"Dotfiles and GitHub"

Everyone loves sharing their dotfiles, especially throwing them on GitHub. However, be careful what you throw in there. In this episode, we'll talk about ~/.gitconfig:

Github uses OAuth for it's authentication in places. Tools like the command line gist and git clone with a HTTPS link uses this too. This token is often stored in your ~/.gitconfig a la:

  user = magicaltrevor
  token = c5bcad3145e0f6340c1b0e098d27edb2

With this information you can be that person on Github. See https://help.github.com/articles/creating-an-access-token-for-command-line-use#using-the-token for how.

The problem

A brief Google search, shows you the problem. Show me the pain

Yeah, people throw these tokens on public github...

The fix

Thankfully git-config(1) lets you run commands to get the values for the keys.

The simplest fix is something like:

  user = magicaltrevor
  token = !"cat ~/.git-oauth-token | tr -d \"\n\""

You then merely put your token in ~/.git-oauth-token and chmod 400 it. (the tr is in there in case you add a newline at the end of the file)

Now you can throw this .gitconfig in GitHub and will be good with the world.

The cooler fix

If you're using a Mac, and frankly, you are, you can use OSX's keychain support:

  user = magicaltrevor
  gist-oauth-token = !"security find-generic-password -gs GitHub-API-Token 2>&1 >/dev/null |  cut -f 2 -d ' ' |  egrep -o '[0-9a-fA-F]+' | tr -d \"\n\""

(you are free to use whatever ugly method of perl or ruby you wish to parse the output, but I like mine as I view firing up ruby as expensive compared to 3 forks... I don't get out much)

Then add the password to the keychain. Either with Keychain.app or on the command line:

security add-generic-password -g GitHub-API-Token -w <token>

(be aware the command line way leaks the token via ps, so don't do it on a shared OSX system... Like anyone has those.)

If you run the command in the quotes on it's own, it should return your token:

[laptop:~]% security find-generic-password -gs GitHub-API-Token 2>&1 >/dev/null |  cut -f 2 -d ' ' |  egrep -o '[0-9a-fA-F]+' | tr -d "\n"

(note the lack of newline on the end.)


If you have already pushed a repo with a token in it, don't just overwrite the .gitconfig and repush, as it will still be in the history. Don't rewrite history either. Generate a new token at Personal Access Tokens and delete the old one.

Double Update

And please please enable Two Factor Authentication on your GitHub account whilst you're there!


Comments !