6

Question:

Is there a way to combine the advantages of GitHub's fine-grained PATs with the simplicity of git pull over HTTPS? If so, then how?

Background

GitHub has "classic" and "fine-grained" personal access tokens (PATs):

enter image description here

Go to Settings > Developer Settings to see these.

I have been using a classic PAT to run git pull commands over HTTPS, to pull the latest commits from GitHub:

git pull https://${token}@github.com/${owner}/${repo}.git

This works without prompting for a password (I keep the PAT's expiration period reasonably short).

I cannot just (naively) substitute a new fine-grained token for the classic token in my git pull command. It prompts me for a password. (It is treated as a user ID, I assume.)

Fine-grained PATs certainly work with the GitHub REST API. I can use the API to get a commit if I have the commit SHA. But that is quite low-level compared to git pull and I don't want to "reimplement a lot of Git functionality" (ref).

Fine-grained PATs are welcomed because of their ability to lock down access to specific repos and specific functions. But how (if at all) can they be used directly with git pull commands?

I am using Git v2.38.1 (the latest release, currently).

andrewJames
  • 19,570
  • 8
  • 19
  • 51

4 Answers4

8

I used @bk2204's answer and took the following steps, to move from a "token-in-the-URL" approach (bad!) to a "credentials-in-a-store" approach (better!).

Using the newer GitHub fine-grained tokens for this worked without a problem.

I wanted to document the specific steps - here they are.

In GitHub:

  1. Create a new PAT: Settings > Developer Settings > Fine-grained tokens.

  2. Give this token access to one repository.

  3. Grant one Repository permission: Contents (read-only).

enter image description here

This also automatically sets the Metadata (read-only) permission, as well.

  1. I did NOT need or grant any Account permissions.

On my server:

This is a headless Linux box. I do not have any 3rd party key stores integrated with Git (for example, no libsecret).

I chose to use the Git-provided store. Although this stores credentials in plaintext, it's no less secure (in my opinion) than SSH keys stored in .ssh. This is acceptable for my situation - and is far better than what I have been doing (placing a token directly in the URL of the pull command).

Specific one-time set-up commands:

git config --global credential.helper store
git config --global credential.useHttpPath true

That creates the following in my global .gitconfig file:

[credential]
        helper = store
        useHttpPath = true

Then, in my Git repo directory, I run a simple pull:

git pull https://github.com/${owner}/${repo}.git

As a one-time step, I have to manually provide my user ID and the PAT at the prompts.

These credentials are stored in a new (for me) .git-credentials file. The format of the credentials is:

https://<user ID>:<fine-grained PAT>@github.com/<owner>/<repo>.git

I can repeat this process for more repos, each with their own PAT, as needed.

When I execute subsequent git pull commands, the relevant URL-specific credentials from the store are used - no command line interaction is needed.

andrewJames
  • 19,570
  • 8
  • 19
  • 51
2

You generally want to avoid using a token in the URL. While this is convenient when testing things from the command line, it's not very secure, and Git is trying to make it more difficult to do this.

If you want to store this information, use a credential helper. You can use a credential per URL in the credential helper by setting credential.usehttppath to true. (You can also use something like credential.https://github.com.usehttppath as well.) Then, when you're prompted for your username, specify your regular username, and specify the token for the password.

If you need to operate something from a shell script or other non-interactive use, the Git FAQ mentions how to use a simple credential helper to read from the environment. Again, specify the token as the password, not the username.

bk2204
  • 64,793
  • 6
  • 84
  • 100
1

Using same format for git pull command as classic token

git pull https://${token}@github.com/${owner}/${repo}.git

It gives a three choices to me.

#1 First (Sign in with your browser): I can login by username and password

#2 Second (Sign in with a code) : I can login by 8 digits hex code

#3 Third (Token) : I can login by fine token (PAT)

enter image description here

The Fine token assigned all repository or specific repositories only. And assign detail permissions by PAT UI screen.

Here is detail information about Fine grained PAT.

JulianHarty
  • 3,178
  • 3
  • 32
  • 46
Bench Vue
  • 5,257
  • 2
  • 10
  • 14
-2

Just add your username:

git pull https://${username}:${token}@github.com/${owner}/${repo}.git

However, as bk2204 stated, it is generally not recommended to have secret tokens in your URL.

k4rim
  • 1
  • 1
  • 1
  • 1
    This doesn't work for me. ```remote: Support for password authentication was removed on August 13, 2021. remote: Please see https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.``` – Emre Dec 29 '22 at 11:10
  • Please see https://stackoverflow.com/a/68781050/19382866, Emre Sülün. – k4rim Dec 29 '22 at 22:05