Expand Up @@ -537,6 +537,17 @@ while IFS= read -r line; do
REVIEW_FINDINGS=$(cat "${SHARED_DIR}/claude-${ISSUE_KEY}-review-text.txt")
fi

# Refresh tokens before Phase 3 since it pushes code.
# Phases 1-2 can exceed the 1-hour GitHub App token lifetime.
echo "Refreshing GitHub App tokens before Phase 3..."
GITHUB_TOKEN_FORK=$(generate_github_token "$INSTALLATION_ID_FORK")
if [ -z "$GITHUB_TOKEN_FORK" ] || [ "$GITHUB_TOKEN_FORK" = "null" ]; then
echo "ERROR: Failed to refresh GitHub App token for fork"
else
git config --global credential.helper "!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN_FORK}; }; f"
echo "Fork token refreshed"
fi
Comment on lines +540 to +549

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't continue into Phase 3/4 with a failed token refresh.

Lines 544-549 and Lines 621-633 only log refresh failures, then fall through into the push/PR phases with the previous credentials still configured. In the same long-running case this change is addressing, that leaves Phase 3 pushing with an expired fork token and Phase 4 calling gh with an expired upstream token. Retry the refresh or fail the current issue before entering the dependent phase.

Also applies to: 616-633

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hypershift/jira-agent/process/hypershift-jira-agent-process-commands.sh`
around lines 540 - 549, The refresh block for the GitHub App token using
generate_github_token (GITHUB_TOKEN_FORK) only logs failures and continues,
which allows Phase 3/4 to run with expired credentials; update the logic in the
token refresh sections (the GITHUB_TOKEN_FORK and GITHUB_TOKEN_UPSTREAM refresh
blocks around generate_github_token) to either retry token generation a few
times with backoff or immediately fail the script when refresh returns
empty/"null" before entering the push/PR phases—i.e., on failure do a bounded
retry of generate_github_token and if still unsuccessful call exit 1 (or
otherwise abort the run) instead of merely echoing an error so Phase 3/4 never
proceed with stale credentials.


PHASE3_START=$(date +%s)

if [ -n "$REVIEW_FINDINGS" ]; then
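Review bot: On the `git config --global credential.helper` line, `${GITHUB_TOKEN_FORK}` is expanded inside double quotes, so the literal token value is written into the global git config in plaintext and remains there until the next overwrite. Consider single-quoting the helper body and exporting `GITHUB_TOKEN_FORK`, so the helper reads the variable when git invokes it; a refresh then only has to update the variable and no token value sits in the config file. Separately, the `ERROR: Failed to refresh GitHub App token for fork` branch only echoes and falls through to `PHASE3_START`, so Phase 3 still runs with whatever helper was configured earlier; return non-zero or skip the issue at that point.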
Expand Down Expand Up @@ -602,11 +613,10 @@ IMPORTANT:
echo "Phase 3 duration: ${PHASE3_DURATION}s"
echo "$PHASE3_DURATION" > "${SHARED_DIR}/claude-${ISSUE_KEY}-fix-duration.txt"

# Regenerate GitHub App tokens before push/PR operations.
# Installation tokens expire after 1 hour, and phases 1-3 can
# easily exceed that. Refreshing here ensures push and PR
# creation use a valid token.
echo "Refreshing GitHub App tokens before push/PR..."
# Regenerate GitHub App tokens before Phase 4.
# Phase 3 may also have taken significant time, so refresh again
# to ensure PR creation uses a valid token.
echo "Refreshing GitHub App tokens before Phase 4..."
GITHUB_TOKEN_FORK=$(generate_github_token "$INSTALLATION_ID_FORK")
if [ -z "$GITHUB_TOKEN_FORK" ] || [ "$GITHUB_TOKEN_FORK" = "null" ]; then
echo "ERROR: Failed to refresh GitHub App token for fork"
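Review bot: The `generate_github_token "$INSTALLATION_ID_FORK"` call and its empty/`null` check here duplicate the block added before Phase 3, so any fix to the failure path has to be made in two places. Move the refresh into one shell function (for example a hypothetical `refresh_fork_token`) that returns non-zero on failure, and call it before each phase. The rewritten comment also drops the removed line "Installation tokens expire after 1 hour"; that lifetime is the reason for the refresh and is worth keeping next to this block as well.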
Expand Down Expand Up @@ -648,7 +658,7 @@ IMPORTANT:
set +e
claude -p "$PR_PROMPT" \
--allowedTools "Bash Read Grep Glob" \
--max-turns 15 \
--max-turns 30 \
--effort max \
--model "$CLAUDE_MODEL" \
--verbose \
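Review bot: The change from `--max-turns 15` to `--max-turns 30` has no comment in the hunk and is not a token-refresh change. Doubling the turn budget alongside `--effort max` lets the `claude -p "$PR_PROMPT"` run last longer, and that run depends on the tokens refreshed just before it, which is the expiry window the rest of the diff is working around. Add a comment giving the reason for 30, or split this line into its own commit.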