playbooks

home / skills / jackspace / claudeskillz / github-auth

github-auth skill

/skills/github-auth

This skill securely manages GitHub credentials for API calls and git operations, guiding safe authentication and workflow automation.

npx playbooks add skill jackspace/claudeskillz --skill github-auth

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
6.0 KB
---
name: github-auth
description: Securely authenticate with GitHub using stored credentials for API operations and git commands
---

# GitHub Authentication

This skill provides secure access to GitHub credentials for API operations, repository management, and git commands.

## Instructions

When helping with GitHub operations that require authentication:

### Credential Location
- Credentials are stored in the project root `.env` file
- **Cross-platform path examples:**
  - Linux/macOS: `~/apps/your_claude_skills/.env` or use relative path: `./.env`
  - Windows: `%USERPROFILE%\apps\your_claude_skills\.env` or relative: `.\.env`

- **Load credentials:**
  ```bash
  # Linux/macOS:
  source ./.env

  # Windows PowerShell:
  # Get-Content .\.env | ForEach-Object { if ($_ -match '^([^=]+)=(.*)$') { [Environment]::SetEnvironmentVariable($matches[1], $matches[2]) } }
  ```

- **Access in scripts:**
  ```bash
  # Linux/macOS:
  GITHUB_USERNAME=$(grep GITHUB_USERNAME ./.env | cut -d= -f2)
  GITHUB_PAT=$(grep GITHUB_PAT ./.env | cut -d= -f2)

  # Windows PowerShell:
  # $GITHUB_USERNAME = (Get-Content .\.env | Select-String "GITHUB_USERNAME").Line.Split("=")[1]
  # $GITHUB_PAT = (Get-Content .\.env | Select-String "GITHUB_PAT").Line.Split("=")[1]
  ```

### GitHub API Operations
Use the GitHub CLI (gh) for authenticated operations:
```bash
# Authenticate gh with stored PAT
echo "$GITHUB_PAT" | gh auth login --with-token

# Or use API directly with curl
curl -H "Authorization: token $GITHUB_PAT" https://api.github.com/user/repos
```

### Git Operations with Authentication

⚠️ **SECURITY WARNING**: Embedding credentials in URLs is a security risk. Use SSH keys or git credential helper instead.

**RECOMMENDED: Use SSH Keys**
```bash
# Setup SSH key for GitHub (one-time setup)
ssh-keygen -t ed25519 -C "[email protected]"
cat ~/.ssh/id_ed25519.pub  # Add this to GitHub Settings > SSH Keys

# Clone with SSH (RECOMMENDED)
git clone [email protected]:owner/repo.git

# Add SSH remote
git remote add origin [email protected]:owner/repo.git
```

**ALTERNATIVE: Use Git Credential Helper**
```bash
# Configure git credential helper (stores credentials securely)
git config --global credential.helper store

# First time will prompt for credentials, then stores them securely
git clone https://github.com/owner/repo.git
```

**NOT RECOMMENDED: Credentials in URL** (only for automation/CI)
```bash
# WARNING: Credentials in URLs can leak in logs/history
# Only use in secure, automated environments
git clone https://$GITHUB_USERNAME:[email protected]/owner/repo.git
```

### Common GitHub Operations

1. **Create Repository**
   ```bash
   gh repo create owner/repo --private --description "Description"
   ```

2. **List Repositories**
   ```bash
   gh repo list
   ```

3. **Create Pull Request**
   ```bash
   gh pr create --title "Title" --body "Description"
   ```

4. **Manage Issues**
   ```bash
   gh issue create --title "Issue" --body "Description"
   gh issue list
   ```

5. **Release Management**
   ```bash
   gh release create v1.0.0 --title "Release 1.0.0" --notes "Release notes"
   ```

### Security Best Practices

1. **Never Echo or Display PAT**
   - Never use `echo $GITHUB_PAT` or display the token
   - Use it directly in commands or pipe to stdin
   - Keep .env file permissions restricted (chmod 600)

2. **Use gh CLI When Possible**
   - Prefer `gh` commands over raw API calls
   - gh stores credentials securely
   - Better error handling and user-friendly output

3. **Never Put Credentials in Git URLs**
   - Credentials in URLs can leak in git history, logs, and error messages
   - Use SSH keys or git credential helper instead
   - Only use URL credentials in secure CI/CD environments

4. **Verify .env is Gitignored**
   - Always check .gitignore includes .env
   - Never commit credentials to git
   - Use .env.example for documentation

5. **Rotate Tokens Regularly**
   - GitHub PATs should be rotated periodically
   - Revoke old tokens after rotation
   - Update .env file with new token

### Error Handling

If authentication fails:
1. Verify PAT is valid in .env file
2. Check PAT has required scopes (repo, workflow, etc.)
3. Verify PAT hasn't expired
4. Test with: `gh auth status`

## Examples

### Example 1: Create and Push to New Repo
```bash
# Load credentials (Linux/macOS):
source ./.env

# Load credentials (Windows PowerShell):
# Get-Content .\.env | ForEach-Object { if ($_ -match '^([^=]+)=(.*)$') { [Environment]::SetEnvironmentVariable($matches[1], $matches[2]) } }

# Create private repository
gh repo create yourusername/my-new-repo --private --description "My new project"

# Initialize local repo and push
git init
git add .
git commit -m "Initial commit"
git branch -M main
git remote add origin https://github.com/yourusername/my-new-repo.git
git push -u origin main
```

### Example 2: Clone Private Repo (SSH - RECOMMENDED)
```bash
# Clone with SSH (most secure)
git clone [email protected]:yourusername/private-repo.git
```

### Example 2b: Clone with Credential Helper
```bash
# First time setup (one-time)
git config --global credential.helper store

# Clone - will prompt for credentials first time, then cache
git clone https://github.com/yourusername/private-repo.git
```

### Example 3: API Request
```bash
# Load credentials (Linux/macOS):
source ./.env

# Load credentials (Windows PowerShell):
# Get-Content .\.env | ForEach-Object { if ($_ -match '^([^=]+)=(.*)$') { [Environment]::SetEnvironmentVariable($matches[1], $matches[2]) } }

# List user's repositories (Linux/macOS):
curl -s -H "Authorization: token $GITHUB_PAT" \
  https://api.github.com/user/repos | jq -r '.[].full_name'

# Windows PowerShell:
# $headers = @{ Authorization = "token $env:GITHUB_PAT" }
# (Invoke-RestMethod -Uri "https://api.github.com/user/repos" -Headers $headers).full_name
```

## Notes

- GitHub CLI (gh) is the recommended method for GitHub operations
- The PAT should have appropriate scopes based on operations needed
- Credentials file is protected by .gitignore
- For CI/CD, use GitHub Actions secrets instead of .env file
- Consider using SSH keys for git operations as an alternative to HTTPS with PAT

Overview

This skill securely authenticates with GitHub using stored credentials to enable API operations and authenticated git commands. It centralizes credential handling via a project .env file and recommends secure practices like SSH keys, the gh CLI, and git credential helpers. The goal is safe, repeatable automation for repository management and API calls.

How this skill works

Credentials (GITHUB_USERNAME and GITHUB_PAT) are kept in a project-root .env file and loaded into the environment for scripts and commands. For API work, the skill recommends using the gh CLI or passing the PAT to curl via stdin or authorization headers. For git operations it encourages SSH keys or git credential helpers rather than embedding credentials in URLs.

When to use it

  • Automating GitHub API calls from scripts or tooling that require authentication
  • Creating, listing, or managing repositories, issues, pull requests, and releases
  • Cloning or pushing to private repositories in development or CI where credentials are needed
  • On developer workstations where repeatable, secure access to GitHub is required
  • When onboarding automation that must read a stored PAT and avoid exposing it

Best practices

  • Store credentials in a .env file at the project root and restrict file permissions (chmod 600)
  • Keep .env in .gitignore and provide a .env.example for documentation
  • Prefer gh CLI for authenticated operations and better error handling
  • Use SSH keys for git operations; use git credential helper if HTTPS is required
  • Never echo or print the PAT; pipe it to commands or supply via secure environment variables
  • Rotate personal access tokens regularly and revoke old tokens

Example use cases

  • Load credentials from .env and create a private repository with gh, then push initial commit
  • Authenticate gh using the stored PAT to create pull requests and manage issues programmatically
  • Clone private repos securely via SSH for development or CI agents
  • Run curl API requests against /user/repos using a PAT from the environment to list repositories
  • Configure git credential helper on a workstation to cache HTTPS credentials securely

FAQ

Where should I store the .env file?

Place .env in the project root and ensure it is listed in .gitignore. Use filesystem paths appropriate for your OS (./.env, ~/apps/your_claude_skills/.env, or %USERPROFILE% on Windows).

Is it safe to embed credentials in repository URLs for automation?

No. Embedding credentials in URLs can leak in logs and history. Use SSH keys or secure credential helpers. Only use URL-embedded credentials in tightly controlled CI environments and rotate tokens afterward.