Support GH_TOKEN

[zx8]

#976 taught gh to respect the GITHUB_TOKEN environment variable. Unfortunately, I already use this environment variable for other tools, and as such it has the absolute minimum set of scopes attached to it for security purposes.

Now that gh has started use this environment variable, I'm getting the following error:

Warning: gh now requires the `read:org` OAuth scope.
Visit https://github.com/settings/tokens and edit your token to enable `read:org`
or generate a new token for the GITHUB_TOKEN environment variable
graphql error: 'Your token has not been granted the required scopes to execute this query. The 'name' field requires one of the following scopes: ['read:org', 'read:discussion'], but your token has only been granted the: ['repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.'

I don't want to grant this token additional scopes because it is not required for the other tools that use it.

Possible solutions:

• Rename GITHUB_TOKEN to GITHUB_GH_TOKEN and avoid clashes altogether
• Unset GITHUB_TOKEN to allow OAuth flow to take precedence (i.e. create a wrapper script which invokes GITHUB_TOKEN= command gh "$@")
• Let the user specify which auth method should take precedence – in my case, I specifically do not want to use the GITHUB_TOKEN method

Thoughts?

[mislav]

Hi thanks for bringing this up!

For the reasons you mentioned, maybe we should have called this variable GH_TOKEN. I was initially advocating for using GITHUB_TOKEN because I saw it as an already established convention, but I get what you're saying re: varying OAuth scopes.

[oiricaud]

This is already implemented? What! Thanks I requested this feature 1-2 weeks ago. Ima try it out

[Lewiscowles1986]

well they could launch their process with an overridden GITHUB_TOKEN, it's not outside of the bounds of normalcy or reasonable behaviour to avoid needing a code change. (still what I would recommend instead of iterating on GITHUB_TOKEN, just unset or redefine it within the process you wish to not use it for...)

Also are all github orgs not readable by default? Or is that permission for private information. What does gh cli need from orgs:read which is not public? @mislav answered this below

[mislav]

@Lewiscowles1986 We need read:org because of organization teams. PR reviewer requests can be to a team, and repository create operation can assign a repo to a team if it's within an organization. Both need read:org.

[vilmibm]

I am definitely ok with GH_TOKEN.

[mislav]

The question now is whether we should also remove support for GITHUB_TOKEN if we add GH_TOKEN?

The way I see it, the original report basically argues that automatically respecting GITHUB_TOKEN can be harmful if that token doesn't have sufficient scopes. Removing it may break scripts that already rely on GITHUB_TOKEN, but maybe that's ok since we're still in beta and the feature has been around for only a short time.

On the other hand, I see supporting GITHUB_TOKEN as something intuitive, and perhaps we could require that if someone has that environment variable set, it needs to have at least repo, read:org scopes? 🤔

[zx8]

@mislav I'd have no problem if both GITHUB_TOKEN and GH_TOKEN were supported iff GH_TOKEN took precedence, since then I could just grant it the required scopes and not have to over-grant access to GITHUB_TOKEN.

[mislav]

I'd have no problem if both GITHUB_TOKEN and GH_TOKEN were supported iff GH_TOKEN took precedence

Fantastic. I think that's a great compromise ✨

[vilmibm]

It's been pointed out elsewhere that we aren't doing a good job of surfacing this support in docs. This issue should include better coverage of this feature (perhaps in the manually maintained "examples" section of the manual).