Technote about credentials

[jeroen]

Preview here: https://deploy-preview-713--ropensci.netlify.app/technotes/2020/07/07/github-pat/

@jennybc @hadley does this answer most of your questions? I'd like to keep the post fairly introductory, and refer to the git-credential docs and package documentation for technical details.

[jeroen]

Do you endorse that? Is that worth mentioning as a fairly direct substitute for inlining a PAT in ~/.Renviron?

I think so. Myself I call set_github_pat() only once I need the GITHUB_PAT. There is no need to have the GITHUB_PAT in my R session all the time.

Then again if you do a lot of work with the GH api, it probably makes sense to do it in your .Rprofile.

[hadley]

I'd prefer not to endorse, or at least endorse with conditions, because I think it's a transitional state — the packages that use the env var (gh, remotes, and usethis?) should pretty rapidly transition to using credentials so that the PAT is only retrieved when necessary. I'd prefer to do one big push to get everyone's PAT out of .Renviron, so I think that should wait until we've incorporated the pluming into the major packages.

[jennybc]

I'd prefer not to endorse, or at least endorse with conditions, because I think it's a transitional state — the packages that use the env var (gh, remotes, and usethis?) should pretty rapidly transition to using credentials so that the PAT is only retrieved when necessary. I'd prefer to do one big push to get everyone's PAT out of .Renviron, so I think that should wait until we've incorporated the pluming into the major packages.

I want to make sure I follow you. Currently set_github_pat() takes the PAT from the credential store and puts it into the GITHUB_PAT env var. There's not a function marketed as simply returning the PAT, although obviously there could be. We use the session's env var as the cache.

Are you proposing this:

• credentials exports a function to fetch (and validate?) the PAT and we start to use that directly, instead of something that queries and env var
• credentials (or client packages) cache the fetched and validated PAT during the course of a session

[jennybc]

Or maybe @Hadley is saying that usethis should be the one making the credentials::set_github_pat() call, if the env var doesn't already hold a PAT? So, we still use the env var mechanism, but instead of making the PAT "always available", any package that needs the PAT is responsible for firing it.

[hadley]

Right, I'm just saying we should be responsible for it — i.e. if you've correctly setup your GitHub PAT with credentials, all our packages should just work without additional user intervention.

[jeroen]

usethis should be the one making the credentials::set_github_pat() call, if the env var doesn't already hold a PAT? So, we still use the env var mechanism, but instead of making the PAT "always available", any package that needs the PAT is responsible for firing it.

Yes I think this is the best solution.

One important limitation to be aware of is that most credential helpers do not allow you to programatically insert a password or token into the store. The user must interactively type the password or token in the dialog. So we still need to support the GITHUB_PAT environment variable for those cases where the token is not provided by an interactive user, but set externally, for example in CI environments.

[jeroen]

This is now live: https://ropensci.org/technotes/2020/07/07/github-pat/ . Thanks for the feedback!