Related to https://github.com/sourcegraph/sourcegraph/issues/45073
GitHub's new fine-grained access tokens have a minor difference from their classic Personal Access Tokens. In particular, I found the following from Stack Overflow: https://stackoverflow.com/questions/42148841/github-clone-with-oauth-access-token/66156992#66156992 specifically this part:
> It used to work fine for me with classical personal access token, but as of 18th of October, GitHub released also fine-grained personal access token and it looks like for them, you have to use `git clone https://oauth2:<oauth-key-goes-here>@github.com/username/repo.git`
We need to add an oauth2 username, and then the access token as the password. This is different from how PATs used to work, and I can't find any official documentation on this. I quickly tested this locally:
I created a fine-grained personal access token with the repo:Contents scope, and tried to clone repositories. It failed with "invalid username/password".
Then I changed how we generate the clone URL for GitHub here: https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/blob/internal/repos/clone_url.go?L209 by making it UsernamePassword and supplying oauth2 as the username and the access token as the password. After that the repo was able to clone successfully.
My suggestion: verify if normal personal access tokens can work like this. Because we already do this for other auth providers, like GitLab: https://sourcegraph.com/github.com/sourcegraph/sourcegraph@ce477a4ad027d3dfcf74d4246d7f4c4a0eec3876/-/blob/internal/repos/clone_url.go?L216
So if we can just add the oauth2 username and it still works for classic PATs as well, this should do the trick.
/cc @sourcegraph/iam
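The two clone URL shapes discussed in this issue, as an added Go example that is not Sourcegraph's code and not part of the original post. The helper names are hypothetical, the token is a constructed placeholder, and the token-as-username form is an assumption about the earlier shape; the example also shows that `URL.Redacted` masks only the password component, which matters when these URLs reach logs.

```go
package main

import (
	"fmt"
	"net/url"
)

type tokenStyle int

const (
	tokenAsUsername tokenStyle = iota // https://<token>@host/... (assumed earlier shape)
	oauth2Username                    // https://oauth2:<token>@host/... (shape from the issue)
)

// cloneURL embeds the token in the userinfo of an HTTPS repository URL.
// Hypothetical helper for illustration only.
func cloneURL(repoURL, token string, style tokenStyle) (*url.URL, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		// A token embedded in a cleartext URL would be sent unencrypted.
		return nil, fmt.Errorf("refusing to embed a token in a %q URL", u.Scheme)
	}
	if style == oauth2Username {
		u.User = url.UserPassword("oauth2", token)
	} else {
		u.User = url.User(token)
	}
	return u, nil
}

// safeForLog drops the whole userinfo. URL.Redacted is not enough on its own:
// it masks the password but leaves a token stored as the username visible.
func safeForLog(u *url.URL) string {
	c := *u
	c.User = nil
	return c.String()
}

func main() {
	const token = "github_pat_CONSTRUCTED_EXAMPLE" // constructed, not a real token
	for _, s := range []tokenStyle{tokenAsUsername, oauth2Username} {
		u, err := cloneURL("https://github.com/username/repo.git", token, s)
		if err != nil {
			panic(err)
		}
		fmt.Println(u.Redacted(), "|", safeForLog(u))
	}
}
```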