fix(auth): try gh auth token before git credential fill
Add a GitHub CLI fallback for GitHub-like hosts before invoking git credential fill. Update the auth resolution docs and focused auth tests to match the narrower fallback chain.
If the global token doesn't work for the target host, APM automatically retries with git credential helpers. If nothing matches, APM attempts unauthenticated access (works for public repos on github.com).
18
+
If the global token doesn't work for the target host, APM next tries the active `gh` CLI account before falling back to git credential helpers. If nothing matches, APM attempts unauthenticated access (works for public repos on github.com).
18
19
19
20
Results are cached per-process — the same `(host, org)` pair is resolved once.
20
21
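Review bot: The added sentence "APM next tries the active `gh` CLI account before falling back to git credential helpers" does not carry the "GitHub-like hosts" restriction that the commit message states, and it does not say whether the token is requested for the target host or taken from whichever account is active in `gh`. Suggest stating both in this paragraph, for example that the step is skipped for non-GitHub hosts and that the lookup is per-host (as with `gh auth token --hostname <host>`), so readers can tell that a github.com token will not be offered to a different host. Since the next line says results are cached per `(host, org)` pair, it is also worth saying that a token obtained from `gh` is cached the same way.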
@@ -28,7 +29,8 @@ All token-bearing requests use HTTPS. Tokens are never sent over unencrypted con
28
29
| 2 |`GITHUB_APM_PAT`| Any host | Falls back to git credential helpers if rejected |
29
30
| 3 |`GITHUB_TOKEN`| Any host | Shared with GitHub Actions |
30
31
| 4 |`GH_TOKEN`| Any host | Set by `gh auth login`|
31
-
| 5 |`git credential fill`| Per-host | System credential manager, `gh auth`, OS keychain |
| 6 |`git credential fill`| Per-host | System credential manager, `gh auth`, OS keychain |
32
34
33
35
For Azure DevOps, APM resolves credentials in this order: `ADO_APM_PAT` env var, then a Microsoft Entra ID (AAD) bearer token from the Azure CLI (`az`). See [Azure DevOps](#azure-devops) below.
34
36
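Review bot: Row 2 of the table still reads "Falls back to git credential helpers if rejected", which no longer matches the updated prose saying the `gh` CLI account is tried before git credential helpers; the row should name the `gh` step first. The renumbered `git credential fill` row (now 6) also still lists `gh auth` among its sources, so the table would describe `gh` as both a dedicated step and a credential-helper source. Suggest either dropping `gh auth` from that cell or noting that it applies only when `gh` is configured as a git credential helper.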
@@ -297,21 +299,24 @@ flowchart TD
297
299
B -->|GITHUB_APM_PAT_ORG| C[Use per-org token]
298
300
B -->|Not set| D{Global env var?}
299
301
D -->|GITHUB_APM_PAT / GITHUB_TOKEN / GH_TOKEN| E[Use global token]