Skip to content

merge queue: checking main (ea8d6fb) and #3460 together#3475

Closed
mergify[bot] wants to merge 3 commits into
mainfrom
mergify/merge-queue/848f51c2ea
Closed

merge queue: checking main (ea8d6fb) and #3460 together#3475
mergify[bot] wants to merge 3 commits into
mainfrom
mergify/merge-queue/848f51c2ea

Conversation

@mergify

@mergify mergify Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request has been checked successfully and will be merged soon. 🎉

Branch main (ea8d6fb) and #3460 are queued together for merge.

This pull request has been created by Mergify to check the mergeability of #3460.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.

Required conditions of queue rule default for merge:

Required conditions to stay in the queue:

---
checking_base_sha: ea8d6fbe8fec8d0c5e658ace31c1f89c6d0168a1
previous_check_retries: []
previous_failed_batches: []
pull_requests:
  - number: 3460
    scopes: []
scopes: []
...

rob-coco and others added 3 commits July 5, 2026 02:40
Generated auth login sent a bare authorization_code grant when no client
secret was configured — no client authentication and no code_verifier —
which token endpoints reject. Every printed CLI with authorization-code
OAuth inherited the broken CLIENT_ID-only path.

When no secret is set, the emitted flow now generates a per-attempt RFC
7636 verifier, sends an S256 code_challenge on the authorize request,
and exchanges with code_verifier in place of client_secret. Secret-based
flows are unchanged. The loopback redirect moves from localhost to
127.0.0.1 per RFC 8252 §7.3, and the token exchange gets its own 30s
client instead of the shared default.

Adds a generated-output test (compiled binary, verify-env URL assertions
both ways, injected -race runtime tests incl. the RFC 7636 appendix B
vector) and a golden case locking the authorization-code + PKCE shape,
which previously had no golden coverage.

Closes #3457. Refs mvanhorn/printing-press-library#1287.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… test assertions

Token exchange now uses http.NewRequestWithContext(cmd.Context(), ...)
so Ctrl+C cancels an in-flight exchange, matching the refreshAccessToken
idiom in client.go.tmpl. Split the whitespace-sensitive combined
assertion into independent Contains checks; mutual exclusivity stays
covered by the verify-env behavioral checks.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@mergify mergify Bot closed this Jul 6, 2026
@mergify mergify Bot deleted the mergify/merge-queue/848f51c2ea branch July 6, 2026 20:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant