Skip to content

[comp] Production Deploy#3374

Merged
tofikwest merged 5 commits into
releasefrom
main
Jul 8, 2026
Merged

[comp] Production Deploy#3374
tofikwest merged 5 commits into
releasefrom
main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


Summary by cubic

Redirects first-time GitHub App connections to the GitHub install page when no installation is found and fixes an ordering bug that could hang the OAuth callback (CS-710). Prevents “authorized but not installed” dead-ends and avoids redirect loops.

  • Bug Fixes
    • OAuth callback: if provider is github-app and no installation exists, redirect to the App installUrl with a fresh state; on return with installation_id and still no install, surface github_app_not_installed instead of looping.
    • State handling: create the install-handoff state before deleting the original; if creation fails, keep the original for cleanup and emit an error redirect to avoid hangs.
    • Manifest/Tests: added optional installUrl to OAuth config and set it for github-app to https://github.com/apps/comp-ai-compliance/installations/new; tests cover first-pass redirect, create-before-delete ordering and create-failure path, no-loop after an install attempt, and success when an installation already exists.

Written for commit fe63eb1. Summary will update on new commits.

Review in cubic

github-actions Bot and others added 3 commits July 7, 2026 22:21
…alled

Customer report: a first-time user completing the connect flow was only asked
to authorize their personal account, never got to install the App on their org
or pick repositories, and the integration never showed as connected.

Root cause: GitHub separates user *authorization* from app *installation*. The
authorize URL (login/oauth/authorize) only authenticates the user — it does not
install the App. So a first-time user authorized, the post-OAuth install check
correctly found no installation, and the connection was (correctly) not
finalized — but the user was never given a way to install.

Fix: when the install check finds no installation, redirect the user to the
App's install URL (new `installUrl` manifest field) so they install on their org
and choose repositories. They return through install-time OAuth (which carries
an `installation_id`), the check passes, and the connection is finalized. The
`installation_id` on the return trip is read only as a loop guard (never
persisted) so we don't redirect a second time. Already-installed / reconnect
users are unaffected (the check passes on the first callback).

Tests: redirect-to-install on first pass, error (no loop) after an install
attempt, and success when an installation already exists.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XyttkYNbkdYRp7DBKNuFVH
…ll-redirect

fix(integrations): redirect GitHub App users to install when not installed (CS-710)
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
comp-framework-editor (staging) Ready Ready Preview, Comment Jul 8, 2026 7:25pm
2 Skipped Deployments
Project Deployment Actions Updated (UTC)
app (staging) Skipped Skipped Jul 8, 2026 7:25pm
portal (staging) Skipped Skipped Jul 8, 2026 7:25pm

Request Review

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 4 files

Confidence score: 5/5

  • Safe to merge after the addressed issues were fixed.

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread apps/api/src/integration-platform/controllers/oauth.controller.ts
tofikwest and others added 2 commits July 8, 2026 15:17
cubic caught an error-path ordering bug: the GitHub App install redirect deleted
the original OAuth state before creating the install-handoff state. If the
create failed, the outer catch would call delete(state) again on an
already-removed record — Prisma's delete throws P2025, so the error redirect
never ran and the request hung.

Create the install-handoff state first, then delete the original. On a create
failure the original state survives, so the outer catch cleans it up and still
emits an error redirect. Add regression tests for the create-before-delete
ordering and the create-failure path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XyttkYNbkdYRp7DBKNuFVH
…ring

fix(integrations): create install-handoff state before deleting original (CS-710)
@vercel vercel Bot temporarily deployed to staging – app July 8, 2026 19:24 Inactive
@vercel vercel Bot temporarily deployed to staging – portal July 8, 2026 19:24 Inactive
@tofikwest tofikwest merged commit 9a77cbd into release Jul 8, 2026
12 checks passed
@claudfuen

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.99.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants