Skip to content

feat: require GH_TOKEN at install (alongside the LLM key)#91

Merged
AbirAbbas merged 1 commit into
mainfrom
feat/require-gh-token
Jul 8, 2026
Merged

feat: require GH_TOKEN at install (alongside the LLM key)#91
AbirAbbas merged 1 commit into
mainfrom
feat/require-gh-token

Conversation

@AbirAbbas

Copy link
Copy Markdown
Collaborator

Summary

SWE-AF's whole point is the delivery loop: clone a repo → push a branch → open a pull request — all of which need GitHub write access. The agent shells out to git push / gh pr create, which authenticate from GH_TOKEN (see prompts/github_pr.py: "The GH_TOKEN environment variable is already set for authentication").

But GH_TOKEN was declared optional, so af install / af run never prompted for it — a user could set up the node with just an LLM key and only discover the token was missing once a build reached the push/PR step and failed.

Change

Move GH_TOKEN from optional to required, right next to the require_one_of LLM-provider key:

user_environment:
  require_one_of:
    - id: llm_provider          # ANTHROPIC_API_KEY or OPENROUTER_API_KEY
      ...
  required:
    - name: GH_TOKEN            # repo scope — clone + push + open PRs
      type: secret
      scope: global
  optional:
    - SWE_DEFAULT_MODEL / AGENTFIELD_SERVER / AGENTFIELD_API_KEY / NODE_ID

Now setup prompts for the token up front and stores it encrypted, so the two things a SWE-AF node actually needs — an LLM key and a GitHub token — are both required at install time.

Planning-only reasoners (plan and friends) don't touch GitHub, but the node's reason for existing is delivering PRs, so a token is a genuine setup requirement rather than an optional extra.

Verification

Parsed through the AgentField manifest loader (packages.ParsePackageMetadata): required=[GH_TOKEN], require_one_of=1 group, optional=4 — GH_TOKEN loads as a required secret.

🤖 Generated with Claude Code

SWE-AF's core loop clones a repo, pushes a branch, and opens a pull
request — all of which need GitHub write access; `gh`/`git` authenticate
from GH_TOKEN (prompts/github_pr.py assumes it's set). It was declared
`optional`, so `af install`/`af run` never prompted for it and a build
would only fail once it reached the push/PR step.

Move GH_TOKEN into `required` so setup prompts for it up front and stores
it encrypted, right next to the require_one_of LLM-provider key. Planning
(`plan` and friends) still works without touching GitHub, but the node's
purpose is delivering PRs, so a token is a genuine setup requirement.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@AbirAbbas AbirAbbas merged commit f33edd3 into main Jul 8, 2026
2 checks passed
@AbirAbbas AbirAbbas deleted the feat/require-gh-token branch July 8, 2026 00:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant