
feat(agent-env): add default GH_TOKEN, GITHUB_TOKEN, and git identity overrides #179

Merged
amondnet merged 4 commits into main from amondnet/sprout-pen
Mar 23, 2026

@amondnet amondnet commented Mar 23, 2026

Summary

  • Inject default GH_TOKEN / GITHUB_TOKEN (via ${INSTALLATION_ACCESS_TOKEN}) into agent env when tokenProvider is available, so Claude Code agents get GitHub auth without explicit env: in WORKFLOW.md
  • Add BotIdentity interface and optional botIdentity() to TokenProvider — queries GET /users/{bot_username}[bot] to resolve bot user ID for noreply email
  • Default git identity (GIT_AUTHOR_*, GIT_COMMITTER_*) is injected from bot identity, ensuring correct attribution on git commit
  • User-defined env in WORKFLOW.md always takes precedence over defaults

Test plan

  • bun test packages/core/src/agent-env.test.ts — 7 new tests for default override behavior
  • Verify existing tests still pass (bun run test)
  • Type check passes (bun run check)

Summary by cubic

Automatically injects GitHub auth and a bot git identity into agent environments when a GitHub token provider is configured. Adds safeguards, identity caching, clearer logging, and a 30s timeout for bot identity lookup.

  • New Features

    • Default GH_TOKEN and GITHUB_TOKEN set to ${INSTALLATION_ACCESS_TOKEN} when a token provider exists; user-defined env always wins.
    • Added BotIdentity and optional botIdentity() to TokenProvider; orchestrator queries GET /users/{bot_username}[bot] and caches the result to build the noreply email.
    • resolveAgentEnv sets GIT_AUTHOR_* and GIT_COMMITTER_* from the bot identity when missing.
  • Bug Fixes

    • Only inject git identity when GitHub credentials are present; separate JSON parse vs network errors in fetchBotIdentity; add a 30s fetch timeout to avoid hangs.

Written for commit 94e8b8c. Summary will update on new commits.

… overrides

Inject sensible defaults into the agent environment so that Claude Code
agents automatically get GitHub auth and bot git identity without
requiring explicit `env:` in WORKFLOW.md.

- Add `BotIdentity` interface and optional `botIdentity()` to `TokenProvider`
- `resolveAgentEnv` now injects `GH_TOKEN` / `GITHUB_TOKEN` defaults
  (resolved via `${INSTALLATION_ACCESS_TOKEN}`) when tokenProvider is present
- `buildTokenProvider` queries `GET /users/{bot_username}[bot]` to resolve
  the bot user ID for noreply email format
- User-defined env in WORKFLOW.md always takes precedence over defaults
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the agent environment resolution by introducing automatic injection of default GitHub tokens and git identity information. Agents can now seamlessly authenticate with GitHub and attribute their commits correctly without explicit configuration, while still allowing users to override these defaults when needed. This streamlines agent development and improves the integrity of automated git operations.

Highlights

  • Default GitHub Token Injection: Default GH_TOKEN and GITHUB_TOKEN are now automatically injected into the agent's environment using the installation access token, simplifying GitHub authentication for agents.
  • Git Identity Overrides: Git identity variables (GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL) are automatically set based on the bot's identity, ensuring correct attribution for git commits made by agents.
  • Bot Identity Resolution: A new BotIdentity interface and an optional botIdentity() method have been added to the TokenProvider to fetch and cache bot user details from the GitHub API.
  • User-Defined Precedence: User-defined environment variables in WORKFLOW.md always take precedence over these newly introduced defaults, allowing for explicit overrides.
  • New Test Coverage: New tests were added to agent-env.test.ts to cover the default environment variable injection and override logic comprehensively.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a valuable feature for automatically injecting default GitHub authentication tokens and git author identity into the agent's environment. The implementation is well-executed, including good test coverage, caching for the bot identity, and proper handling of user overrides. I have a couple of suggestions to enhance the code's clarity and long-term maintainability.


@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 5 files

Confidence score: 4/5

  • This PR is likely safe to merge, but there is a moderate reliability risk: bot startup can hang if identity fetch never returns, which can block agent initialization.
  • The main issue is in packages/core/src/orchestrator.ts: adding a timeout around the GitHub bot identity call would prevent indefinite waits on slow or unresponsive endpoints.
  • Pay close attention to packages/core/src/orchestrator.ts - startup flow depends on this fetch path, so lack of timeout can cause stalled launches.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/core/src/orchestrator.ts">

<violation number="1" location="packages/core/src/orchestrator.ts:1050">
P2: Add a timeout to bot identity fetch so agent startup cannot hang on a slow/unresponsive GitHub endpoint.</violation>
</file>
Architecture diagram
sequenceDiagram
    participant Runner as Agent Runner
    participant Env as Env Resolver
    participant TP as Token Provider
    participant GH as GitHub API
    
    Note over Runner,GH: NEW: Default Auth & Identity Injection Flow
    
    Runner->>Env: resolveAgentEnv(config, tokenProvider)
    
    rect rgb(240, 240, 240)
    Note over Env,TP: Build Defaults
    Env->>Env: NEW: Check for missing GH_TOKEN / GITHUB_TOKEN
    opt If missing
        Env->>Env: NEW: Add ${INSTALLATION_ACCESS_TOKEN} to defaults
    end
    
    Env->>Env: NEW: Check for missing GIT_AUTHOR/COMMITTER keys
    opt If git keys missing AND botIdentity exists
        Env->>TP: botIdentity()
        alt Cache miss
            TP->>GH: NEW: GET /users/{bot_username}[bot]
            GH-->>TP: 200 OK (id, login)
            TP->>TP: Construct noreply email using ID
        end
        TP-->>Env: BotIdentity (name, email)
        Env->>Env: NEW: Add git identity to defaults
    end
    end

    Env->>Env: Merge (User Env overrides Defaults)
    
    loop For each [key, value] in merged env
        alt value is "${INSTALLATION_ACCESS_TOKEN}"
            alt Token not yet cached
                Env->>TP: installationAccessToken()
                TP-->>Env: ghs_token
            end
            Env->>Env: Replace placeholder with token
        else value matches other ${VAR}
            Env->>Env: Resolve from process.env
        end
    end

    Env-->>Runner: Final Agent Environment

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
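
The resolution order in the diagram above (build defaults, let user env override them, then expand placeholders) as an added TypeScript sketch; it is not the project's code. The names `buildDefaults` and `resolveEnvSketch`, the synchronous `getToken` callback, whole-value `${VAR}` matching, and treating two blank token keys as "no credentials" are assumptions made for illustration.

```typescript
type Env = Record<string, string>;
interface BotIdentity { id: number; login: string }
const TOKEN_PLACEHOLDER = "${INSTALLATION_ACCESS_TOKEN}";
const TOKEN_KEYS = ["GH_TOKEN", "GITHUB_TOKEN"];
const GIT_KEYS = ["GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"];
// GitHub noreply format: <user id>+<login>@users.noreply.github.com
function noreplyEmail(bot: BotIdentity): string {
  return `${bot.id}+${bot.login}@users.noreply.github.com`;
}

// Defaults exist only when a token provider does; keys the user set are never shadowed.
function buildDefaults(userEnv: Env, hasProvider: boolean, bot?: BotIdentity): Env {
  const defaults: Env = {};
  if (!hasProvider) return defaults;
  for (const key of TOKEN_KEYS) {
    if (!(key in userEnv)) defaults[key] = TOKEN_PLACEHOLDER;
  }
  // Assumed guard: a user who blanks both token keys gets no bot identity either.
  const hasTokenEnv = TOKEN_KEYS.some((k) => (userEnv[k] ?? defaults[k] ?? "") !== "");
  if (!hasTokenEnv || !bot) return defaults;
  for (const key of GIT_KEYS) {
    if (key in userEnv) continue;
    switch (key) { // explicit mapping rather than key.includes("NAME")
      case "GIT_AUTHOR_NAME": case "GIT_COMMITTER_NAME":
        defaults[key] = bot.login;
        break;
      default:
        defaults[key] = noreplyEmail(bot);
    }
  }
  return defaults;
}

// Merge (user wins), then expand placeholders; the token is requested at most once.
function resolveEnvSketch(userEnv: Env, getToken: (() => string) | undefined, procEnv: Env, bot?: BotIdentity): Env {
  const merged: Env = { ...buildDefaults(userEnv, getToken !== undefined, bot), ...userEnv };
  let token: string | undefined;
  const out: Env = {};
  for (const [key, value] of Object.entries(merged)) {
    const ref = /^\$\{(\w+)\}$/.exec(value);
    if (value === TOKEN_PLACEHOLDER && getToken) {
      if (token === undefined) token = getToken();
      out[key] = token;
    } else {
      // Any other ${VAR} comes from the host environment; unset resolves to "".
      out[key] = ref ? procEnv[ref[1]] ?? "" : value;
    }
  }
  return out;
}
```

Because the resolved token ends up as a plain string in the returned map, anything that logs or serializes that map should mask `GH_TOKEN` and `GITHUB_TOKEN` first.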

@amondnet amondnet self-assigned this Mar 23, 2026
- Separate JSON parse error from network error in fetchBotIdentity
  for clearer debugging
- Guard git identity injection with hasTokenEnv check to avoid
  setting bot identity when no GitHub credentials are available
@amondnet amondnet enabled auto-merge (squash) March 23, 2026 07:52

@cubic-dev-ai cubic-dev-ai bot left a comment


0 issues found across 2 files (changes from recent commits).

Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.

- Replace key.includes('NAME') with explicit switch statement
- Import BotIdentity type at top of orchestrator.ts
- Add AbortSignal.timeout(30s) to fetchBotIdentity fetch call

@amondnet amondnet merged commit 5b20556 into main Mar 23, 2026
6 checks passed
@amondnet amondnet deleted the amondnet/sprout-pen branch March 23, 2026 07:56
@pleaeai-bot pleaeai-bot bot mentioned this pull request Mar 23, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


0 issues found across 3 files (changes from recent commits).

Requires human review: Modifies core environment resolution logic and authentication token handling for agents, including new network calls to resolve bot identities.
