swfz / gh-annotations

list of annotations from the recently executed Workflow

Add support for secure token storage #8

Open samcoe opened 1 year ago

samcoe commented 1 year ago

Token storage change in latest release of gh

This is a message from the GitHub CLI team, maintainers of gh, writing to inform you that the most recent release of gh contains changes which may affect your extension. The latest release introduces the feature of storing authentication tokens in the system keyring (encrypted storage) instead of in a plain text file. The keyrings that are supported are:

This has huge security benefits for the users of our tool and was one of our oldest outstanding issues. Unfortunately, this change has the potential to break extensions that rely on utilizing the user's authentication token to work.

In order to have continued compatibility with gh there are some actions you, as an extension author, need to take. These actions will depend on the implementation of your extension.

Extensions built in Go using go-gh:

  1. Upgrade your go-gh version to v1.2.1, the latest version.

    • This can be done using go get github.com/cli/go-gh@v1.2.1
  2. Verify that in your extension retrieval of the user authentication token is done using the auth.TokenForHost function.

    • If you were previously accessing the authentication token using any other method it will no longer work.
    • Automatic resolution of the authentication token when using the API clients will continue to work without changes.

All other extensions:

  1. Verify that in your extension retrieval of the user authentication token is done by shelling out to the gh auth token command.

    • If you were previously accessing the authentication token using the gh config get command, reading the configuration file directly, or any other methods it will no longer work.

As of right now storing the authentication token in the system keyring is an opt-in feature, but in the near future it will be required and at that point if the changes above are not made then your extension will be broken for all users. If you have any questions/concerns about this change please feel free to open a discussion in the gh repo.

Thanks, The GitHub CLI Team
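The "all other extensions" path described in the message above, as an added example that is not part of the original thread or the extension's own code: it obtains the token by shelling out to gh auth token rather than reading the configuration file. The names tokenForHost, runner and ghRunner are hypothetical, and the command runner is injectable so the lookup can be exercised without gh installed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// runner abstracts command execution (hypothetical helper type for this example).
type runner func(name string, args ...string) ([]byte, error)

// ghRunner executes the real binary and returns only its stdout.
func ghRunner(name string, args ...string) ([]byte, error) {
	return exec.Command(name, args...).Output()
}

// tokenForHost asks gh for the token instead of reading its config file,
// so it works whether the token lives in the keyring or in plain text.
func tokenForHost(host string, run runner) (string, error) {
	// Reject empty or option-like hosts so the value cannot be parsed as a flag.
	if host == "" || strings.HasPrefix(host, "-") || strings.ContainsAny(host, " \t\r\n") {
		return "", fmt.Errorf("invalid host %q", host)
	}
	out, err := run("gh", "auth", "token", "--hostname", host)
	if err != nil {
		return "", fmt.Errorf("gh auth token failed for host %s: %w", host, err)
	}
	// gh prints the token followed by a newline; an empty result means not logged in.
	token := strings.TrimSpace(string(out))
	if token == "" {
		return "", errors.New("authentication token not found for host " + host)
	}
	return token, nil
}

func main() {
	token, err := tokenForHost("github.com", ghRunner)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Never print the token itself; report only that one was resolved.
	fmt.Printf("resolved a token of %d characters for github.com\n", len(token))
}
```
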

massongit commented 1 year ago

In gh 2.26.0 or later, running gh annotations after running gh auth login will fail. However, if I run gh auth login with --insecure-storage and then run gh annotations, it will succeed.

[My environment]

$ sw_vers
ProductName:    macOS
ProductVersion: 12.6.4
BuildVersion:   21G526

[gh 2.28.0 (via homebrew)]

$ gh --version
gh version 2.28.0 (2023-04-25)
https://github.com/cli/cli/releases/tag/v2.28.0

$ gh auth login
...

$ gh annotations -repo org/repo
authentication token not found for host github.com

$ gh auth login --insecure-storage
...

$ gh annotations -repo org/repo
Reposi...  Workflow  Event  Job  JobSt...  JobCo...  Concl...  Annot...  Message

[gh 2.26.0]

$ path/to/gh_2.26.0_macOS_arm64/bin/gh --version
gh version 2.26.0 (2023-04-04)
https://github.com/cli/cli/releases/tag/v2.26.0

$ path/to/gh_2.26.0_macOS_arm64/bin/gh auth login
...

$ path/to/gh_2.26.0_macOS_arm64/bin/gh annotations -repo org/repo
authentication token not found for host github.com

$ path/to/gh_2.26.0_macOS_arm64/bin/gh auth login --insecure-storage
...

$ path/to/gh_2.26.0_macOS_arm64/bin/gh annotations -repo org/repo
Repository  Workflow  Event  Job  JobStartedAt  JobCompletedAt  Conclusion  AnnotationLevel  Message

[gh 2.25.1]

$ path/to/gh_2.25.1_macOS_arm64/bin/gh --version
gh version 2.25.1 (2023-03-21)
https://github.com/cli/cli/releases/tag/v2.25.1

$ path/to/gh_2.25.1_macOS_arm64/bin/gh auth login
...

$ path/to/gh_2.25.1_macOS_arm64/bin/gh annotations -repo org/repo
Repository  Workflow  Event  Job  JobStartedAt  JobCompletedAt  Conclusion  AnnotationLevel  Message

massongit commented 1 year ago

https://github.com/swfz/gh-annotations/issues/8#issuecomment-1524182814 seems to have already been resolved by https://github.com/swfz/gh-annotations/pull/12. Therefore, please release it.

swfz commented 1 year ago

@massongit Thank you for your confirmation, https://github.com/swfz/gh-annotations/releases/tag/v1.0.1 has been released!

massongit commented 1 year ago

Thank you for the new release! I confirmed that v1.0.1 had resolved https://github.com/swfz/gh-annotations/issues/8#issuecomment-1524182814.

$ gh --version
gh version 2.28.0 (2023-04-25)
https://github.com/cli/cli/releases/tag/v2.28.0

$ gh auth login
...

$ gh annotations -repo org/repo
Repository  Workflow  Event  Job  JobStartedAt  JobCompletedAt  Conclusion  AnnotationLevel  Message