Issues setting up git authentication with github CLI

[JaneJeon]

Platform or tool

GitHub

Desired or expected behavior

I authenticated my github CLI via op's GitHub plugin, using the Personal Access Token stored in my vault. It works fine when I call gh manually; however, when I try to authenticate git using gh (I wanted to use Personal Access Token for authenticating git, as I was trying to push a commit with a github workflow change), it failed (see below).

This was even after I ran gh auth setup-git, which I understand is a way for git to authenticate directly using gh CLI (which is now authenticated by the op plugin) without having to resort to git-credentials-manager.

When I inspected git settings, turns out the issue was that git was trying to use credential helper of !/opt/homebrew/bin/gh auth git-credential (default behaviour of running git auth setup-git), which was using gh without the aliasing that the op plugin sourcing does!

So I ended up having to manually set the credential helper as gh auth git-credential, but it doesn't really sit right with me.

1. Is this the "right way" to authenticate git and gh?
2. If so, could this be better documented? I looked all around in the 1pw dev docs and I didn't see anything about authenticating git itself (which is super important if you want to use your PAT to authenticate).

Thanks.

Current behavior

! [remote rejected] master -> master (refusing to allow an OAuth App to create or update workflow `.github/workflows/ci.yml` without `workflow` scope)

Relevant log output

No response

op CLI version

2.13.1

[arunsathiya]

Hi @JaneJeon, I am sorry we missed this earlier.

I stumbled upon this issue when investigating a different one. You are right in that the path should be op plugin run -- gh in .gitconfig so that it uses the 1Password-stored secret. And I hear that this manual editing isn't elegant. I'll raise this internally, thank you for reporting!

[JaneJeon]

Thank you. For the moment, I've simply resorted to using an SSH key for authentication and signing w/ github.

[AndyTitu]

Hey @JaneJeon, I've just stumbled across this cool git (+docker) 1Password credential helper project which makes it possible to use 1Password as a secret store for your git (or docker) credentials. I haven't tried it myself yet, but it seems as an interesting starting place for you if you want to switch over to using https for git auth alongside storing your credentials in 1Password.

Alternatively, if you want to stick to SSH, take a look the 1P support for SSH

[JaneJeon]

Thanks, but as I've said above, I've currently resorted to using 1P + GH over SSH, and I'd much rather have proper gh/git authentication support baked with 1p CLI.

[ascarter]

gh has a command gh auth setup-git which puts in the credential helper entries. It would be cool if when aliased via op that the call for gh auth setup-git would produce the op run version instead. Since you are wrapping gh, can you just intercept and answer this directly without letting it go to gh? Also could intercept login, logout, and refresh and give a message that 1Password is managing the GitHub auth.

[peterldowns]

+1 to @ascarter's suggestions, both about fixing the gh auth setup-git script to use the 1password wrapper, and to modify the other auth-related commands. I just had to figure all this out by myself and it was a confusing 20 minutes.