Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use git credential helper #1871

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Use git credential helper #1871

wants to merge 1 commit into from

Conversation

ChrisBr
Copy link

@ChrisBr ChrisBr commented Aug 8, 2024

Instead of using gh we should use the built in git credential helper to get a valid token. I think we could even get rid of reading the credentials files manually as git should be able to just do this for us.

What we're essentially doing is

> printf "host=github.com\nprotocol=https" | git credential fill
protocol=https
host=github.com
username=3799140
password=TOKEN

Ideally we would even hand down a path so the token could be scoped to a single repository.

https://git-scm.com/docs/gitcredentials

@ChrisBr
Copy link
Author

ChrisBr commented Aug 8, 2024

Ideally I would like to do something like to scope it to a repository, can we somehow hand the repository down?

printf "host=github.com\nprotocol=https\npath=cargo-bins/cargo-binstall" | git credential fill

NobodyXu
NobodyXu reviewed Aug 8, 2024
View reviewed changes
Copy link
Member

@NobodyXu NobodyXu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

According to gh-auth-login doc, the token could be stored in a system credential store, it only fallbacks if it's not available.

I suggest to fallback to git, if gh-auth-token fails

@ChrisBr
Copy link
Author

ChrisBr commented Aug 8, 2024

@NobodyXu thanks, makes sense.

Do you see a way to scope the token per repository, that's what we're doing in CI for security reason. Or does cargo-binstall need a token valid for all repositories it attempts to download?

@NobodyXu
Copy link
Member

NobodyXu commented Aug 8, 2024

Or does cargo-binstall need a token valid for all repositories it attempts to download?

Yes, it currently just reuses the same github-token for every repository of the crates to install.

@passcod
Copy link
Member

passcod commented Aug 8, 2024

I also want to say that on my system, using printf "host=github.com\nprotocol=https" | git credential fill does not return anything useful, while gh is currently logged in and binstall uses its token.

@ChrisBr
Copy link
Author

ChrisBr commented Aug 8, 2024

I also want to say that on my system, using printf "host=github.com\nprotocol=https" | git credential fill does not return anything useful

Hum that's interesting. But your git client is authenticated and can push to Github? Or do you use gh for this?

I don't use gh myself and only use plain old git.

@passcod
Copy link
Member

passcod commented Aug 9, 2024

Yes, I can push to git, because that uses ssh keys.

@ChrisBr
Copy link
Author

ChrisBr commented Aug 9, 2024

Yes, I can push to git, because that uses ssh keys.

Ah got it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NobodyXu NobodyXu NobodyXu left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ChrisBr @NobodyXu @passcod