What done

• Verified PR scope aligns with issue OAuth problems #866 (GitHub OAuth PKCE flow, docs, helper tests).
• Confirmed CI matrix completed successfully across PHP 8.0–8.5.
• Confirmed Closes #866 and AI disclosure are present in PR body.

Testing Evidence

• gh pr checks 1151 --repo afragen/git-updater shows all required checks passing.
• Existing PR body includes static analysis and syntax checks run during implementation.

Key decisions

• Kept OAuth implementation focused to GitHub flow (state + PKCE) to address callback/token exchange constraints in issue scope.
• Preserved existing PAT support; OAuth is additive via settings controls and constants/filter.

Files changed

• src/Git_Updater/API/GitHub_API.php
• tests/test-github-oauth.php
• README.md

Blockers

• Merge is blocked by repository permissions for this contributor account.
• Merge attempt evidence: GraphQL: marcusquinn does not have the correct permissions to execute MergePullRequest.

Follow-up

• Maintainer merge is required to complete lifecycle closure for OAuth problems #866.
• After maintainer merge, the linked issue should auto-close via Closes #866.

Released in

• Not released yet (pending maintainer merge).

aidevops.sh v3.5.462 plugin for OpenCode v1.3.7 with gpt-5.3-codex spent 1h 41m and 66,184 tokens on this as a headless worker. Overall, 2197d 12h since this issue was created.

MERGE_SUMMARY

PR: #1151
Issue: Closes #866 (OAuth problems)
Branch: feature/issue-866-oauth → develop
Status: All CI checks passing (PHP 8.0–8.5). No merge conflicts. Mergeable.

What was implemented

• GitHub OAuth PKCE flow in src/Git_Updater/API/GitHub_API.php:
  • maybe_handle_oauth_flow() — dispatches authorize vs callback on admin_init.
  • start_oauth_flow() — generates state + PKCE verifier, stores in transient, redirects to GitHub authorize endpoint.
  • complete_oauth_flow() — validates callback state/PKCE verifier, exchanges code for token, saves to github_access_token site option.
  • get_oauth_credentials() — reads GU_GITHUB_OAUTH_CLIENT_ID, GU_GITHUB_OAUTH_CLIENT_SECRET, GU_GITHUB_OAUTH_SCOPE constants or gu_github_oauth_credentials filter.
• Tests in tests/test-github-oauth.php: PKCE S256 challenge generation and transient key derivation assertions.
• README documentation: OAuth setup instructions with credential constants.

CI evidence

All six PHP version checks pass:

• PHP 8.0, 8.1, 8.2, 8.3, 8.4, 8.5 ✓

Merge note

This contributor does not have merge rights on this repository. Maintainer merge required to close issue #866.

This FOSS contribution was prepared with AI assistance (aidevops.sh).