Everyone loves sharing their dotfiles, especially throwing them on GitHub. However, be careful what you throw in there. In this episode, we’ll talk about ~/.gitconfig:
GitHub uses OAuth for its authentication in places. Tools like the command-line gist and git clone over an HTTPS link use this too. This token is often stored in your ~/.gitconfig a la:
[github]
user = magicaltrevor
token = c5bcad3145e0f6340c1b0e098d27edb2
With this information you can be that person on GitHub. See https://help.github.com/articles/creating-an-access-token-for-command-line-use#using-the-token for how.
A brief Google search shows you the problem: Show me the pain
Yeah, people throw these tokens on public GitHub…
Thankfully git-config(1) lets you run commands to get the values for the keys.
The simplest fix is something like:
[github]
user = magicaltrevor
token = !"cat ~/.git-oauth-token | tr -d \"\n\""
You then merely put your token in ~/.git-oauth-token and chmod 400 it. (The tr is in there in case you add a newline at the end of the file.)
Now you can throw this .gitconfig on GitHub and all will be good with the world.
If you’re using a Mac, and frankly, you are, you can use OSX’s keychain support:
[github]
user = magicaltrevor
gist-oauth-token = !"security find-generic-password -gs GitHub-API-Token 2>&1 >/dev/null | cut -f 2 -d ' ' | egrep -o '[0-9a-fA-F]+' | tr -d \"\n\""
(you are free to use whatever ugly method of perl or ruby you wish to parse the output, but I like mine as I view firing up ruby as expensive compared to 3 forks… I don’t get out much)
Then add the password to the keychain, either with Keychain.app or on the command line (the -s service name must match the one the find-generic-password command looks up):
security add-generic-password -a magicaltrevor -s GitHub-API-Token -w <token>
(be aware the command line way leaks the token via ps, so don’t do it on a shared OSX system… Like anyone has those.)
If you run the command in the quotes on its own, it should return your token:
[laptop:~]% security find-generic-password -gs GitHub-API-Token 2>&1 >/dev/null | cut -f 2 -d ' ' | egrep -o '[0-9a-fA-F]+' | tr -d "\n"
c5bcad3145e0f6340c1b0e098d27edb2%
(note the lack of newline on the end.)
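Before the dotfiles go public, it is worth a mechanical check that no token-style key in the config still holds a literal value rather than a !command. Here is one as an added example, not code from the original post: a POSIX sh pre-commit hook with a check_gitconfig function (name and regex are this example's own) that rejects a staged .gitconfig whose token, gist-oauth-token or similar key does not start with "!".

```sh
#!/bin/sh
# Added example, not from the original post: a pre-commit hook that refuses to
# commit a .gitconfig (or any staged file) in which a token-style key holds a
# literal secret instead of a "!command" that fetches it at run time.
# The function name and regex are this example's own choices.

# check_gitconfig FILE: returns 0 if FILE is safe to publish, 1 if it contains
# a literal token. Keys matched: token, gist-oauth-token, oauth-token, ...
# A value is considered safe only when it starts with '!' (a command).
check_gitconfig() {
  file="$1"
  bad=$(grep -inE '^[[:space:]]*[A-Za-z_-]*token[[:space:]]*=[[:space:]]*[^![:space:]]' "$file" || true)
  if [ -n "$bad" ]; then
    printf 'refusing %s: literal token value on line(s):\n%s\n' "$file" "$bad" >&2
    return 1
  fi
  return 0
}

# When installed as .git/hooks/pre-commit, scan every staged file and block
# the commit if any of them fails the check.
if [ "${0##*/}" = "pre-commit" ]; then
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if [ -f "$f" ]; then
      check_gitconfig "$f" || status=1
    fi
  done
  exit "$status"
fi
```

Copy the script to .git/hooks/pre-commit in the dotfiles repository and make it executable; a commit containing a bare token is then refused with the offending line printed.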
Update
If you have already pushed a repo with a token in it, don’t just overwrite the .gitconfig and repush, as it will still be in the history. Don’t rewrite history either. Generate a new token at Personal Access Tokens and delete the old one.
Double Update
And please please enable Two Factor Authentication on your GitHub account whilst you’re there!
Enjoy!