Auth fails intermittently using token from context.octokit.auth({ type: 'installation' })

[dprothero]

I am cloning a repository that my app has access to. In order to do this, I am first generating a token like so, using the octokit instance provided by probot:

const tokenResponse: { token: string } = (await context.octokit.auth({ type: 'installation' })) as { token: string };

Then, I clone the repo by launching a command similar to the following

git clone https://x-access-token:${tokenResponse.token}@github.com/${owner}/${repo} /tmp/target-temp-directory

This works 99.9% of the time. However, once in a while, I will get a failure with this output from the git command:

Cloning into '/tmp/tmp-19-0c6NRS4pYxQt'...
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/owner/repo/'

When I say it works 99.9% of the time, I mean with the same repository that it it will occassionally fail with.

I read on the GitHub docs that tokens last an hour, but I'm generating the token immediately before attempting the clone with no room for delay in between.

Does Probot and/or Octokit somehow cache the token and reuse it?

I was thinking of adding a retry loop, but I feel like I need more context on what's happening before attempting a blind fix.

[gr2m]

When I say it works 99.9% of the time, I mean with the same repository that it it will occassionally fail with.

there might be a delay until a newly installation access token propagates to all read-only follower databases. For requests we take this into account and will do request retries for you:
https://github.com/octokit/auth-app.js/blob/d5bcdfc6a76a022a9bc82bcc974e4d33dfe3c9a4/src/hook.ts#L108-L114

But as you take the token out of octokit's control, you might run into a situation where an authentication fails because whatever instance is receiving your git requests does not yet have the installation access token.

I'd recommend to either make a poor-person's 5 second delay before you do the git command, or you implement a retry similar to what we do in the app authentication strategy implementation

[dprothero]

I am already doing retry with exponential backoff, so there's a cycle of about 60 seconds before it gives up.

I'm actually thinking I might be getting a token that's close to expiring the closer I look at my logs. I looked at the warning level retries and notice the first failure was an error with the clone, but subsequent retries failed with the invalid username/password, so perhaps the token has expired by the time it gets to the second retry.

[gr2m]

close to expiring

That could be. The authentication object returned from octokit.auth() includes an expiration timestamp:

https://github.com/octokit/auth-app.js#authenticate-as-installation

You can request to get a new token by passing { type: "installation", refresh: true}, see https://github.com/octokit/auth-app.js#installation-authentication