fix: Keep org-specific token rotation isolated#555
Draft
stray-nick wants to merge 3 commits intoMeltanoLabs:mainfrom
Draft
fix: Keep org-specific token rotation isolated#555stray-nick wants to merge 3 commits intoMeltanoLabs:mainfrom
stray-nick wants to merge 3 commits intoMeltanoLabs:mainfrom
Conversation
stray-nick
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Keep token rotation scoped to the current organization when that organization has its own configured token pool.
GitHub App installation tokens are org-scoped. If a stream is reading private repositories for one org and
get_next_auth_token()falls through to another org's installation token, GitHub can return misleading404 Not Foundresponses for repositories that do exist and are accessible with the correct org token.What changed
get_next_auth_token()now prefers the current organization's token managers whencurrent_organizationhas a configured token pool.Validation