To set some context:
- GitHub CLI uses the GITHUB_TOKEN environment variable to cache GitHub auth tokens after a user logs into the GitHub CLI.
- Codespaces also uses GITHUB_TOKEN, but the token it puts in there is very restrictive because they want to be careful about what they give the Codespace permission to do.
- Git needs credentials in the Codespace to push to remotes and other privaleged operations. This works out of the box, but not after you login to the GitHub CLI.
The workflow that I want to be smooth is this:
- Fork a repository and create a Codespace using the GitHub UI
- From within the Codespace, use the GitHub CLI to create a GitHub Secret to be used by my GitHub Action
gitto push code changes to my fork
Let’s start at the second step, creating a secret with GitHub CLI.
When you try to do that today you get this error message:
gh secret set AZURE_CREDENTIALS -b'"...."
failed to fetch public key: HTTP 403: Resource not accessible by integration
What that error means is: “Your current authentication doesn’t have permissions to create a secret” - because you are using the limited permissions that the Codespace gave you.
I’ve filed an issue here to get a better error message: https://github.com/cli/cli/issues/3797
What you need to do is re-authenticate. You try with
gh auth login, but when you do that you get this error:
The value of the GITHUB_TOKEN environment variable is being used for authentication. To have GitHub CLI store credentials instead, first clear the value from the environment.
Currently, the GitHub CLI doesn’t let you overwrite the GITHUB_TOKEN env var when you run
gh auth login, so what you need to do is clear that env var like this:
I’ve filed an issue here to allow us to overwrite GITHUB_TOKEN: https://github.com/cli/cli/issues/3799
Then you can re-auth with the GitHub CLI with
gh auth login and create your secret or do whatever you were trying to do with it.
Then, when you try to do something with git, like push code changes to your fork, you’ll likely get this error:
git push --set-upstream origin env-dev5 remote: Invalid username or password. fatal: Authentication failed for 'https://github.com/jongio/golang-sample-app/'
I’ve filed an issue here to not put git in an invalid state after calling gh auth login: https://github.com/cli/cli/issues/3798
It doesn’t prompt you to enter username or password. So you are stuck.
But, it turns out that you can use the GitHub CLI as a git credential helper, so that when git needs to auth it will use the GitHub CLI to do so. Here’s how you set that up:
git config --global credential.https://github.com.helper '' git config --global 'credential.https://github.com' '!gh auth git-credential'
I’ve filed an issue here to make that easier for us: https://github.com/cli/cli/issues/3796
Hopefully, you found this post by searching up the error messages and this helped you resolve your issue. If not, comment below and I’ll try to help.