From 351d0a336935febfd1e405be7af46969d8c9b24f Mon Sep 17 00:00:00 2001 From: Proactive Engineer Date: Sun, 22 Feb 2026 02:06:16 -0800 Subject: [PATCH] fix: resolve github app config bugs, tighten permissions, and sync terraform user-data --- install.sh | 4 ++-- scripts/refresh-github-token.sh | 10 ++++---- skills/proactive-engineer/SKILL.md | 7 +++--- terraform/user-data.sh | 38 ++++-------------------------- 4 files changed, 15 insertions(+), 44 deletions(-) diff --git a/install.sh b/install.sh index c6a623e58789..ac53015cf020 100755 --- a/install.sh +++ b/install.sh @@ -179,8 +179,8 @@ prompt_key "GEMINI_API_KEY" \ # If using GitHub App, copy the private key and generate initial token if [ "$USE_GITHUB_APP" = "yes" ]; then - PEM_DEST="$INSTALL_DIR/github-app.pem" - mkdir -p "$INSTALL_DIR" + mkdir -p "$CONFIG_DIR" + PEM_DEST="$CONFIG_DIR/github-app.pem" cp "$GITHUB_APP_PEM_PATH" "$PEM_DEST" 2>/dev/null || true chmod 600 "$PEM_DEST" 2>/dev/null || true export GITHUB_APP_PEM_PATH="$PEM_DEST" diff --git a/scripts/refresh-github-token.sh b/scripts/refresh-github-token.sh index 41b2ad1b2572..57f4fd8d17db 100755 --- a/scripts/refresh-github-token.sh +++ b/scripts/refresh-github-token.sh @@ -10,7 +10,7 @@ set -euo pipefail # GITHUB_APP_PEM_PATH - Path to the .pem private key file # # Outputs the token (ghs_...) to stdout. -# Also exports git author/committer identity for the bot. +# Also configures global git author/committer identity for the bot. : "${GITHUB_APP_ID:?Set GITHUB_APP_ID}" : "${GITHUB_APP_INSTALLATION_ID:?Set GITHUB_APP_INSTALLATION_ID}" 
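Review bot: In the install.sh hunk the private key is still copied with `cp … 2>/dev/null || true` and only then restricted with `chmod 600`, so it is briefly created with the default umask. A failed copy is also silent, and `GITHUB_APP_PEM_PATH` is exported pointing at `$PEM_DEST` regardless. Creating the file with its final mode and stopping on failure would close both gaps, e.g. `install -m 600 "$GITHUB_APP_PEM_PATH" "$PEM_DEST" || { echo "could not copy GitHub App key" >&2; exit 1; }`. `mkdir -p "$CONFIG_DIR"` also leaves the directory that now holds the key at the default mode; consider `chmod 700 "$CONFIG_DIR"` if nothing else needs to read it. The `if` block continues past the end of this hunk, so how the later token generation handles a missing key is not visible here.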
@@ -55,9 +55,9 @@ if [ -n "${AGENT_NAME:-}" ] && [ "$AGENT_NAME" != "default" ]; then AGENT_LABEL="Proactive Engineer ($AGENT_NAME)" fi -export GIT_AUTHOR_NAME="$AGENT_LABEL" -export GIT_AUTHOR_EMAIL="proactive-engineer[bot]@users.noreply.github.com" -export GIT_COMMITTER_NAME="$AGENT_LABEL" -export GIT_COMMITTER_EMAIL="proactive-engineer[bot]@users.noreply.github.com" +if command -v git >/dev/null 2>&1; then + git config --global user.name "$AGENT_LABEL" + git config --global user.email "proactive-engineer[bot]@users.noreply.github.com" +fi echo "$token" diff --git a/skills/proactive-engineer/SKILL.md b/skills/proactive-engineer/SKILL.md index cc2247298b80..021fbc2374e3 100644 --- a/skills/proactive-engineer/SKILL.md +++ b/skills/proactive-engineer/SKILL.md @@ -165,11 +165,10 @@ You'll have either a GitHub App or a Personal Access Token configured: - **GITHUB_APP_ID**, **GITHUB_APP_INSTALLATION_ID**, **GITHUB_APP_PEM_PATH** are set in your environment - Before any git push, PR, or `gh` CLI operation, refresh your token and set it for both git and gh: ```bash - export GITHUB_TOKEN=$(~/.proactive-engineer/scripts/refresh-github-token.sh) - export GH_TOKEN="$GITHUB_TOKEN" - git config --global user.name "Proactive Engineer" - git config --global user.email "proactive-engineer[bot]@users.noreply.github.com" + export GH_TOKEN=$(~/.proactive-engineer/scripts/refresh-github-token.sh) + export GITHUB_TOKEN="$GH_TOKEN" ``` + *(The script automatically configures your git committer identity.)* - You MUST set `GH_TOKEN` so that `gh pr create` and other `gh` commands use the App token instead of your personal auth. - Tokens expire every hour, so always refresh before git operations. diff --git a/terraform/user-data.sh b/terraform/user-data.sh index 0c8cb6b6e621..1bb767b5ca92 100644 --- a/terraform/user-data.sh +++ b/terraform/user-data.sh 
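Review bot: The two `git config --global` calls in the refresh-github-token.sh hunk run under `set -euo pipefail` (shown in the previous hunk's header) and before `echo "$token"`. If either write fails, for example on a locked or read-only `~/.gitconfig`, the script exits without emitting a token it has already obtained. Making the identity step best-effort keeps token refresh independent of it: `git config --global user.name "$AGENT_LABEL" || echo "warning: could not set git user.name" >&2`, and the same for `user.email`. Every refresh now rewrites the account-wide identity as a side effect. Because `AGENT_LABEL` depends on `AGENT_NAME`, agents that share a home directory would presumably overwrite each other's commit attribution, so a comment stating that assumption would help, or the identity could be set per repository.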
@@ -59,43 +59,15 @@ else export SLACK_APP_TOKEN='$SLACK_APP_TOKEN' export SLACK_BOT_TOKEN='$SLACK_BOT_TOKEN' export GITHUB_TOKEN='$GITHUB_TOKEN' + export GITHUB_APP_ID='$GITHUB_APP_ID' + export GITHUB_APP_INSTALLATION_ID='$GITHUB_APP_INSTALLATION_ID' + export GITHUB_APP_PEM_PATH='$GITHUB_APP_PEM_PATH' export GEMINI_API_KEY='$GEMINI_API_KEY' export AGENT_NAME='$AGENT_NAME' export AGENT_DISPLAY_NAME='$AGENT_DISPLAY_NAME' + export SETUP_TAILSCALE='y' - curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard - export PATH=\"\$HOME/.npm-global/bin:\$HOME/.local/bin:\$PATH\" - - REPO=refreshdotdev/proactive-engineer - INSTALL_DIR=\"\$HOME/.proactive-engineer\" - PROFILE_NAME=\"pe-\$AGENT_NAME\" - CONFIG_DIR=\"\$HOME/.openclaw-\$PROFILE_NAME\" - WORKSPACE_DIR=\"\$HOME/.openclaw/workspace-\$PROFILE_NAME\" - SKILL_DIR=\"\$HOME/.openclaw/skills/proactive-engineer\" - - git clone --depth 1 https://github.com/\$REPO.git \"\$INSTALL_DIR\" - - mkdir -p \"\$(dirname \$SKILL_DIR)\" - ln -sf \"\$INSTALL_DIR/skills/proactive-engineer\" \"\$SKILL_DIR\" - - mkdir -p \"\$CONFIG_DIR\" \"\$WORKSPACE_DIR\" - for f in HEARTBEAT.md IDENTITY.md SOUL.md AGENTS.md; do - ln -sf \"\$INSTALL_DIR/skills/proactive-engineer/workspace/\$f\" \"\$WORKSPACE_DIR/\$f\" 2>/dev/null || true - done - - cat > \"\$CONFIG_DIR/openclaw.json\" << CONF -{ - \"gateway\": { \"mode\": \"local\", \"port\": 18789, \"auth\": { \"allowTailscale\": true }, \"tailscale\": { \"mode\": \"serve\" } }, - \"env\": { \"GITHUB_TOKEN\": \"\$GITHUB_TOKEN\", \"GEMINI_API_KEY\": \"\$GEMINI_API_KEY\" }, - \"agents\": { \"defaults\": { \"workspace\": \"\$WORKSPACE_DIR\", \"heartbeat\": { \"every\": \"30m\" }, \"model\": { \"primary\": \"google/gemini-3.1-pro-preview\" } } }, - \"channels\": { \"slack\": { \"enabled\": true, \"appToken\": \"\$SLACK_APP_TOKEN\", \"botToken\": \"\$SLACK_BOT_TOKEN\", \"groupPolicy\": \"open\", \"channels\": { \"*\": { \"requireMention\": true } }, \"dmPolicy\": \"open\", \"allowFrom\": [\"*\"] 
} }, - \"skills\": { \"entries\": { \"proactive-engineer\": { \"enabled\": true, \"env\": { \"AGENT_NAME\": \"\$AGENT_NAME\", \"AGENT_DISPLAY_NAME\": \"\$AGENT_DISPLAY_NAME\" } } } } -} -CONF - - openclaw --profile \"\$PROFILE_NAME\" gateway install 2>/dev/null || true - systemctl --user enable \"openclaw-gateway-\$PROFILE_NAME\" 2>/dev/null || true - systemctl --user start \"openclaw-gateway-\$PROFILE_NAME\" 2>/dev/null || true + curl -fsSL https://raw.githubusercontent.com/refreshdotdev/proactive-engineer/main/install.sh | bash " fi
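Review bot: The new last command in the terraform/user-data.sh hunk pipes `install.sh` from the mutable `main` branch straight into `bash`, in a shell that has just exported the Slack, GitHub and Gemini secrets. Whatever is on `main` at boot time therefore runs with those credentials and no integrity check. Pinning the ref and verifying the download before running it would bound that, e.g. `curl -fsSL "https://raw.githubusercontent.com/refreshdotdev/proactive-engineer/<PINNED_COMMIT_SHA>/install.sh" -o install.sh && echo "<EXPECTED_SHA256>  install.sh" | sha256sum -c - && bash install.sh` (both values are placeholders). Separately, `GITHUB_APP_PEM_PATH` is exported here, but nothing in the hunk places the key file on the instance, and install.sh ignores a failed copy, so a missing key would presumably go unnoticed until the first token refresh. The quoted command string and the `else` branch both start outside this hunk.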