t1006: Fix cron PATH and GH_TOKEN detection #1291
- Detect current $PATH and add to crontab env
- Auto-detect GH_TOKEN from 'gh auth token' if available
- Fixes 'opencode CLI not found' errors in cron execution
- Ref GH#1289
Walkthrough
The pull request enhances the supervisor-helper.sh script to detect and propagate the user's PATH and GitHub token environment variables to cron-initiated pulses, ensuring automated tasks execute with the same tooling and authentication context as interactive sessions.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.agents/scripts/supervisor-helper.sh:
- Around line 13194-13210: The cron entry construction currently injects
GH_TOKEN into env_vars (variables gh_token and env_vars) which writes the secret
into the crontab; remove any logic that appends GH_TOKEN into env_vars so
GH_TOKEN is never placed into the generated cron line. Keep detection of gh CLI
and the gh_token retrieval (the command -v gh / gh auth token block) if you want
to cache or use it at runtime, but stop adding "${gh_token}" to env_vars (the
branch that sets env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}");
instead rely on runtime resolution of credentials and only export non-secret
envs like PATH (user_path) into the cron entry.
- Around line 13194-13212: The PATH value stored in user_path can contain
newlines or '%' characters that break cron entries; after assigning user_path,
sanitize it by stripping newlines/carriage-returns and escaping '%' (e.g.,
replace $'\n' and $'\r' with nothing and replace '%' with '\%'), then use that
sanitized variable (e.g., sanitized_path) when building env_vars and cron_cmd
instead of the raw user_path; ensure env_vars uses sanitized_path so cron
receives a single-line, percent-escaped PATH.
| # Detect current PATH for cron environment (t1006) | ||
| local user_path="${PATH}" | ||
|
|
||
| # Detect GH_TOKEN from gh CLI if available (t1006) | ||
| local gh_token="" | ||
| if command -v gh &>/dev/null; then | ||
| gh_token=$(gh auth token 2>/dev/null || true) | ||
| fi | ||
|
|
||
| # Build cron command with environment variables | ||
| local env_vars="" | ||
| if [[ -n "$user_path" ]]; then | ||
| env_vars="PATH=${user_path}" | ||
| fi | ||
| if [[ -n "$gh_token" ]]; then | ||
| env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}" | ||
| fi |
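Review bot: the final `if [[ -n "$gh_token" ]]` branch copies the output of `gh auth token` into `env_vars` once, when the cron entry is installed, so the job keeps presenting that value after the token is rotated or revoked, and because `env_vars` is placed in front of the command, the token also becomes part of the command line of every pulse that cron starts. Drop the `GH_TOKEN=${gh_token}` append and have the pulse look the token up when it runs; the `command -v gh` probe can stay if its result is only used in-process.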
Avoid writing GH_TOKEN into crontab (secret exposure risk).
Embedding GH_TOKEN in the cron entry stores it in plaintext and makes it visible via crontab -l, which is a hard security no-go. The script already resolves GH_TOKEN at runtime (cache + gh/gopass/credentials), so the cron entry doesn’t need the token.
✅ Safer approach (remove GH_TOKEN from cron line)
- # Detect GH_TOKEN from gh CLI if available (t1006)
- local gh_token=""
- if command -v gh &>/dev/null; then
- gh_token=$(gh auth token 2>/dev/null || true)
- fi
-
- # Build cron command with environment variables
+ # Build cron command with environment variables
local env_vars=""
if [[ -n "$user_path" ]]; then
env_vars="PATH=${user_path}"
fi
- if [[ -n "$gh_token" ]]; then
- env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}"
- fi
📝 Committable suggestion
| # Detect current PATH for cron environment (t1006) | |
| local user_path="${PATH}" | |
| # Detect GH_TOKEN from gh CLI if available (t1006) | |
| local gh_token="" | |
| if command -v gh &>/dev/null; then | |
| gh_token=$(gh auth token 2>/dev/null || true) | |
| fi | |
| # Build cron command with environment variables | |
| local env_vars="" | |
| if [[ -n "$user_path" ]]; then | |
| env_vars="PATH=${user_path}" | |
| fi | |
| if [[ -n "$gh_token" ]]; then | |
| env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}" | |
| fi | |
| # Detect current PATH for cron environment (t1006) | |
| local user_path="${PATH}" | |
| # Build cron command with environment variables | |
| local env_vars="" | |
| if [[ -n "$user_path" ]]; then | |
| env_vars="PATH=${user_path}" | |
| fi |
| # Detect current PATH for cron environment (t1006) | ||
| local user_path="${PATH}" | ||
|
|
||
| # Detect GH_TOKEN from gh CLI if available (t1006) | ||
| local gh_token="" | ||
| if command -v gh &>/dev/null; then | ||
| gh_token=$(gh auth token 2>/dev/null || true) | ||
| fi | ||
|
|
||
| # Build cron command with environment variables | ||
| local env_vars="" | ||
| if [[ -n "$user_path" ]]; then | ||
| env_vars="PATH=${user_path}" | ||
| fi | ||
| if [[ -n "$gh_token" ]]; then | ||
| env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}" | ||
| fi | ||
|
|
||
| local cron_cmd="*/${interval} * * * * ${env_vars:+${env_vars} }${script_path} pulse ${batch_arg} >> ${SUPERVISOR_DIR}/cron.log 2>&1 ${cron_marker}" |
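Review bot: in the `cron_cmd` line, `${env_vars}` is interpolated unquoted, and cron hands the whole command field to a shell, so a PATH entry containing a space ends the `PATH=` assignment early and the remainder is parsed as the command; `${script_path}` and `${SUPERVISOR_DIR}` have the same problem. Single-quote the PATH value when building `env_vars` (escaping any embedded single quote) and quote the two paths in the entry.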
Sanitize PATH before injecting into cron (cron treats %/newlines specially).
Cron treats % as a newline and rejects embedded newlines, so an unsanitized PATH can silently break the crontab line. Strip newlines and escape % before composing the entry.
🧹 Harden PATH for cron
# Detect current PATH for cron environment (t1006)
- local user_path="${PATH}"
+ local user_path="${PATH}"
+ # Cron treats % as newline; strip newlines and escape %
+ user_path=${user_path//$'\n'/}
+ user_path=${user_path//$'\r'/}
+ user_path=${user_path//%/\\%}
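Review bot: the two `${user_path//$'\n'/}` and `${user_path//$'\r'/}` lines delete the character instead of rejecting the value, so a PATH of `/a<newline>/b` is written as `/a/b`, a directory that was never on the PATH. If PATH contains a newline or carriage return, skip the `PATH=` prefix and log a warning; keep the `%` escape as is.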
…6) (#1291) - Detect current $PATH and add to crontab env - Auto-detect GH_TOKEN from 'gh auth token' if available - Fixes 'opencode CLI not found' errors in cron execution - Ref GH#1289



WIP - incremental commits
Ref #1289
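The two review comments above (keep GH_TOKEN out of the crontab, and make PATH safe to place on a cron line) can be exercised together. This is an added example in POSIX sh, not code from the PR or from supervisor-helper.sh; the function names `cron_path_prefix`, `crontab_secret_lines` and `sample_crontab`, the sample crontab and its paths are constructed for illustration, and the `\%` handling assumes a Vixie-style cron.

```shell
#!/bin/sh
# Added example (not from the PR): names, paths and sample data are constructed.

# cron_path_prefix VALUE
# Prints PATH='VALUE', single-quoted for the shell cron invokes and with % written
# as \% (a Vixie-style cron turns \% back into % before the shell parses the line).
# Returns 1 and prints nothing when VALUE contains a newline or carriage return.
cron_path_prefix() {
    _value=$1
    _nl='
'
    _cr=$(printf '\r')
    case $_value in
        *"$_nl"* | *"$_cr"*) return 1 ;;
    esac
    # ' -> '\'' (close quote, escaped quote, reopen quote), then % -> \%
    _escaped=$(printf '%s\n' "$_value" | sed -e "s/'/'\\\\''/g" -e 's/%/\\%/g')
    printf "PATH='%s'\n" "$_escaped"
}

# crontab_secret_lines
# Reads crontab text on stdin and prints the numbers of lines that assign a
# variable whose name ends in TOKEN, SECRET, PASSWORD or API_KEY.
# Only line numbers are printed, never the value.
crontab_secret_lines() {
    grep -nE '(^|[[:space:]])[A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|API_KEY)=' | cut -d: -f1
}

# Constructed crontab text: line 2 carries only PATH, line 3 also embeds a token.
sample_crontab() {
    cat <<'EOF'
# constructed sample crontab, not from the PR
*/5 * * * * PATH=/usr/bin /opt/example/helper.sh pulse >> /tmp/cron.log 2>&1
*/5 * * * * PATH=/usr/bin GH_TOKEN=PLACEHOLDER /opt/example/helper.sh pulse
EOF
}

# Stand-alone run: show the prefix for the current PATH, then audit the sample.
cron_path_prefix "$PATH" || echo "PATH has a newline; leaving it out of the cron entry" >&2
sample_crontab | crontab_secret_lines
```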