Using GitHub CLI and Git in GitHub Codespaces

'GitHub Codespaces, CLI, and Git'

I work with GitHub Codespaces quite a bit and discovered that there a few things that don’t work well with GitHub CLI and Git.

To set some context:

  1. GitHub CLI uses the GITHUB_TOKEN environment variable to cache GitHub auth tokens after a user logs into the GitHub CLI.
  2. Codespaces also uses GITHUB_TOKEN, but the token it puts in there is very restrictive because they want to be careful about what they give the Codespace permission to do.
  3. Git needs credentials in the Codespace to push to remotes and other privaleged operations. This works out of the box, but not after you login to the GitHub CLI.

The workflow that I want to be smooth is this:

  1. Fork a repository and create a Codespace using the GitHub UI
  2. From within the Codespace, use the GitHub CLI to create a GitHub Secret to be used by my GitHub Action
  3. Use git to push code changes to my fork

Let’s start at the second step, creating a secret with GitHub CLI.

When you try to do that today you get this error message:

gh secret set AZURE_CREDENTIALS -b'"...."
failed to fetch public key: 
HTTP 403: Resource not accessible by integration

What that error means is: “Your current authentication doesn’t have permissions to create a secret” - because you are using the limited permissions that the Codespace gave you.

I’ve filed an issue here to get a better error message: https://github.com/cli/cli/issues/3797

What you need to do is re-authenticate. You try with gh auth login, but when you do that you get this error:

The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.

Currently, the GitHub CLI doesn’t let you overwrite the GITHUB_TOKEN env var when you run gh auth login, so what you need to do is clear that env var like this:

export GITHUB_TOKEN=

I’ve filed an issue here to allow us to overwrite GITHUB_TOKEN: https://github.com/cli/cli/issues/3799

Then you can re-auth with the GitHub CLI with gh auth login and create your secret or do whatever you were trying to do with it.

Then, when you try to do something with git, like push code changes to your fork, you’ll likely get this error:

git push --set-upstream origin env-dev5
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/jongio/golang-sample-app/'

I’ve filed an issue here to not put git in an invalid state after calling gh auth login: https://github.com/cli/cli/issues/3798

It doesn’t prompt you to enter username or password. So you are stuck.

But, it turns out that you can use the GitHub CLI as a git credential helper, so that when git needs to auth it will use the GitHub CLI to do so. Here’s how you set that up:

git config --global credential.https://github.com.helper ''
git config --global 'credential.https://github.com' '!gh auth git-credential'

I’ve filed an issue here to make that easier for us: https://github.com/cli/cli/issues/3796

Hopefully, you found this post by searching up the error messages and this helped you resolve your issue. If not, comment below and I’ll try to help.

Jon