Forward CIRCLE_TOKEN env vars to remote validate commands#336
Open
hanabel1 wants to merge 3 commits into
Open
Conversation
Commands run on a sidecar via 'chunk validate --remote' couldn't reach CircleCI APIs (e.g. smarter-testing endpoints) because no credentials crossed the SSH boundary. Forward CIRCLE_TOKEN and CIRCLECI_TOKEN from the host environment via the existing ExecOverSSH envVars hook, matching the way the local case picks them up implicitly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hanabel1
force-pushed
the
hm/forward-circle-token-to-sidecar
branch
from
9dfa670 to
0fb6486
Compare
…g in is installed on every template sidecar.
| // remote validate commands authenticate to CircleCI APIs (e.g. smarter-testing | ||
| // endpoints) using the caller's credentials, mirroring the local behavior | ||
| // where these are picked up implicitly from the environment. | ||
| func hostForwardEnv() map[string]string { |
Contributor
There was a problem hiding this comment.
do we have something to this already for the normal command execution?
| // where these are picked up implicitly from the environment. | ||
| func hostForwardEnv() map[string]string { | ||
| env := map[string]string{} | ||
| for _, name := range []string{config.EnvCircleToken, config.EnvCircleCIToken} { |
Contributor
There was a problem hiding this comment.
I think we want to pull this off the config object. The circle token can be read from a file/keychain so it won't necessarily be in the environment
michael-webster
requested changes
May 18, 2026
Contributor
michael-webster
left a comment
michael-webster
left a comment
There was a problem hiding this comment.
Left a comment, but I think we want this to use the config we load instead of assuming an env var. We really don't want to depend on the API token being in an env var.
The CircleCI token can be persisted to the on-disk config (and in the future a keychain backend), so reading it only from os.Getenv silently dropped the token for users who authenticated via `chunk auth`. Source it from config.Resolve instead so the canonical priority chain applies, and forward the single resolved value as CIRCLE_TOKEN. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
chunk validate --remotecouldn't reach CircleCI APIs (e.g. smarter-testing endpoints) because no host credentials crossed the SSH boundary.openSSHSessionnow forwardsCIRCLE_TOKEN/CIRCLECI_TOKENfrom the host environment through the existingExecOverSSHenvVarshook, mirroring how the local validate path picks them up implicitly.hostForwardEnvhelper.Test plan
task fmt,task lint,go test -race ./...all pass.CIRCLE_TOKEN=… chunk validate --remote --cmd 'printf "CIRCLE_TOKEN length: %s\n" "${#CIRCLE_TOKEN}"'prints the expected non-zero length (70-char personal token reached the remote shell).AcceptEnvon the sidecar sshd doesn't need widening (test above succeeded without changes).🤖 Generated with Claude Code