fix: set GITHUB_PAT in routing pod k8s secret to enable GitHub repo creation in project_create #12

Closed
opened 2026-05-18 13:32:51 +00:00 by mathias · 1 comment
Owner

Problem

project_create skips the GitHub repo creation step when s.cfg.GitHub == nil.
This happens when GITHUB_PAT is not set in the routing pod environment.

The code in handlers.go is correct:

if s.cfg.GitHub != nil {
    if err := s.callCreateGitHubRepo(ctx, args); err != nil && !errors.Is(err, githubclient.ErrAlreadyExists) {
        return marshalPartial(res, stepCreateGitHub, err)
    }
    res.Reached = append(res.Reached, stepCreateGitHub)
}

But without GITHUB_PAT set, the GitHub client is never initialised in cmd/routing/main.go:

if cfg.GitHubPAT != "" {
    ghClient = githubclient.New(cfg.GitHubPAT)
}

This means the GitHub repo is never created, and subsequently the push-mirror sync
fails because it has no destination to push to.

Observed during e2e test on 2026-05-18: test-throwaway-001 was created on Gitea,
mirror was configured, but GitHub repo never appeared. Required manual intervention:
create GitHub repo via API, delete and recreate mirror with PAT, trigger sync manually.

Fix

Set GITHUB_PAT as a k8s secret in the routing pod deployment on koala.

1. Create the secret

kubectl create secret generic routing-github \
  --namespace routing \
  --from-literal=github-pat="$GITHUB_PAT"

Or add to the existing SOPS-encrypted secrets file for the routing pod.

2. Mount in deployment

In k3s/apps/routing/deployment.yaml, add env var from secret:

env:
  - name: GITHUB_PAT
    valueFrom:
      secretKeyRef:
        name: routing-github
        key: github-pat

3. Verify config loads correctly

After deploy, check routing pod logs on startup:

project_create registered ... github_pat_set=true

Currently logs github_pat_set=false which is the signal that PAT is missing.

4. Also set GITHUB_OWNER

Verify GITHUB_OWNER=mathiasb is set in the routing pod config. This is needed
for constructing the correct mirror remote URL.

Acceptance criteria

  • GITHUB_PAT set as k8s secret in routing namespace
  • Routing pod deployment mounts secret as env var
  • Routing pod startup log shows github_pat_set=true
  • project_create e2e test: GitHub repo appears at github.com/mathiasb/<name> within 60s
  • Mirror sync shows last_error: "" after initial sync

Required GitHub PAT scopes

  • repo — create private/public repos, push code via mirror

Related

  • hyperguild #11 (e2e test findings)
  • internal/skills/project/handlers.go — code is correct, no changes needed
  • cmd/routing/main.go — config loading is correct, no changes needed
Author
Owner

Resolved. Verified on koala cluster 2026-05-18:

routing-secrets keys present:

$ kubectl get secret routing-secrets -n routing -o jsonpath='{.data}' | jq 'keys'
["GITEA_MCP_TOKEN", "GITHUB_PAT", "LITELLM_API_KEY", "ROUTING_MCP_TOKEN"]

Deployment wires secret via envFrom (k3s/apps/routing/deployment.yaml@fe534a6):

envFrom:
  - secretRef:
      name: routing-secrets

Plus GITHUB_OWNER=mathiasb and INFRA_REPO=infra set as literal env.

Routing pod startup log confirms config loaded:

project_create registered gitea_mcp_url=http://gitea-mcp.gitea-mcp.svc.cluster.local:8080/mcp gitea_owner=mathias github_owner=mathiasb infra_repo=infra github_pat_set=true

Image deployed: gitea.d-ma.be/mathias/routing:5950ef5f0fef7a38bc29638a4514fd5b1efa4df4.

All acceptance criteria met. Remaining concern — GITHUB_PAT persistence in secrets.enc.yaml for SOPS round-trip / rebuild survival — tracked separately in #14 (Item 2).
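
One way to turn the silent skip described in this issue into a startup failure, as an added example (not hyperguild code). It reports only whether the PAT is present, as the `github_pat_set` log field does. The `Config` struct, `LoadConfig`, `StartupLine`, `Preflight` and the `mirrorRequested` flag are hypothetical names; only `GITHUB_PAT`, `GITHUB_OWNER` and the log field names come from the issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Config holds the two settings named in the issue (hypothetical struct).
type Config struct {
	GitHubPAT   string
	GitHubOwner string
}

// ErrMirrorWithoutGitHub marks the failure mode from the issue: a push mirror
// with no GitHub repo to push to because the client was never initialised.
var ErrMirrorWithoutGitHub = errors.New("push mirror requested but GITHUB_PAT is not set")

// LoadConfig takes getenv as a parameter so tests can inject a constructed environment.
func LoadConfig(getenv func(string) string) Config {
	return Config{
		GitHubPAT:   strings.TrimSpace(getenv("GITHUB_PAT")),
		GitHubOwner: strings.TrimSpace(getenv("GITHUB_OWNER")),
	}
}

// StartupLine logs presence of the PAT as a boolean and never the token itself.
func StartupLine(c Config) string {
	return fmt.Sprintf("project_create registered github_owner=%s github_pat_set=%t",
		c.GitHubOwner, c.GitHubPAT != "")
}

// Preflight returns every configuration problem at once; nil means consistent.
func Preflight(c Config, mirrorRequested bool) error {
	var problems []error
	if mirrorRequested && c.GitHubPAT == "" {
		problems = append(problems, ErrMirrorWithoutGitHub)
	}
	if c.GitHubPAT != "" && c.GitHubOwner == "" {
		problems = append(problems, errors.New("GITHUB_PAT set but GITHUB_OWNER is empty"))
	}
	return errors.Join(problems...)
}

func main() {
	cfg := LoadConfig(os.Getenv)
	fmt.Println(StartupLine(cfg))
	if err := Preflight(cfg, true); err != nil {
		fmt.Fprintln(os.Stderr, "preflight:", err)
		os.Exit(1)
	}
}
```

With a check like this, a pod started without the secret exits at startup instead of reaching the mirror sync with no destination.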

Reference: mathias/hyperguild#12