shithub Public

Watch 1 Fork 0 Star 0

markdown · 2749 bytes Raw Blame History

Cloning over HTTPS with a PAT

For git over HTTPS, you authenticate with a personal access token (PAT), not your account password. This matches GitHub's behavior since 2021 and reflects the same security thinking: account passwords are more sensitive than scoped, revocable tokens.

1. Create a PAT

Settings → Developer settings → Personal access tokens → "New token".

Note — name the token after where you'll use it ("laptop", "ci-runner-1"). Future-you will thank present-you.
Expiration — pick the shortest interval that's tolerable. Tokens you forget about are tokens an attacker eventually finds.
Scopes — for git push/pull from a workstation, pick repo (read+write). For read-only mirroring, repo:read is enough.

When you submit, the token is shown once. Copy it immediately into your password manager — we never display it again.

2. Clone

git clone https://shithub.sh/<owner>/<repo>.git

When git asks for credentials:

Username: your shithub username.
Password: the PAT.

3. Cache credentials

Typing the PAT every push gets old. Use a credential helper:

macOS: git config --global credential.helper osxkeychain
Windows: git config --global credential.helper manager
Linux (GNOME): git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/...
Anywhere, in a pinch: git config --global credential.helper cache (in-memory, default 15-minute TTL).

The helper stores (url, username, password); the next push to the same host reuses it.

4. Use a CI runner

In CI, set the username/password as secrets and inject them via the URL or ~/.netrc. Use a token with the narrowest scope the job needs and a short expiration.

git clone https://x-access-token:${SHITHUB_PAT}@shithub.sh/owner/repo.git

Because the token is in the URL, make sure your CI doesn't echo the URL into logs.

When pushes fail

Symptom	Likely cause
`403 Forbidden` on push	Token lacks `repo` write scope.
`401 Unauthorized` immediately	Wrong username, expired token, or the token was revoked.
`protected branch hook declined`	Branch protection requires PR + reviews — push to a feature branch instead.
`pre-receive hook declined: repo over quota`	Repo size cap hit; see your operator.
`error: failed to push some refs … updates were rejected`	Standard git non-fast-forward — pull/rebase first.

View source

  
        1
        # Cloning over HTTPS with a PAT
      
        2
        
        3
        For git over HTTPS, you authenticate with a **personal access
      
        4
        token** (PAT), not your account password. This matches GitHub's
      
        5
        behavior since 2021 and reflects the same security thinking:
      
        6
        account passwords are more sensitive than scoped, revocable
      
        7
        tokens.
      
        8
        
        9
        ## 1. Create a PAT
      
        10
        
        11
        Settings → Developer settings → Personal access tokens → "New
      
        12
        token".
      
        13
        
        14
        - **Note** — name the token after where you'll use it ("laptop",
      
        15
          "ci-runner-1"). Future-you will thank present-you.
      
        16
        - **Expiration** — pick the shortest interval that's tolerable.
      
        17
          Tokens you forget about are tokens an attacker eventually finds.
      
        18
        - **Scopes** — for git push/pull from a workstation, pick `repo`
      
        19
          (read+write). For read-only mirroring, `repo:read` is enough.
      
        20
        
        21
        When you submit, the token is shown **once**. Copy it immediately
      
        22
        into your password manager — we never display it again.
      
        23
        
        24
        ## 2. Clone
      
        25
        
        26
        ```sh
      
        27
        git clone https://shithub.sh/<owner>/<repo>.git
      
        28
        ```
      
        29
        
        30
        When git asks for credentials:
      
        31
        
        32
        - **Username:** your shithub username.
      
        33
        - **Password:** the PAT.
      
        34
        
        35
        ## 3. Cache credentials
      
        36
        
        37
        Typing the PAT every push gets old. Use a credential helper:
      
        38
        
        39
        - **macOS:** `git config --global credential.helper osxkeychain`
      
        40
        - **Windows:** `git config --global credential.helper manager`
      
        41
        - **Linux (GNOME):** `git config --global credential.helper
      
        42
          /usr/share/doc/git/contrib/credential/libsecret/...`
      
        43
        - **Anywhere, in a pinch:** `git config --global credential.helper
      
        44
          cache` (in-memory, default 15-minute TTL).
      
        45
        
        46
        The helper stores `(url, username, password)`; the next push to
      
        47
        the same host reuses it.
      
        48
        
        49
        ## 4. Use a CI runner
      
        50
        
        51
        In CI, set the username/password as secrets and inject them via
      
        52
        the URL or `~/.netrc`. Use a token with the narrowest scope the
      
        53
        job needs and a short expiration.
      
        54
        
        55
        ```sh
      
        56
        git clone https://x-access-token:${SHITHUB_PAT}@shithub.sh/owner/repo.git
      
        57
        ```
      
        58
        
        59
        Because the token is in the URL, make sure your CI doesn't echo
      
        60
        the URL into logs.
      
        61
        
        62
        ## When pushes fail
      
        63
        
        64
        | Symptom                                              | Likely cause                              |
      
        65
        |------------------------------------------------------|-------------------------------------------|
      
        66
        | `403 Forbidden` on push                              | Token lacks `repo` write scope.           |
      
        67
        | `401 Unauthorized` immediately                       | Wrong username, expired token, or the token was revoked. |
      
        68
        | `protected branch hook declined`                     | Branch protection requires PR + reviews — push to a feature branch instead. |
      
        69
        | `pre-receive hook declined: repo over quota`        | Repo size cap hit; see your operator.     |
      
        70
        | `error: failed to push some refs … updates were rejected` | Standard git non-fast-forward — pull/rebase first. |

1	# Cloning over HTTPS with a PAT
2
3	For git over HTTPS, you authenticate with a **personal access
4	token** (PAT), not your account password. This matches GitHub's
5	behavior since 2021 and reflects the same security thinking:
6	account passwords are more sensitive than scoped, revocable
7	tokens.
8
9	## 1. Create a PAT
10
11	Settings → Developer settings → Personal access tokens → "New
12	token".
13
14	- Note — name the token after where you'll use it ("laptop",
15	"ci-runner-1"). Future-you will thank present-you.
16	- Expiration — pick the shortest interval that's tolerable.
17	Tokens you forget about are tokens an attacker eventually finds.
18	- Scopes — for git push/pull from a workstation, pick `repo`
19	(read+write). For read-only mirroring, `repo:read` is enough.
20
21	When you submit, the token is shown once. Copy it immediately
22	into your password manager — we never display it again.
23
24	## 2. Clone
25
26	```sh
27	git clone https://shithub.sh/<owner>/<repo>.git
28	```
29
30	When git asks for credentials:
31
32	- Username: your shithub username.
33	- Password: the PAT.
34
35	## 3. Cache credentials
36
37	Typing the PAT every push gets old. Use a credential helper:
38
39	- macOS: `git config --global credential.helper osxkeychain`
40	- Windows: `git config --global credential.helper manager`
41	- Linux (GNOME): `git config --global credential.helper
42	/usr/share/doc/git/contrib/credential/libsecret/...`
43	- Anywhere, in a pinch: `git config --global credential.helper
44	cache` (in-memory, default 15-minute TTL).
45
46	The helper stores `(url, username, password)`; the next push to
47	the same host reuses it.
48
49	## 4. Use a CI runner
50
51	In CI, set the username/password as secrets and inject them via
52	the URL or `~/.netrc`. Use a token with the narrowest scope the
53	job needs and a short expiration.
54
55	```sh
56	git clone https://x-access-token:${SHITHUB_PAT}@shithub.sh/owner/repo.git
57	```
58
59	Because the token is in the URL, make sure your CI doesn't echo
60	the URL into logs.
61
62	## When pushes fail
63
64	\| Symptom \| Likely cause \|
65	\|------------------------------------------------------\|-------------------------------------------\|
66	\| `403 Forbidden` on push \| Token lacks `repo` write scope. \|
67	\| `401 Unauthorized` immediately \| Wrong username, expired token, or the token was revoked. \|
68	\| `protected branch hook declined` \| Branch protection requires PR + reviews — push to a feature branch instead. \|
69	\| `pre-receive hook declined: repo over quota` \| Repo size cap hit; see your operator. \|
70	\| `error: failed to push some refs … updates were rejected` \| Standard git non-fast-forward — pull/rebase first. \|