fix: restore holonbot app token path for review runs (#619)

jolestar · jolestar · web-flow · commit c5332e603270 · 2026-02-10T15:32:14.000+08:00
* fix: align holonbot OIDC audience and token env precedence

- add holonbot_oidc_audience input (default: holon-token-broker) to action and reusable workflow\n- request GitHub OIDC token with configured audience before broker exchange\n- restore HOLON_GITHUB_TOKEN highest-priority runtime injection in serve path\n- add regression test for HOLON_GITHUB_TOKEN precedence

* fix(holonbot): default OIDC audience to holon-token-broker

- default broker audience to holon-token-broker when HOLON_OIDC_AUDIENCE is unset\n- add test coverage for default audience behavior\n- update README to reflect default audience behavior

---------

Co-authored-by: jolestar &lt;host-user@example.com&gt;
diff --git a/.github/workflows/holon-solve.yml b/.github/workflows/holon-solve.yml
@@ -113,6 +113,11 @@ on:
         required: false
         type: string
         default: 'holon-run/holon'
+      holonbot_oidc_audience:
+        description: 'OIDC audience used when exchanging for Holonbot app installation token'
+        required: false
+        type: string
+        default: 'holon-token-broker'
       runs_on:
         description: >
           Runner labels as a plain string (e.g., 'ubuntu-latest' or 'self-hosted')
@@ -1190,6 +1195,7 @@ jobs:
           version: ${{ inputs.version }}
           build_from_source: ${{ inputs.build_from_source }}
           holon_repository: ${{ inputs.holon_repository }}
+          holonbot_oidc_audience: ${{ inputs.holonbot_oidc_audience }}
 
       - name: Post Summary
         id: result
diff --git a/action.yml b/action.yml
@@ -38,6 +38,10 @@ inputs:
     description: 'URL of the Holonbot Token Broker'
     required: false
     default: 'https://bot.holon.run/api/exchange-token'
+  holonbot_oidc_audience:
+    description: 'OIDC audience for Holonbot token broker exchange'
+    required: false
+    default: 'holon-token-broker'
   log_level:
     description: 'Log level for CI visibility (debug, info, progress, minimal)'
     required: false
@@ -104,7 +108,15 @@ runs:
 
         if [ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
           echo "Fetching OIDC token from GitHub Actions runtime..."
-          OIDC_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value')
+          OIDC_URL="$ACTIONS_ID_TOKEN_REQUEST_URL"
+          if [ -n "${{ inputs.holonbot_oidc_audience }}" ]; then
+            if [[ "$OIDC_URL" == *\?* ]]; then
+              OIDC_URL="${OIDC_URL}&audience=${{ inputs.holonbot_oidc_audience }}"
+            else
+              OIDC_URL="${OIDC_URL}?audience=${{ inputs.holonbot_oidc_audience }}"
+            fi
+          fi
+          OIDC_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$OIDC_URL" | jq -r '.value')
 
           if [ -n "$OIDC_TOKEN" ] && [ "$OIDC_TOKEN" != "null" ]; then
             if [ -z "${{ inputs.holonbot_broker_url }}" ]; then
diff --git a/cmd/holon/env_injection.go b/cmd/holon/env_injection.go
@@ -74,6 +74,12 @@ func applyAnthropicAutoEnv(envVars map[string]string, fallback map[string]string
 }
 
 func applyGitHubTokenAutoEnv(envVars map[string]string) string {
+	if token := strings.TrimSpace(os.Getenv("HOLON_GITHUB_TOKEN")); token != "" {
+		envVars["HOLON_GITHUB_TOKEN"] = token
+		envVars["GITHUB_TOKEN"] = token
+		envVars["GH_TOKEN"] = token
+		return token
+	}
 	if token := strings.TrimSpace(os.Getenv("GITHUB_TOKEN")); token != "" {
 		envVars["GITHUB_TOKEN"] = token
 		envVars["GH_TOKEN"] = token
diff --git a/cmd/holon/serve_test.go b/cmd/holon/serve_test.go
@@ -297,6 +297,23 @@ func TestResolveServeRuntimeEnv_InjectsGitHubToken(t *testing.T) {
 	}
 }
 
+func TestResolveServeRuntimeEnv_PrefersHolonGitHubToken(t *testing.T) {
+	t.Setenv("HOLON_GITHUB_TOKEN", "holon-token")
+	t.Setenv("GITHUB_TOKEN", "actions-token")
+	t.Setenv("GH_TOKEN", "")
+
+	got := resolveServeRuntimeEnv(context.Background())
+	if got["HOLON_GITHUB_TOKEN"] != "holon-token" {
+		t.Fatalf("HOLON_GITHUB_TOKEN = %q", got["HOLON_GITHUB_TOKEN"])
+	}
+	if got["GITHUB_TOKEN"] != "holon-token" {
+		t.Fatalf("GITHUB_TOKEN = %q", got["GITHUB_TOKEN"])
+	}
+	if got["GH_TOKEN"] != "holon-token" {
+		t.Fatalf("GH_TOKEN = %q", got["GH_TOKEN"])
+	}
+}
+
 func bytesToLines(raw []byte) []string {
 	text := string(raw)
 	if text == "" {
diff --git a/holonbot/README.md b/holonbot/README.md
@@ -160,7 +160,7 @@ LOG_LEVEL=info
 - OIDC JWT verification enforces:
   - signature via GitHub JWKS
   - `iss` = `https://token.actions.githubusercontent.com`
-  - `aud` in `HOLON_OIDC_AUDIENCE` (required)
+  - `aud` in configured audiences (`HOLON_OIDC_AUDIENCE`, default: `holon-token-broker`)
   - standard JWT time checks (`exp`, `nbf`)
 - Claim validation enforces repository binding:
   - `repository` / `repository_owner` format and consistency
@@ -179,12 +179,10 @@ LOG_LEVEL=info
 
 ### Security Configuration
 
-Required:
-
-- `HOLON_OIDC_AUDIENCE`: Comma-separated accepted OIDC audiences.
-
 Optional (defaults shown):
 
+- `HOLON_OIDC_AUDIENCE=holon-token-broker` (comma-separated accepted OIDC audiences)
+
 - `HOLON_REQUIRE_ACTOR_COLLABORATOR=true`
 - `HOLON_MIN_ACTOR_PERMISSION=read`
 - `HOLON_REQUIRE_JOB_WORKFLOW_REF=true`
diff --git a/holonbot/api/exchange-token.js b/holonbot/api/exchange-token.js
@@ -4,6 +4,7 @@ import { verifyOIDCToken, validateClaims } from '../lib/oidc.js';
 const replayCache = new Map();
 const rateLimitCache = new Map();
 let lastCleanupAtMs = 0;
+const defaultOIDCAudiences = ['holon-token-broker'];
 const permissionRank = {
     none: 0,
     read: 1,
@@ -50,7 +51,7 @@ function parseCSV(value) {
 function getRequiredAudiences(env = process.env) {
     const audiences = parseCSV(env.HOLON_OIDC_AUDIENCE);
     if (audiences.length === 0) {
-        throw new HttpError(500, 'config.invalid', 'Missing HOLON_OIDC_AUDIENCE configuration');
+        return defaultOIDCAudiences;
     }
     return audiences;
 }
diff --git a/holonbot/package-lock.json b/holonbot/package-lock.json
diff --git a/holonbot/test/exchange-token.test.js b/holonbot/test/exchange-token.test.js
@@ -113,6 +113,27 @@ describe('exchange-token handler', () => {
             repository_ids: [42],
             permissions: { contents: 'write', pull_requests: 'write' }
         }));
+        expect(verifyOIDCToken).toHaveBeenCalledWith('valid-oidc-token', { audiences: ['holon-broker'] });
+    });
+
+    test('should default OIDC audience when HOLON_OIDC_AUDIENCE is not configured', async () => {
+        delete process.env.HOLON_OIDC_AUDIENCE;
+        verifyOIDCToken.mockResolvedValue({ sub: 'repo:owner/repo' });
+        validateClaims.mockReturnValue({
+            repository: 'owner/repo',
+            owner: 'owner',
+            repo: 'repo',
+            repositoryId: '42',
+            actor: 'jolestar',
+            ref: 'refs/heads/main',
+            runId: 'run-1',
+            jti: 'jti-1',
+        });
+
+        await handler(req, res);
+
+        expect(res.status).toHaveBeenCalledWith(200);
+        expect(verifyOIDCToken).toHaveBeenCalledWith('valid-oidc-token', { audiences: ['holon-token-broker'] });
     });
 
     test('should return 401 if auth header is missing', async () => {
