catch TorngitRefreshTokenFailedError without retrying

[drazisil-codecov]

Summary

• TorngitRefreshTokenFailedError was not caught in BaseCodecovTask.get_repo_provider_service, causing Celery to retry the task indefinitely on token refresh failures (e.g. 400 Bad Request from GitLab OAuth)
• Retrying is actively harmful: GitLab's refresh token reuse detection invalidates the entire token family if the same refresh token is submitted twice, turning a recoverable failure into a permanent one
• Added an explicit catch with no retry, matching the existing TorngitClientError pattern

Root cause

TorngitRefreshTokenFailedError inherits from TorngitError, not TorngitClientError, so it bypassed the existing clean-exit handler. TorngitCantRefreshTokenError (the "no refresh token present" case) was already handled correctly via TorngitClientError.

Test plan

• test_get_repo_provider_service_refresh_token_failed — verifies exception is caught, returns None, breadcrumb task called with GIT_CLIENT_ERROR, no retry raised
• Full TestBaseCodecovTask class passes (22 tests)

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk, targeted change to worker error handling that prevents infinite Celery retries on git-provider token refresh failures while keeping existing breadcrumb/error reporting behavior.

Overview
BaseCodecovTask.get_repo_provider_service now explicitly catches TorngitRefreshTokenFailedError and exits cleanly (returning None) instead of letting the task fail and be retried indefinitely.

On refresh-token failure it records a GIT_CLIENT_ERROR breadcrumb and logs a warning with stack trace, and a new unit test asserts this behavior.

^{Written by Cursor Bugbot for commit 1eba83f. This will update automatically on new commits. Configure here.}

[drazisil-codecov]

Why no retry?

GitLab implements refresh token reuse detection via Doorkeeper: once a refresh token is consumed, it's immediately invalidated. If the same token is submitted again (e.g. by a retry), GitLab revokes the entire token family and all subsequent attempts return 400 permanently.

Without this fix, the retry loop doesn't just fail — it actively destroys the token, turning a potentially recoverable situation into a permanent one requiring manual re-authorization.

Reference: GitLab Token Unable To Refresh Due To Race Condition – HashiCorp Support

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.25%. Comparing base (13ff78c) to head (1eba83f).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #783   +/-   ##
=======================================
  Coverage   92.25%   92.25%           
=======================================
  Files        1305     1305           
  Lines       47981    47985    +4     
  Branches     1636     1636           
=======================================
+ Hits        44263    44267    +4     
  Misses       3407     3407           
  Partials      311      311           

Flag	Coverage Δ
workerintegration	58.55% <20.00%> (-0.02%)	⬇️
workerunit	90.38% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codecov-notifications]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!