Skip to content

chore: bump bundled fnox to 1.24.0#15

Merged
fullerzz merged 1 commit intomainfrom
sync/fnox-1.24.0
May 9, 2026
Merged

chore: bump bundled fnox to 1.24.0#15
fullerzz merged 1 commit intomainfrom
sync/fnox-1.24.0

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented May 9, 2026

Upstream release

Bumps bundled fnox binary from 1.23.1 to 1.24.0.

Release: https://github.com/jdx/fnox/releases/tag/v1.24.0

Release notes

A focused release that adds a new github-oauth lease backend for minting short-lived, user-attributed GitHub tokens via OAuth device flow — without distributing an app private key.

Added

github-oauth lease backend (#464) -- @jdx

A new lease type that creates GitHub App user access tokens using the OAuth device flow and injects them as GITHUB_TOKEN (or a custom env var) for the duration of fnox exec. It is the recommended option for local development and user-attributed gh / GitHub API usage where you want a short-lived token tied to the signed-in user instead of a long-lived PAT in fnox.toml.

[leases.github]
type = "github-oauth"
client_id = "Iv1.yourgithubappclientid"
scope = "repo read:org workflow"
duration = "8h"
fnox exec -- gh pr list

On first run, fnox prints a verification URL and user code, optionally opens the URL in your browser, and polls GitHub until you approve the device prompt. Subsequent runs reuse the cached token until it expires.

Highlights of the backend:

  • Only the GitHub App client ID is required — no app private key and no client secret, so the lease config can be checked in and shared across a team. (The existing github-app backend remains the right choice for installation tokens in CI.)
  • OS keyring caching of access and refresh tokens, keyed by client id + scope + endpoints. Disable with keyring_cache = false to force the device flow on every lease.
  • Refresh token reuse when GitHub issues one — refreshes happen transparently; if the refresh fails, fnox falls back to a fresh device flow.
  • Configurable env var via env_var (e.g. "GH_TOKEN") and configurable auth_base / api_base for GitHub Enterprise Server.
  • open_browser controls whether fnox tries to launch the verification URL automatically (uses open / xdg-open / start).

The supported-backends table in the leases guide is updated, and the github-app docs now point local/user-attributed workflows at github-oauth. See the GitHub OAuth lease docs for the full reference.

Full Changelog: jdx/fnox@v1.23.1...v1.24.0

💚 Sponsor fnox

fnox is maintained by @jdx under en.dev — a small independent studio building developer tooling like mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.

If fnox is handling secrets or config for you or your team, please consider sponsoring at en.dev. Sponsorships are what let fnox stay independent and the project keep moving.

@fullerzz fullerzz merged commit 799cc30 into main May 9, 2026
@fullerzz fullerzz deleted the sync/fnox-1.24.0 branch May 9, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fullerzz