Skip to content

[Gastown] GitHub App integration overrides manually-saved PAT (github_pat_) in town Git Auth settings — users cannot use long-lived tokens #4394

Description

@kilo-code-bot

What happened?

When a town has a GitHub App integration configured (platformIntegrationId), the worker's /refresh-git-token endpoint always generates a fresh ghs_ GitHub App installation token (1hr expiry), completely overriding any github_pat_ fine-grained PAT saved in the dashboard's Git Authentication settings.

Reproduction:

  1. User saves a github_pat_... 90-day PAT in Gastown Settings → Git Authentication → GitHub Token, clicks Save
  2. User exits and re-enters Settings — the github_pat_ is gone, replaced with the ghs_ App installation token
  3. User clicks "Container Token Refresh" — the container receives a fresh ghs_ token, NOT the PAT
  4. The /refresh-git-token worker endpoint returns {"data":{"token":"ghs_..."}} even after the PAT was saved

Root cause: The GitHub App integration takes precedence over manually-configured tokens. In agent-runner.ts:273, resolveGitCredentials() fetches a fresh token from the Kilo Cloud API using platformIntegrationId, which generates ghs_ installation tokens. The git_auth.github_token PAT from town config is never used because the integration-sourced token always wins.

Impact: The user explicitly created a 90-day PAT to avoid the 1-hour expiry cycle that has stranded work 3+ times this session. But the integration override makes the PAT useless — the town is forced to use 1-hour ghs_ tokens that expire mid-task.

Expected behavior: When a user manually sets git_auth.github_token to a PAT (github_pat_ or ghp_), it should take precedence over the GitHub App integration token. The integration token should only be used as a fallback when no static token is configured.

Alternatively: Allow users to disable the GitHub App integration per-rig so a static PAT can be used instead.

Town: b1d2b62b-b236-48c0-8558-3b32057470be. Worker API: https://gastown.kiloapps.io

Area

Container / Git

Context

  • Town ID: b1d2b62b-b236-48c0-8558-3b32057470be
  • Agent: Mayor (d0f9f7a6-3442-4cd2-bc2f-e6acf48d536a)
  • Rig ID: e29ba178-b878-499f-9b8f-a3d3f8bdcc88

Recent Errors

refresh-git-token endpoint returns ghs_ installation token despite github_pat_ PAT saved in town config. Dashboard reverts PAT to ghs_ on page refresh. resolveGitCredentials() in agent-runner.ts:273 prioritizes platformIntegrationId over git_auth.github_token.

Filed automatically by the Mayor via gt_report_bug.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions