
How not to get prompted for your GitHub username and token every time

Feb 10, 2023 · 3 mins read

Getting prompted for your GitHub username and token every time you pull is annoying. Keep in mind that PATs (Personal Access Tokens) aren’t the default solution anymore, as of the time of writing. GitHub released new tokens, called fine-grained tokens, which alas are still in beta. As the name suggests, the main difference is scope: a PAT can access every repo you have access to, whereas a fine-grained token can be limited to the repos you specify. This post focuses on PATs only, since I didn’t have time to play around with fine-grained ones.

So, to avoid being prompted on each git pull, you need to save, or better, cache these credentials somewhere in memory or on disk. The steps below describe the simplest, somewhat secure way to get this done.

Prerequisites

  • GitHub account
  • GitHub PAT (Personal Access Token)

Solution

Step 1. Create a GitHub Personal Access Token: Click on your GitHub Profile -> Settings -> Developer settings -> Personal access tokens -> Tokens (classic) -> Generate new token -> Fill in the note, expiration and scopes -> Generate token -> Save the token somewhere secure for later use.

Step 2. Clone the desired repository over HTTPS. I’ve seen many bad examples on the internet that suggest running one of the following commands:

git clone https://<token>@github.com/<username>/<repo>.git
git clone https://<username>:<token>@github.com/<username>/<repo>.git
git remote set-url origin https://<token>@github.com/<username>/<repo>

This is poor practice: the token ends up in your shell history and in the remote URL, so simply typing history or git remote -v exposes it.
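To check an existing clone for this pattern, here is an added example (not from the original post) that detects a token embedded in an HTTPS remote URL and rewrites the remote without it. The function names and the fix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Succeed if an http(s) URL has userinfo (token or user:token) before the host.
url_has_creds() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;              # ssh/scp-style URLs carry no secret
    esac
    authority=${1#*://}
    authority=${authority%%/*}      # ignore any "@" that appears in the path
    case "$authority" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the URL with the userinfo part removed.
strip_url_creds() {
    url_has_creds "$1" || { printf '%s\n' "$1"; return 0; }
    rest=${1#*://}
    authority=${rest%%/*}
    path=${rest#"$authority"}
    printf '%s://%s%s\n' "${1%%://*}" "${authority##*@}" "$path"
}

# Report remotes in repo $1 (default ".") whose URL embeds credentials.
# With "fix" as $2, rewrite them in place. Only cleaned URLs are printed,
# so the secret never reaches the terminal or a log.
# Returns 1 when a finding was reported and not fixed.
audit_remotes() {
    repo=${1:-.}; mode=${2:-report}; status=0
    for name in $(git -C "$repo" remote); do
        url=$(git -C "$repo" config --get "remote.$name.url") || continue
        url_has_creds "$url" || continue
        clean=$(strip_url_creds "$url")
        if [ "$mode" = fix ]; then
            git -C "$repo" remote set-url "$name" "$clean"
            echo "fixed: $name -> $clean"
        else
            echo "embedded credentials: $name ($clean)"
            status=1
        fi
    done
    return "$status"
}
```

Rewriting the remote does not clear the token from shell history, so a token that was typed into one of the commands above should be regenerated.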

Step 3. Make sure to configure your Git user name and email. For instance:

git config --global user.name devcoops
git config --global user.email <your-email>

Step 4. You have a few options for caching your credentials, including GitHub CLI, Git Credential Manager (GCM), or Git’s native gitcredentials. To keep things basic and avoid installing additional dependencies, I’ve chosen the last option.

However, gitcredentials offers two options, known as helpers:

  • cache: Caching credentials in memory for a defined period of time.
  • store: Storing credentials indefinitely on disk.

I’m not saying that keeping secrets in memory for a limited period of time is a bulletproof solution, but it’s way “safer” than saving them on disk. Ideally, you always want to cache creds, so run:

git config --global credential.helper 'cache --timeout=1800'

Note: Default timeout value is 900 seconds.

On the other hand, if you are lazy enough and security is not “a big deal”, run the following command instead:

git config credential.helper store

Note: Sadly, your username and secret end up in a plain-text file named .git-credentials in your home or root directory.

Step 5. Finally, validate by running git pull.

Conclusion

The solution is mainly aimed at Linux machines. On macOS, use the Keychain Access app, and on Windows, use Windows Credentials. You’ll figure it out.