{"id":20397998,"url":"https://github.com/beacon-biosignals/github-token-helper","last_synced_at":"2026-01-07T09:38:52.570Z","repository":{"id":47470325,"uuid":"389710572","full_name":"beacon-biosignals/github-token-helper","owner":"beacon-biosignals","description":null,"archived":false,"fork":false,"pushed_at":"2024-07-31T19:35:11.000Z","size":18,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":21,"default_branch":"main","last_synced_at":"2025-02-04T23:16:18.517Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/beacon-biosignals.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-26T17:09:39.000Z","updated_at":"2024-07-31T19:35:13.000Z","dependencies_parsed_at":"2023-01-18T18:45:31.331Z","dependency_job_id":null,"html_url":"https://github.com/beacon-biosignals/github-token-helper","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beacon-biosignals%2Fgithub-token-helper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beacon-biosignals%2Fgithub-token-helper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beacon-biosignals%2Fgithub-token-helper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beacon-biosignals%2Fgithub-token-helper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/beacon-biosignals","download_url":"https://codeload.github.com/beacon-biosignals/github-t
oken-helper/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246249218,"owners_count":20747168,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T04:17:45.328Z","updated_at":"2026-01-07T09:38:52.513Z","avatar_url":"https://github.com/beacon-biosignals.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# github-token-helper\n\nA [Git credential helper](https://git-scm.com/docs/gitcredentials) which assists with handling GitHub authentication using Personal Access Tokens (PAT).\n\nPrimarily, this is used as a more secure alternative to using `insteadOf` inside of a Dockerfile. For example take the following Dockerfile snippet which uses `--build-arg` to pass in a secret:\n\n```Dockerfile\nARG GITHUB_TOKEN\nRUN git config --global url.\"https://${GITHUB_TOKEN}:@github.com/\".insteadOf \"https://github.com/\"\n\n# Private repo\nRUN git clone https://github.com/MyOrg/PrivateRepo.git\n\n# Prevent leaking `GITHUB_TOKEN` into the container's runtime environment.\nRUN git config --global --remove-section url.\"https://${GITHUB_TOKEN}:@github.com/\"\n```\n\nThe above works but using `--build-arg` to pass in the secret is bad as this information is embedded in the image and is easily visible by using `docker history \u003cimage\u003e`.\n\nA better approach is to use [`docker build --secret`](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) which can be secure if used correctly. 
Take the following example:\n\n```Dockerfile\nRUN --mount=type=secret,id=github_token \\\n    git config --global url.\"https://$(cat /run/secrets/github_token):@github.com/\".insteadOf \"https://github.com/\"\n\n# Private repo\nRUN git clone https://github.com/MyOrg/PrivateRepo.git\n\n# Prevent leaking `GITHUB_TOKEN` into the container's runtime environment.\nRUN --mount=type=secret,id=github_token \\\n    git config --global --remove-section url.\"https://$(cat /run/secrets/github_token):@github.com/\"\n```\n\nThe secret information should no longer be leaked via the image history, but since Docker uses layer caching the secret is still available in some of the image's layers.\n\nA solution to this problem is to only use the secret within the `RUN` instruction for which it is needed. We could call `git config`, use it, and then unset the value, all in the same instruction. However, if we need to use the secret over multiple `RUN` instructions we will need to either duplicate the logic or refactor the logic into a re-usable script. One variation on the re-usable script would be to make use of a [custom git credential helper](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage#_a_custom_credential_cache) which can make use of the secret when the secret is mounted but avoid embedding the secret in any layer. 
For example:\n\n```Dockerfile\n# Install github-token-helper\nRUN curl -fsSLO https://raw.githubusercontent.com/beacon-biosignals/github-token-helper/v0.1.2/github-token-helper \u0026\u0026 \\\n    install github-token-helper /usr/local/bin \u0026\u0026 \\\n    git config --system credential.https://github.com.helper \"/usr/local/bin/github-token-helper -f /run/secrets/github_token\"\n\n# Private repo\nRUN --mount=type=secret,id=github_token \\\n    git clone https://github.com/MyOrg/PrivateRepo.git\n```\n\n## Installation\n\nThe basic installation requires the script to be present on your system and registered as a [custom helper](https://git-scm.com/docs/gitcredentials#_custom_helpers). To install `github-token-helper` on your local system you can run:\n\n```bash\ncurl -fsSLO https://raw.githubusercontent.com/beacon-biosignals/github-token-helper/v0.1.2/github-token-helper\ninstall github-token-helper $HOME\ngit config --global credential.https://github.com.helper \"$HOME/github-token-helper -f /run/secrets/github_token -e GITHUB_TOKEN\"\n```\n\n## Configuration\n\nThe `github-token-helper` accepts the following options:\n\n- `--file` / `-f`: Specify the file(s) containing the PAT. Used with `docker build --secret`.\n- `--env` / `-e`: The name of the environment variable(s) which contain the PAT to use. 
Should not be used with Docker's `--build-arg` to avoid credential leaking but can be useful for running the container interactively.\n\n## Testing\n\nYou can test the behavior of this script by running the following and entering key/value\npairs or just pressing enter twice:\n\n```bash\necho 's3cre7' \u003e mysecret.txt\n./github-token-helper -f mysecret.txt get\n```\n\nWhen installed, you can test the behavior of this credential helper (and any other helpers you have installed) via:\n\n```bash\necho -e \"protocol=https\\nhost=github.com\\nusername=x\" | git credential fill\n```\n\nThe above is useful in validating the credentials used by the current system's setup.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeacon-biosignals%2Fgithub-token-helper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbeacon-biosignals%2Fgithub-token-helper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeacon-biosignals%2Fgithub-token-helper/lists"}