fix(codex/build): fetch ephemeral token for codex-link-index reads #110
Merged
theletterf merged 4 commits into main, Apr 24, 2026
Conversation
docs-builder's cross-link fetcher clones elastic/codex-link-index to resolve codex/internal cross-links at build time. The private repo needs credentials, which this action did not fetch. As a result any consumer declaring a codex cross-link would fail with:

`fatal: could not read Username for 'https://github.com': No such device or address`

Mirror the token-fetch pattern used by codex/update-link-index, but targeting the shared read policy `token-policy-pull-codex-repositories` (registered via catalog-info for each consumer) and exporting the token as GITHUB_TOKEN so docs-builder's GitLinkIndexReader picks it up.

Surfaced via elastic/platform-capacity-team#1328, the first PR in that repo to introduce a cross-link.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The self-test workflow runs codex/build against a mock docset with no cross-links and without id-token:write permission, so the Vault fetch fails with "OIDC token endpoint not exposed". Real consumers that don't declare codex cross-links would hit the same issue if their workflow isn't configured for OIDC or registered in catalog-info. Make the fetch step non-fatal so:

- no cross-links: build runs without a token, same as before this PR;
- missing policy: falls back to anonymous HTTPS, same as before;
- properly configured: token is obtained and the private clone works.
nimdanitro reviewed Apr 24, 2026
Mpdreamz (Member) approved these changes Apr 24, 2026 and left a comment:
Unblocking PR approval.
Not entirely sure why we need `skip-token-revoke: true`.
Per reviewer feedback, align codex/build with codex/update-link-index:

- derive the vault role name from the workflow ref hash instead of using the shared policy filename directly, matching the catalog-info registration pattern.
- grant id-token:write to the build job in codex-preview.yml so `elastic/ci-gh-actions/fetch-github-token` can obtain an OIDC JWT.
Summary
The `codex/build` composite action runs `docs-builder`, which clones `elastic/codex-link-index` at build time to resolve codex/internal cross-links. That repo is private, but this action never fetched a token: `docs-builder`'s `GitLinkIndexReader` fell back to anonymous HTTPS and failed with `fatal: could not read Username for 'https://github.com': No such device or address`. `CrossLinkFetcher` never invoked the git reader.

As in `codex/update-link-index`, fetch an ephemeral token from Vault (keyed by a hash of the workflow ref, matching catalog-info registration) and expose it as `GITHUB_TOKEN` to the build step so `docs-builder` picks it up.

Context
Surfaced via elastic/platform-capacity-team#1328, the first PR in that repo to introduce a `platform-observability-team://` cross-link. The catalog-info side was already registered in elastic/catalog-info#3698 (both the shared pull policy and the per-repo push policy), but the `build` step was never wired up to consume the pull policy.

A companion docs-builder PR (elastic/docs-builder#3174) fixes a misleading fallback error URL that surfaced while debugging this, but that's cosmetic: this PR is the actual fix that unblocks the preview build.
Changes
- `codex/build/action.yml`:
  - `Generate vault role` step that derives `token-policy-<12-char-hash>` from `GITHUB_WORKFLOW_REF`, matching the pattern used by `codex/update-link-index` and the role name catalog-info registers against.
  - `Fetch ephemeral GitHub token for codex-link-index reads` step (Vault via `elastic/ci-gh-actions/fetch-github-token@v1`, using the hash-derived role).
  - `continue-on-error: true` so it doesn't break callers that don't need the token.
  - The token is exported to the `Build` step as `GITHUB_TOKEN`, which `docs-builder`'s `GitLinkIndexReader.GetCodexLinkIndexGitUrl()` already reads.
- `.github/workflows/codex-preview.yml`:
  - `id-token: write` on the `build` job so the OIDC JWT needed by `fetch-github-token` is available.

Failure modes after this PR
- Workflow not configured for OIDC (no `id-token: write`): build runs without token, same as before this PR. No regression.
- Properly configured: `GITHUB_TOKEN` is injected, private clone works. ✅

Test plan
- `test-codex-build` self-test on this PR passes (mock docset has no cross-links; fetch is skipped via `continue-on-error`).
- Confirm the real consumer build no longer fails with `could not read Username for 'https://github.com'`.

🤖 Generated with Claude Code