Prebuild: init submodule via PAT secret and build pg_durable#92

Merged
pinodeca merged 1 commit into main from pinodeca/codespace-repo-perms on Mar 30, 2026

Conversation

@pinodeca (Contributor) commented Mar 29, 2026

Summary

During the Codespace prebuild, use a GH_PAT Codespace secret to clone the private duroxide-pg-opt submodule, then build pg_durable. The PAT is scrubbed from the filesystem before the prebuild image is snapshotted.

Interactive Codespaces continue to use the token permissions granted via customizations.codespaces.repositories in devcontainer.json (merged in #93).

Changes

  • onCreateCommand.sh: PAT-based submodule init with credential cleanup, fallback to default credentials, cargo build --features pg17 if submodule available
  • postCreateCommand.sh: Verify submodule and build state when user opens Codespace
  • CODESPACES_PREBUILDS.md: Document dual auth approach (PAT for prebuild, Codespace token for interactive use)

Auth mechanisms

Context                      Mechanism
Prebuild (onCreateCommand)   GH_PAT Codespace secret — temporary git insteadOf rewrite, scrubbed after clone
Interactive Codespace        devcontainer.json codespaces.repositories token permissions
Local Dev Container          User's own credentials

Admin setup (one-time)

  1. Create a fine-grained PAT scoped read-only to microsoft/duroxide-pg-opt (Contents: Read)
  2. Go to repo Settings > Secrets and variables > Codespaces
  3. Add secret: Name = GH_PAT, Value = the PAT
  4. Trigger a prebuild rebuild

Security

  • The PAT is injected as an env var (not persisted in filesystem snapshots)
  • The temporary ~/.gitconfig entry is removed immediately after submodule clone
  • Credential cache is explicitly rejected
  • Belt-and-suspenders grep verifies no traces remain
  • Users opening Codespaces from the prebuild never see or need the PAT
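The temporary-credential window described in the description, as an added example that is not the project's onCreateCommand.sh: a shell wrapper that writes the PAT-bearing insteadOf rewrite into ~/.gitconfig only while one git command runs, sets an empty credential.helper so nothing can cache the token, scrubs both entries again even when the wrapped command fails, and then greps for the literal token as the belt-and-suspenders check. GH_PAT as the environment variable name, github.com as the submodule host and a fresh prebuild home directory (so no pre-existing credential.helper is lost) are assumptions.

```shell
#!/bin/sh
# Added example (not the project's onCreateCommand.sh): wrap a git command in a
# temporary insteadOf rewrite that injects the GH_PAT secret, then scrub the
# rewrite from ~/.gitconfig even if the command fails. Assumptions: GH_PAT is an
# environment variable; the private submodule is on github.com; the prebuild
# user's home directory is fresh, so no existing credential.helper is lost.
set -eu

TOKEN_HOST="github.com"          # assumption: host of the private submodule
export GIT_TERMINAL_PROMPT=0     # never block a prebuild on an interactive prompt

# Temporary-credential window: run "$@" with the PAT-bearing rewrite in place.
# Without GH_PAT (local dev container, interactive Codespace) it just runs "$@"
# with whatever credentials the user already has (the fallback path).
with_temporary_token() {
  status=0
  if [ -z "${GH_PAT:-}" ]; then
    "$@" || status=$?
    return "$status"
  fi
  section="url.https://x-access-token:${GH_PAT}@${TOKEN_HOST}/"
  git config --global "${section}.insteadOf" "https://${TOKEN_HOST}/"
  # Explicitly reject credential caching so no helper can persist the PAT.
  git config --global credential.helper ""
  "$@" || status=$?
  scrub_token_config "$section"   # runs on success and on failure alike
  return "$status"
}

# Remove the rewrite section and the helper override from ~/.gitconfig.
scrub_token_config() {
  git config --global --remove-section "$1" 2>/dev/null || true
  git config --global --unset-all credential.helper 2>/dev/null || true
}

# Belt-and-suspenders check: return 1 if the literal token text survives
# anywhere under the given paths (recursive, text files only, fixed string).
verify_no_token() {
  token="$1"
  shift
  if grep -rIqF -- "$token" "$@" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Prebuild entry point: initialize submodules inside the credential window,
# then prove the token left no trace before the image is snapshotted.
prebuild_init_submodule() {
  repo_dir="$1"
  with_temporary_token git -C "$repo_dir" submodule update --init --recursive
  if [ -n "${GH_PAT:-}" ]; then
    verify_no_token "$GH_PAT" "$HOME/.gitconfig" "$repo_dir/.git" "$repo_dir/.gitmodules"
  fi
}
```

The grep only catches the token as plain text; it will not notice a base64 or URL-encoded copy, so the real protection is that the rewrite never reaches disk anywhere other than the one config entry that is removed. Running the scrub after the command regardless of its exit status matters in a prebuild: a failed clone that aborted the script early would otherwise leave the PAT in ~/.gitconfig inside the snapshot.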

During the Codespace prebuild, use a GH_PAT Codespace secret to clone
the private duroxide-pg-opt submodule, then build pg_durable. The PAT
is scrubbed from the filesystem before the prebuild image is snapshotted.

Interactive Codespaces use the token permissions already granted via
customizations.codespaces.repositories in devcontainer.json (merged in #93).

Changes:
- onCreateCommand.sh: PAT-based submodule init with credential cleanup,
  fallback to default credentials, cargo build if submodule available
- postCreateCommand.sh: verify submodule and build state on open
- CODESPACES_PREBUILDS.md: document dual auth approach (PAT for prebuild,
  Codespace token for interactive use)

Setup: add a GH_PAT Codespace secret in Settings > Secrets > Codespaces
with a fine-grained PAT scoped read-only to microsoft/duroxide-pg-opt.
@pinodeca pinodeca force-pushed the pinodeca/codespace-repo-perms branch from 619b98f to 5a87740 March 30, 2026 17:14
@pinodeca pinodeca changed the title Prebuild: init submodule and build pg_durable via Codespace token permissions Prebuild: init submodule via PAT secret and build pg_durable Mar 30, 2026
@pinodeca pinodeca merged commit b1017f1 into main Mar 30, 2026
7 checks passed
@pinodeca pinodeca deleted the pinodeca/codespace-repo-perms branch March 30, 2026 18:20