Skip to content

feat: add github service to fleet provisioning#5

Merged
pranavpatilsce merged 1 commit intomainfrom
feat/github-service
Mar 25, 2026
Merged

feat: add github service to fleet provisioning#5
pranavpatilsce merged 1 commit intomainfrom
feat/github-service

Conversation

@pranavpatilsce
Copy link
Copy Markdown
Contributor

@pranavpatilsce pranavpatilsce commented Mar 24, 2026

Summary

Adds the reef github service to the fleet provisioning pipeline so it's available on all root and golden (child agent) VMs. Installs the git credential helper at build time for transparent git clone/git push.

Changes

src/topology.js

  • Add "github" to defaultSharedOperationalDna().services — activated on both root and golden images
  • Add "github" to capabilities

src/boot.js

  • buildImageScript() (root image): after punkin extension install, copies services/github/credential-helper.sh to /usr/local/bin/git-credential-vers and sets git config --global credential.https://github.com.helper
  • buildGoldenImageScript() (golden image): same credential helper install for child agent VMs

Security

  • No secrets baked into images — the credential helper reads VERS_API_KEY from environment at runtime
  • VERS_API_KEY is injected post-spawn (root: /opt/reef/.env, golden: /etc/profile.d/reef-agent.sh)
  • Existing secret-free image test continues to pass (verifies no VERS_API_KEY, LLM_PROXY_KEY, VERS_AUTH_TOKEN, or .env references in image scripts)

How it works on provisioned VMs

Root VM (/opt/ paths):

/opt/reef/services/github/           ← service code
/opt/reef/services-active/github/    ← symlinked at runtime
/usr/local/bin/git-credential-vers   ← credential helper (build time)
git config --global credential.helper set (build time)
VERS_API_KEY injected to /opt/reef/.env (provision time)

Golden (child) VM (/root/ paths):

/root/reef/services/github/          ← service code
/root/reef/services-active/github/   ← symlinked (all services)
/usr/local/bin/git-credential-vers   ← credential helper (build time)
git config --global credential.helper set (build time)
VERS_API_KEY injected to /etc/profile.d/reef-agent.sh (post-spawn)

Companion PR

  • reef #22 — the github service module itself (routes, tools, token profiles, credential helper script)

Test plan

  • All 7 vers-fleets tests pass
  • build-root --private --reef-path <reef-branch> produces image with credential helper installed
  • build-golden --private --reef-path <reef-branch> produces image with credential helper installed
  • provision from both images → reef health check shows github in services list
  • git clone on VM uses credential helper transparently

@pranavpatilsce
feat: add github service to shared operational DNA and credential hel…
3160f45 
…per install

- Add "github" to defaultSharedOperationalDna() services and capabilities
- Install git-credential-vers in both buildImageScript (root) and
  buildGoldenImageScript (golden) — copies credential helper from
  reef services/github/, sets git config global credential helper
- No secrets baked into images — helper reads Vers API key from env
  at runtime
@pranavpatilsce pranavpatilsce merged commit 606b239 into main Mar 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nsluss nsluss nsluss approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pranavpatilsce @nsluss