fix: use x-access-token user for GitHub App token in git insteadOf#501
Merged
Conversation
The GitHub App token rewrite added in #484 produced URLs of the form `https://<TOKEN>@github.com/...`. GitHub App installation tokens (unlike PATs) require the literal username `x-access-token`; without it git treats the token as the username, GitHub returns 401, and git falls back to a non-interactive password prompt: fatal: could not read Password for 'https://***@github.com': No such device or address This broke installation of private git+ssh dependencies (e.g. splunk/psa-cim-models) in `run-unit-tests`, `build`, and the ucc-modinput test setup. Prefix the rewritten URL with `x-access-token:` in all three places. Co-authored-by: Cursor <cursoragent@cursor.com>
dkaras-splunk
approved these changes
Jun 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The PAT → GitHub App migration in #484 rewrites private-repo clones via:
That worked for PATs (GitHub accepts a PAT as the username), but GitHub App installation tokens require the literal username
x-access-token. With only<TOKEN>@github.com, git treats the token as the username, GitHub returns 401, and git falls back to a non-interactive password prompt:This is currently breaking downstream add-ons that install private `git+ssh` dependencies (e.g. `splunk/psa-cim-models`) during the reusable workflow's `run-unit-tests` step. Example failing run: https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/runs/27150540186/job/80206858148.
Fix
Prefix the rewritten URL with `x-access-token:` in all three jobs that perform the rewrite:
Targeting `main` so it can ship as a `v5.5.x` patch (matches the path taken by #495/#496/#497/#500).
Note on App scope (not part of this PR)
Even with this fix, the GitHub App identified by `GH_APP_CLIENT_ID` / `GH_APP_PRIVATE_KEY` must be installed on the private dependency repo (e.g. `splunk/psa-cim-models`) with `contents: read`. Otherwise the clone will now fail with a clearer 403/404 instead of the password-prompt error. The `create-github-app-token` call only specifies `owner: ${{ github.repository_owner }}`, so it inherits whatever repos the App is installed on in the org.
Checklist
Testing done
To verify after merge & v5.5.x tag: re-run the failing `splunk-add-on-for-microsoft-cloud-services` pipeline pinned to the new tag and confirm `run-unit-tests` clones `splunk/psa-cim-models` successfully.
Made with Cursor