Authenticate GitHub CLI

Dear Support!

I have my self-hosted Drone on my VPS and I’m working with my private repo on GitHub. My step commands are running in my own Docker image.

With clone disabled in my .drone.yml I can use git clone and the authentication to my private repo happens automatically, no problem here.

Now I also want to use the GitHub CLI and I’m wondering how to authenticate it. AFAIK the suggested solution is to add my token (PAT) as a new secret to Drone, set it into an environment variable like this:

    GITHUB_TOKEN:
      from_secret: github_token

…and then:

    echo "$GITHUB_TOKEN" | gh auth login --with-token

So my question is: can I somehow use/access the “default” token that is used by the git commands, to avoid storing a new secret in Drone? Or in other words: what is the best practice to auth GitHub CLI? Thank you!

From the Authentication docs:

If your repository is private or requires authentication to clone, Drone injects the credentials into your pipeline environment. Drone uses the oauth2 token associated with the repository owner as the clone credentials.

So the proper question is, how to use this “injected” auth info with gh auth? Is it possible at all?

I’ve just figured out that Drone injects a ~/.netrc file into my step container, containing the credentials I was looking for. Ugly, but it seems to be working:

    - awk '/{getline; print $4}' ~/.netrc | gh auth login --with-token
    - gh auth status

I’ve also found this old issue asking gh to support .netrc, but it seems it won’t be added:

We don’t yet respect the netrc file, but we appreciate the suggestion!

The netrc file is considered an internal implementation detail and could change in future releases, so just something to keep in mind going forward.

Thank you for the warning! I don’t want to risk any surprise after an upgrade, so I ended up adding a new organization secret (a new git token with minimal rights) to my Drone and using that instead.
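
The two approaches from this thread combined, as an added example that is not part of the original posts and is not Drone's or gh's own code: a step helper that prefers a dedicated token secret and only falls back to the injected netrc, failing closed if the netrc no longer has the expected entry. The function names and the `NETRC_FILE` override are assumptions of this example; it relies on gh reading `GH_TOKEN` / `GITHUB_TOKEN` from the environment by itself.

```shell
#!/bin/sh
# Added example: authenticate gh inside a Drone step without guessing at the
# netrc layout. NETRC_FILE and all function names are hypothetical.

# Print the password stored for machine $1 in netrc file $2.
# Splits the file into one token per line, so single-line and multi-line
# entries are both handled. Returns non-zero if nothing matches.
netrc_password() {
    [ -r "$2" ] || return 1
    tr -s '[:space:]' '\n' < "$2" | awk -v host="$1" '
        prev == "machine"             { in_host = ($0 == host) }
        prev == "password" && in_host { print; found = 1; exit }
        { prev = $0 }
        END { exit !found }'
}

# Report where a token would come from: "env" (dedicated secret exposed as
# GH_TOKEN or GITHUB_TOKEN) or "netrc" (clone credentials). Fails if neither.
gh_token_source() {
    if [ -n "${GH_TOKEN:-}${GITHUB_TOKEN:-}" ]; then
        echo env
        return 0
    fi
    netrc_password github.com "${NETRC_FILE:-$HOME/.netrc}" >/dev/null &&
        echo netrc
}

# Make gh usable, then show which account and scopes it ended up with.
gh_login() {
    case "$(gh_token_source)" in
        env)   ;;  # gh reads the variable directly; no login step needed
        netrc) netrc_password github.com "${NETRC_FILE:-$HOME/.netrc}" |
                   gh auth login --with-token ;;
        *)     echo "no GitHub token found; add a token secret" >&2
               return 1 ;;
    esac
    gh auth status
}
```

The token is only ever passed through a pipe or the environment, never as a command-line argument, so it does not show up in the step's process list.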