feat: add TokenProvider seam for per-request GitHub tokens#1

Merged
trakhimenok merged 1 commit into
mainfrom
feat/token-provider-seam
Jul 2, 2026
Merged

feat: add TokenProvider seam for per-request GitHub tokens#1
trakhimenok merged 1 commit into
mainfrom
feat/token-provider-seam

Conversation

@trakhimenok

Copy link
Copy Markdown
Contributor

Summary

Replaces the construction-time github.WithAuthToken(cfg.Token) binding with a per-request token seam, so callers can inject rotating credentials — e.g. short-lived (1h) GitHub App installation tokens minted on demand by the sneat-go backend — without rebuilding the adapter.

Implements sequencing item 3 of the OVDB access-tokens-and-grants design (sneat-co/backstage docs/roadmaps/ovdb-access-tokens-grants.md, Decision 3.4).

Public API

  • type TokenProvider interface { Token(ctx context.Context) (string, error) }
  • type TokenProviderFunc func(ctx context.Context) (string, error) — func adapter
  • func StaticTokenProvider(token string) TokenProvider
  • Config.TokenProvider TokenProvider — takes precedence over Config.Token

Backward compatibility

  • A non-empty Config.Token with no provider is auto-wrapped in StaticTokenProviderexisting callers keep working unchanged (entire pre-existing test suite passes untouched).
  • Empty token from a provider = unauthenticated request (same as empty Config.Token today).

Implementation notes

  • Token injection happens in a tokenProviderTransport http.RoundTripper consulted on every request; provider errors abort the request before it fires and surface as regular operation errors.
  • Caller-supplied http.Clients are shallow-copied, never mutated.
  • The duplicated go-github client construction in NewGitHubFileReader / NewTreeWriter is consolidated into newGitHubAPIClient.
  • go.sum: adds missing entries for dalgo v0.62.2 and golang.org/x/sys (local go build failed on main without them).

Tests

New coverage for: static-provider wrap, provider-wins-over-token precedence, provider called per operation with rotating tokens, error propagation through reader and writer, empty-token-unauthenticated, and no-mutation of caller HTTP clients. go build && go vet && go test green; package coverage 99.8%.

🤖 Generated with Claude Code

https://claude.ai/code/session_01FV3pbooAc9UPpNdiaJuKve

Replace construction-time github.WithAuthToken(cfg.Token) with a
per-request token resolution so callers can inject rotating credentials
(e.g. short-lived GitHub App installation tokens minted on demand by the
sneat-go backend) without rebuilding the adapter.

- Add TokenProvider interface { Token(ctx) (string, error) },
  TokenProviderFunc adapter and StaticTokenProvider(token).
- Add Config.TokenProvider field; an explicit provider wins over
  Config.Token, and a bare non-empty Config.Token is auto-wrapped in
  StaticTokenProvider, so existing callers keep working unchanged.
- Inject the token via a tokenProviderTransport RoundTripper that asks
  the provider on every request; provider errors abort the request and
  surface as regular operation errors. Caller-supplied http.Clients are
  copied, never mutated.
- Deduplicate the identical go-github client construction in
  NewGitHubFileReader and NewTreeWriter into newGitHubAPIClient.
- go.sum: add missing entries for dalgo v0.62.2 and golang.org/x/sys.

Design: sneat-co/backstage docs/roadmaps/ovdb-access-tokens-grants.md
(Decision 3.4, sequencing item 3).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FV3pbooAc9UPpNdiaJuKve
@trakhimenok trakhimenok merged commit 1fdc0e5 into main Jul 2, 2026
8 checks passed
@trakhimenok trakhimenok deleted the feat/token-provider-seam branch July 2, 2026 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant