How do I ensure `gh` doesn't use `~/.config/gh/config.yml`? #7435

sheldonhull · 2023-05-12T21:23:23Z

sheldonhull
May 12, 2023

I've explicitly disabled and blocked this directory as I didn't want it writing plain text token information again.

I setup git credential manager and set it to use this:

[credential "https://github.com"]
   provider= github
   helper = /usr/local/bin/git-credential-manager
   useHttpPath = true
   interactive= auto
   guiPrompt = false

I also exited the git daemon processes and reloaded in a new terminal and authenticated after getting the expected git credential manager prompt for web/token.

I can't get gh repo list or any other command to work when that gh/config.yml is blocked.
Is it required even if not using auth?
If so, how do I get gh to honor my credential settings and not store a plain text token?

Answered by mislav

May 14, 2023

You can use gh auth login --secure-storage, which is now the default behavior even if you don't pass that flag. That will still write host information to either config.yml or hosts.yml, but won't save your token there, and instead save it to Keychain on macOS, "wincred" on Windows, or Secret Service (e.g. Gnome keyring) on Linux. This will typically only work on computers with a graphical desktop environment installed.

In all other environments you can manually set the GH_TOKEN environment variable with a Personal Access token you've generated yourself. In that case, gh will only read from the environment variable and not from config.yml or hosts.yml.

View full answer

mislav · 2023-05-14T10:30:06Z

mislav
May 14, 2023

You can use gh auth login --secure-storage, which is now the default behavior even if you don't pass that flag. That will still write host information to either config.yml or hosts.yml, but won't save your token there, and instead save it to Keychain on macOS, "wincred" on Windows, or Secret Service (e.g. Gnome keyring) on Linux. This will typically only work on computers with a graphical desktop environment installed.

In all other environments you can manually set the GH_TOKEN environment variable with a Personal Access token you've generated yourself. In that case, gh will only read from the environment variable and not from config.yml or hosts.yml.

4 replies

sheldonhull May 18, 2023
Author

thank you! I'll try this out. I'm trying to ensure no plain text tokens anywhere on system and either vault pulled or in keychain, so i'll try this out.

sheldonhull May 18, 2023
Author

@mislav so I'm on cli version 2.29.0 and last I tried it stored a token.
There should be no token saved to that file directly in darwin right?

mislav May 19, 2023

Yes, on darwin Keychain should be used. If that doesn't work, check if the security CLI tool has access to Keychain. You should have been asked by OS dialog prompt for this, but if you've answered "never" some time in the past, that could have affected it. Otherwise, open an issue please!

zimmerman-pliant Mar 27, 2024

This will typically only work on computers with a graphical desktop environment installed.

Is there a recommended solution for headless embedded computers?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How do I ensure `gh` doesn't use `~/.config/gh/config.yml`? #7435

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How do I ensure gh doesn't use ~/.config/gh/config.yml? #7435

sheldonhull May 12, 2023

Replies: 1 comment · 4 replies

mislav May 14, 2023

sheldonhull May 18, 2023 Author

sheldonhull May 18, 2023 Author

mislav May 19, 2023

zimmerman-pliant Mar 27, 2024

How do I ensure `gh` doesn't use `~/.config/gh/config.yml`? #7435

sheldonhull
May 12, 2023

Replies: 1 comment 4 replies

mislav
May 14, 2023

sheldonhull May 18, 2023
Author

sheldonhull May 18, 2023
Author