From 3695bda6379a1444781110acefe1e0b1306eace3 Mon Sep 17 00:00:00 2001 From: William Martin Date: Mon, 6 Jan 2025 16:30:48 +0100 Subject: [PATCH 1/2] Clear up --with-token fine grained PAT usage --- pkg/cmd/auth/login/login.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/cmd/auth/login/login.go b/pkg/cmd/auth/login/login.go index ca165a22f..c8011e597 100644 --- a/pkg/cmd/auth/login/login.go +++ b/pkg/cmd/auth/login/login.go @@ -69,9 +69,10 @@ func NewCmdLogin(f *cmdutil.Factory, runF func(*LoginOptions) error) *cobra.Comm stored location. Alternatively, use %[1]s--with-token%[1]s to pass in a personal access token (classic) on standard input. - The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. - - Fine-grained personal access tokens are not supported. + The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. Although + it is possible to pass a fine-grained personal access token to %[1]s--with-token%[1]s, it should be done with + care, as the inherent scoping to certain resources may cause confusing behaviour when interacting with other + resources. Favour setting %[1]sGH_TOKEN$%[1]s for fine-grained personal access token usage. Alternatively, gh will use the authentication token found in environment variables. This method is most suitable for "headless" use of gh such as in automation. See From e7d49fb78c371ba5df66407dbfa9f3aec6e61ea6 Mon Sep 17 00:00:00 2001 From: William Martin Date: Mon, 6 Jan 2025 17:21:02 +0100 Subject: [PATCH 2/2] Update pkg/cmd/auth/login/login.go Co-authored-by: Andy Feller --- pkg/cmd/auth/login/login.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/cmd/auth/login/login.go b/pkg/cmd/auth/login/login.go index c8011e597..347fcdb6a 100644 --- a/pkg/cmd/auth/login/login.go +++ b/pkg/cmd/auth/login/login.go @@ -69,9 +69,9 @@ func NewCmdLogin(f *cmdutil.Factory, runF func(*LoginOptions) error) *cobra.Comm stored location. Alternatively, use %[1]s--with-token%[1]s to pass in a personal access token (classic) on standard input. - The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. Although - it is possible to pass a fine-grained personal access token to %[1]s--with-token%[1]s, it should be done with - care, as the inherent scoping to certain resources may cause confusing behaviour when interacting with other + The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. + Take care when passing a fine-grained personal access token to %[1]s--with-token%[1]s + as the inherent scoping to certain resources may cause confusing behaviour when interacting with other resources. Favour setting %[1]sGH_TOKEN$%[1]s for fine-grained personal access token usage. Alternatively, gh will use the authentication token found in environment variables.