nodejs / node-core-utils

CLI tools for Node.js Core collaborators
https://nodejs.github.io/node-core-utils/
MIT License

Support Github credentials in ~/.gitconfig #179

Closed silverwind closed 3 years ago

silverwind commented 6 years ago

GitHub advises to store credentials into git's global configuration file and I think we should support pulling those credentials from there, if present, possibly via the parse-git-config module.

priyank-p commented 6 years ago

Seems like something we should support, also just curious how many people who use node-core-utils use it?

joyeecheung commented 6 years ago

Sounds like a good idea, but we should figure out how to get this right with our ghauth integration that creates a token for you when you run it for the first time...

  1. User has tokens in ~/.gitconfig or .git/gitconfig: use that and don't care about what permission the token github.token has?
  2. User does not have tokens in ~/.gitconfig or .git/gitconfig: create one in the prompt and put that in .git/gitconfig? Or ~/.gitconfig? What happens if they overwrite that token later?

Also, what are we going to do with the existing ~/.ncurc tokens? Are we going to ignore them? Or let the ~/.gitconfig tokens take precedence? Or the other way around?

joyeecheung commented 6 years ago

Or, the easiest way: we do a major update, simply ignore the token in ~/.ncurc (or warn the user to delete/move them?), delete the ghauth code (or provide an alternative tool that allows user to create the tokens while choosing where they want to place it), and only use ~/.gitconfig/.git/gitconfig (local config takes precedence)

priyank-p commented 6 years ago

> simply ignore the token in ~/.ncurc

I think we can do it manually after prompting the user about it. It should just require us to append:

[github]
     user = <user>
     token = <token>

* the spaces are tabs

(That should provide better migration over new config)

silverwind commented 6 years ago

If we don't expect more options to be added to .ncurc in the future, it might be best to deprecate it with a warning.

I wouldn't write into git configuration files as that can be tricky. For example, I use an [include] section to include another file in my gitconfig (the one where I store sensitive information like the GitHub token).

priyank-p commented 6 years ago

> For example, I use an [include] section to include another file in my gitconfig

@silverwind thanks for the heads up for that, I didn't know you could do that :). Instead of writing to the file, we can just run the cmds using child_process if the user wants, since the end goal is to provide an easier transition.

silverwind commented 6 years ago

Running git commands like git config --global github.user user would still write to ~/.gitconfig (even in the presence of includes) and some people (like me) track this file in public source control, so it'd be obviously dangerous to write credentials into it.

I think the only sensible choice is to print a deprecation warning and let the user handle it.

BTW, here's my setup in case you're interested: .gitconfig .gitconfig.local

priyank-p commented 6 years ago

@silverwind that's why I said "if the user wants" so you or anyone as a user can choose what to do :)

silverwind commented 6 years ago

Ah, prompting the user interactively could work of course.

gibfahn commented 6 years ago

> I wouldn't write into git configuration files as that can be tricky. For example, I use an [include] section to include another file in my gitconfig (the one where I store sensitive information like the GitHub token)

Using an [include] section is interesting, I hadn't heard of that.

> Or, the easiest way: we do a major update, simply ignore the token in ~/.ncurc (or warn the user to delete/move them?), delete the ghauth code (or provide an alternative tool that allows user to create the tokens while choosing where they want to place it)

What's the downside to keeping .ncurc? I'd assume we're likely to need more config info in there at some point.

The "one token" idea makes sense in some contexts, but I have multiple tokens with different scopes, so I'd rather have them in separate files.

How about using the GitHub one if it's there? If it has the wrong permissions (or isn't there) prompt to generate a token, and then give the user the choice of where to put it.

silverwind commented 6 years ago

> How about using the GitHub one if it's there? If it has the wrong permissions (or isn't there) prompt to generate a token, and then give the user the choice of where to put it.

Good point. We can just transparently add support for using the token in git configuration if it's there. Not sure about the prompting part. I'd expect a user of this tool to be competent enough to edit some files on their machine, no need for hand-holding.
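
Added example (not part of the thread and not node-core-utils code): a read-only lookup that uses the git configuration token when present and otherwise falls back to ~/.ncurc, letting git resolve local-over-global precedence and `[include]` files and reporting which file the token came from. It assumes ~/.ncurc is JSON with `username` and `token` keys; all function names are hypothetical and the sample output is constructed.

```javascript
// Ask git itself, so precedence and [include] sections are handled by git.
// `--show-origin` prefixes the value with "file:<path>\t".
function gitGet(key) {
  const { execFileSync } = require('node:child_process');
  try {
    return execFileSync('git', ['config', '--show-origin', '--get', key],
      { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
  } catch {
    return ''; // key not set, or git not available
  }
}

// Assumption: ~/.ncurc is a JSON file with "username" and "token" keys.
function readNcurc() {
  const fs = require('node:fs'), os = require('node:os'), path = require('node:path');
  try {
    return JSON.parse(fs.readFileSync(path.join(os.homedir(), '.ncurc'), 'utf8'));
  } catch {
    return {};
  }
}

// Split one line of `git config --show-origin --get <key>` output.
function parseOrigin(line) {
  const m = /^([^\t]+)\t(.*)$/.exec(line.replace(/\r?\n$/, ''));
  return m ? { origin: m[1], value: m[2] } : null;
}

// Git config wins when it holds a token; otherwise fall back to ~/.ncurc.
// Nothing is written anywhere, and callers should log `source`, never `token`.
function resolveCredentials(get = gitGet, ncurc = readNcurc) {
  const token = parseOrigin(get('github.token'));
  if (token) {
    const user = parseOrigin(get('github.user'));
    return { source: token.origin, username: user ? user.value : null, token: token.value };
  }
  const rc = ncurc();
  return rc.token ? { source: '~/.ncurc', username: rc.username || null, token: rc.token } : null;
}

// Constructed sample: token kept in an included file, user name in ~/.gitconfig.
const sample = {
  'github.token': 'file:/home/dev/.gitconfig.local\tCONSTRUCTED-TOKEN\n',
  'github.user': 'file:/home/dev/.gitconfig\tdev\n',
};
const found = resolveCredentials((key) => sample[key] || '', () => ({}));
console.log(`using token for ${found.username} from ${found.source}`);
```

Calling `resolveCredentials()` with no arguments runs the real `git config` lookup and reads the real ~/.ncurc.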

github-actions[bot] commented 3 years ago

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.