From 39367f45dfe18d4e6c257d3626533ba090ec7dd6 Mon Sep 17 00:00:00 2001 From: Zbigniew Sobiecki Date: Mon, 16 Feb 2026 19:09:39 +0000 Subject: [PATCH] fix: resolve agent-specific GITHUB_TOKEN in executeGitHubAgent executeGitHubAgent() always used the default project GITHUB_TOKEN, ignoring per-agent credential overrides. This caused the review agent to authenticate as the repo owner instead of the dedicated review bot, triggering GitHub 422 errors ("Can not approve your own pull request"). Resolve agent-scoped credentials first via getAgentCredential(), falling back to the project default only when no override exists. Co-Authored-By: Claude Opus 4.6 --- src/triggers/github/webhook-handler.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/triggers/github/webhook-handler.ts b/src/triggers/github/webhook-handler.ts index 8ae0e9e4..78f7ffd4 100644 --- a/src/triggers/github/webhook-handler.ts +++ b/src/triggers/github/webhook-handler.ts @@ -40,7 +40,8 @@ async function executeGitHubAgent( ): Promise { const trelloApiKey = await getProjectSecret(project.id, 'TRELLO_API_KEY').catch(() => ''); const trelloToken = await getProjectSecret(project.id, 'TRELLO_TOKEN').catch(() => ''); - const githubToken = await getProjectSecret(project.id, 'GITHUB_TOKEN'); + const agentGitHubToken = await getAgentCredential(project.id, result.agentType, 'GITHUB_TOKEN'); + const githubToken = agentGitHubToken || (await getProjectSecret(project.id, 'GITHUB_TOKEN')); const restoreLlmEnv = await injectLlmApiKeys(project.id);