Documentation
¶
Overview ¶
Package github implements the GitHub credential provider.
The GitHub provider acquires and manages GitHub tokens for container runs. Tokens can be obtained from:
- Environment variables (GITHUB_TOKEN, GH_TOKEN)
- The gh CLI (gh auth token)
- Interactive PAT prompt
The provider configures the proxy to inject Bearer tokens for api.github.com and github.com. Containers receive a format-valid placeholder token that passes gh CLI local validation, while the real token is injected at the network layer by the proxy.
Token refresh is supported for CLI and environment sources (30 minute interval). PATs entered interactively are static and cannot be refreshed.
Index ¶
- Constants
- type Provider
- func (p *Provider) CanRefresh(cred *provider.Credential) bool
- func (p *Provider) Cleanup(cleanupPath string)
- func (p *Provider) ConfigureProxy(proxy provider.ProxyConfigurer, cred *provider.Credential)
- func (p *Provider) ContainerEnv(cred *provider.Credential) []string
- func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)
- func (p *Provider) Grant(ctx context.Context) (*provider.Credential, error)
- func (p *Provider) ImpliedDependencies() []string
- func (p *Provider) Name() string
- func (p *Provider) Refresh(ctx context.Context, proxy provider.ProxyConfigurer, cred *provider.Credential) (*provider.Credential, error)
- func (p *Provider) RefreshInterval() time.Duration
Constants ¶
const ( SourceCLI = "cli" // From `gh auth token` - refreshable SourceEnv = "env" // From GITHUB_TOKEN/GH_TOKEN env var - refreshable SourcePAT = "pat" // Interactive PAT entry - static )
Token source values stored in Credential.Metadata[provider.MetaKeyTokenSource].
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Provider ¶
type Provider struct{}
Provider implements provider.CredentialProvider for GitHub.
func (*Provider) CanRefresh ¶
func (p *Provider) CanRefresh(cred *provider.Credential) bool
CanRefresh reports whether this credential can be refreshed. Returns false for static credentials (PATs) and legacy credentials without metadata.
func (*Provider) ConfigureProxy ¶
func (p *Provider) ConfigureProxy(proxy provider.ProxyConfigurer, cred *provider.Credential)
ConfigureProxy sets up proxy headers for GitHub.
func (*Provider) ContainerEnv ¶
func (p *Provider) ContainerEnv(cred *provider.Credential) []string
ContainerEnv returns environment variables for GitHub.
GH_TOKEN: Used by gh CLI for API authentication. We set a format-valid placeholder (ghp_...) that passes gh CLI's local validation. The proxy intercepts HTTPS requests and injects the real token via Authorization headers.
GIT_TERMINAL_PROMPT: Set to 0 to disable interactive credential prompts from git.
func (*Provider) ContainerMounts ¶
func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)
ContainerMounts returns mounts for GitHub. Copies user's gh CLI config (for aliases, preferences) if it exists. Authentication is handled via GH_TOKEN environment variable. Returns the temp directory path for cleanup when the run ends.
func (*Provider) Grant ¶
Grant acquires GitHub credentials interactively or from environment.
Token acquisition order:
- GITHUB_TOKEN or GH_TOKEN environment variable
- gh CLI token via `gh auth token`
- Interactive PAT prompt
func (*Provider) ImpliedDependencies ¶
ImpliedDependencies returns dependencies implied by this provider.
func (*Provider) Refresh ¶
func (p *Provider) Refresh(ctx context.Context, proxy provider.ProxyConfigurer, cred *provider.Credential) (*provider.Credential, error)
Refresh re-acquires a fresh token from the original source and updates the proxy. Returns ErrRefreshNotSupported if the credential cannot be refreshed.
func (*Provider) RefreshInterval ¶
RefreshInterval returns how often to attempt refresh.
Source Files