Describe the bug
Even though GH_TOKEN should have higher precedence than GITHUB_TOKEN, per #2388, it seems as though gh (including 2.15.0) somehow uses the latter within Codespaces. By default, a codespace has a very-restricted GITHUB_TOKEN that has access (only) to the repo for which the codespace was created. But even if you create a less-restricted PAT with repo and read:org scopes (that should thus have access to all of one's repos) and store that value as a codespace secret called GH_TOKEN, thereby exposing it in the codespace as an environment variable, gh appears to use GITHUB_TOKEN when trying to clone those other repos, even though it reports being logged in with GH_TOKEN, per the logs below.
Steps to reproduce the behavior
- Create a private repo with just a README.md.
- Create a public repo with just a README.md.
- Create a PAT with repo and read:org scope.
- Store PAT as a codespace secret called GH_TOKEN in public repo.
- Create a codespace for public repo.
- In codespace, execute
gh auth status
which should confirm that GH_TOKEN is in use.
- In codespace, execute
gh repo clone https://github.com/{owner}/{repo}.git
where {owner}/{repo} is the private repo, which should fail.
- In codespace, execute:
export GITHUB_TOKEN=$GH_TOKEN
- In codespace, execute
gh repo clone https://github.com/{owner}/{repo}.git
which should succeed.
Expected vs actual behavior
Clone should succeed using GH_TOKEN alone, without modifying GITHUB_TOKEN.
Logs
# Confirm that gh is using GH_TOKEN
@dmalan ➜ /workspaces/public (main) $ GH_DEBUG=1 gh auth status
* Request at 2022-09-11 16:40:03.732200409 +0000 UTC m=+0.015436667
* Request to https://api.github.com/
* Request took 54.412286ms
* Request at 2022-09-11 16:40:03.786785597 +0000 UTC m=+0.070021755
* Request to https://api.github.com/graphql
* Request took 100.683283ms
github.com
✓ Logged in to github.com as dmalan (GH_TOKEN)
✓ Git operations for github.com configured to use https protocol.
✓ Token: *******************
# Try to clone with gh
@dmalan ➜ /workspaces/public (main) $ GH_DEBUG=1 gh repo clone https://github.com/dmalan/private.git
* Request at 2022-09-11 16:42:36.891859527 +0000 UTC m=+0.014884457
* Request to https://api.github.com/graphql
* Request took 166.385245ms
[git clone https://github.com/dmalan/private.git]
Cloning into 'private'...
remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/dmalan/private.git/': The requested URL returned error: 403
exit status 128
# Try to clone with git
@dmalan ➜ /workspaces/public (main) $ GH_DEBUG=1 git clone https://github.com/dmalan/private.git
Cloning into 'private'...
remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/dmalan/private.git/': The requested URL returned error: 403
# Overwrite GITHUB_TOKEN with GH_TOKEN
@dmalan ➜ /workspaces/public (main ✗) $ export GITHUB_TOKEN=$GH_TOKEN
# Clone with gh
@dmalan ➜ /workspaces/public (main) $ GH_DEBUG=1 gh repo clone https://github.com/dmalan/private.git
* Request at 2022-09-11 16:43:30.332738503 +0000 UTC m=+0.015444697
* Request to https://api.github.com/graphql
* Request took 169.280648ms
[git clone https://github.com/dmalan/private.git]
Cloning into 'private'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
# Remove clone
@dmalan ➜ /workspaces/public (main ✗) $ rm -rf private/
# Re-clone with git
@dmalan ➜ /workspaces/public (main) $ GH_DEBUG=1 git clone https://github.com/dmalan/private.git
Cloning into 'private'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
CC @aprilla @rongxin-liu
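An added diagnostic, not part of the original report or of the gh project: it asks git's own credential machinery which secret it would present for github.com and reports which of GH_TOKEN or GITHUB_TOKEN that secret matches, printing only a short SHA-256 fingerprint. The function names are hypothetical, and it assumes git and sha256sum are installed.

```shell
#!/bin/sh
# Added example: find out which environment token git actually presents,
# independent of what `gh auth status` reports. Secrets are never printed.

fingerprint() {
  # First 12 hex characters of the SHA-256 of the argument.
  printf '%s' "$1" | sha256sum | cut -c1-12
}

match_token() {
  # Print the name(s) of the environment token(s) equal to secret $1.
  hits=""
  if [ -n "${GH_TOKEN:-}" ] && [ "$GH_TOKEN" = "$1" ]; then
    hits="GH_TOKEN"
  fi
  if [ -n "${GITHUB_TOKEN:-}" ] && [ "$GITHUB_TOKEN" = "$1" ]; then
    hits="${hits:+$hits,}GITHUB_TOKEN"
  fi
  printf '%s\n' "${hits:-none}"
}

git_presented_secret() {
  # Ask git's configured credential helpers what they would send to host $1.
  # Prompts are disabled so the call fails instead of waiting for input.
  printf 'protocol=https\nhost=%s\n\n' "$1" |
    GIT_ASKPASS= GIT_TERMINAL_PROMPT=0 git credential fill 2>/dev/null |
    sed -n 's/^password=//p'
}

diagnose() {
  host=${1:-github.com}
  echo "credential helpers:"
  git config --get-all credential.helper | sed 's/^/  /'
  secret=$(git_presented_secret "$host")
  if [ -z "$secret" ]; then
    echo "git has no credential for $host"
    return 1
  fi
  echo "git presents: fp=$(fingerprint "$secret") matches=$(match_token "$secret")"
}

# Run only when asked, e.g.: sh diagnose.sh run github.com
if [ "${1:-}" = "run" ]; then diagnose "${2:-github.com}"; fi
```

A result of `matches=GITHUB_TOKEN` while `gh auth status` reports GH_TOKEN reproduces the mismatch shown in the logs above.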