Skip to content

Fix SHA validation in create_or_update_file#2134

Merged
almaleksia merged 5 commits intomainfrom
almaleksia/update-file-fix-sha-mismatch
Mar 4, 2026
Merged

Fix SHA validation in create_or_update_file#2134
almaleksia merged 5 commits intomainfrom
almaleksia/update-file-fix-sha-mismatch

Conversation

@almaleksia
Copy link
Contributor

@almaleksia almaleksia commented Mar 4, 2026

Summary

We incorrectly return SHA mismatch for correct updates.

Changes:

  1. sha is required for existing file updates
  2. drop usage of HEAD + Etag and PUT with If-none-match header - we cannot use this approach
  3. sha is taken from the metadata returned by Contents API

Why

Fixes #2133

What changed

MCP impact

  • No tool or API changes
  • Tool schema or behavior changed
  • New tool added

Prompts tested (tool changes only)

Security / limits

  • No security or limits impact
  • Auth / permissions considered
  • Data exposure, filtering, or token/size limits considered

Tool renaming

  • I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
    • I have added the new tool aliases in deprecated_tool_aliases.go
  • I am not renaming tools as part of this PR

Note: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.

Lint & tests

  • Linted locally with ./script/lint
  • Tested locally with ./script/test

Docs

  • Not needed
  • Updated (README / docs / examples)

@almaleksia almaleksia requested a review from a team as a code owner March 4, 2026 12:07
Copilot AI review requested due to automatic review settings March 4, 2026 12:07
almaleksia
almaleksia commented Mar 4, 2026
View reviewed changes
pkg/github/repositories.go
minimalResponse := convertToMinimalFileContentResponse(fileContent)

// Warn if file was updated without SHA validation (blind update)
if sha == "" && previousSHA != "" {
Copy link
Contributor Author

@almaleksia almaleksia Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removing blind update completely

Copy link
Collaborator

@SamMorrowDrums SamMorrowDrums Mar 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fair to accept the errors, thought this is probably the most controversial change.

Copy link
Contributor Author

@almaleksia almaleksia Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I decided if GitHub API requires sha for updates who are we to make it optional :D

Copy link
Collaborator

@SamMorrowDrums SamMorrowDrums Mar 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I think it's fine to make agent fail, but I don't think it's wrong either way, just different trade-offs.

You still retain a git record of what you changed, so it might be surprising to update a file that has changed since you last checked, but you can at least still work out what happened.

The concern for me was always concurrent updates from different agents and then thinking independently that two things were done, but actually only one was because the other overwrites it. That's not great, and I think it's ok for us to not allow that by accident.

Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes incorrect SHA validation in the create_or_update_file tool by switching from HEAD/ETag-based checks to using the GitHub Contents API’s returned blob SHA, and updates the tool’s behavior/docs accordingly.

Changes:

  • Replace conditional HEAD/ETag SHA validation with Contents API metadata (.sha) lookups.
  • Require sha when updating an existing file (reject blind overwrites).
  • Update unit tests and tool schema snapshot to reflect the new behavior and guidance.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
pkg/github/repositories.go Reworks create_or_update_file SHA validation/existence checks and updates user-facing guidance.
pkg/github/repositories_test.go Updates test cases to mock Contents API GET behavior and assert new validation outcomes.
pkg/github/__toolsnaps__/create_or_update_file.snap Updates tool description/schema snapshot to match new guidance and behavior.

SamMorrowDrums
SamMorrowDrums approved these changes Mar 4, 2026
View reviewed changes
Copy link
Collaborator

@SamMorrowDrums SamMorrowDrums left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All makes sense.

@almaleksia almaleksia merged commit ccb9b53 into main Mar 4, 2026
20 checks passed
@almaleksia almaleksia deleted the almaleksia/update-file-fix-sha-mismatch branch March 4, 2026 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SamMorrowDrums SamMorrowDrums SamMorrowDrums approved these changes

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: create_or_update_file SHA validation uses ETag instead of blob SHA, causing spurious failures

3 participants

@almaleksia @SamMorrowDrums