Post

Automatic Authentication for Pulling Private Git Repositories

How to automatically authentice to git, using a Personal Access Token.

Published Updated
Preview Image
By Jason Raveling
2 min read
Automatic Authentication for Pulling Private Git Repositories

Configuring a Personal Access Token (PAT) will allow you to automatically authenticate when pulling or pushing a git repository (repo). The example below shows a common use of a git repo referred to in a package.json. When installing packages listed in a package.json (e.g. with npm install) you are not prompted to log in. Using a PAT will allow npm to authenticate and pull that repo. It is important to note, this git configuration will work any time you use git.

When you need to install a package directly from a private git repo, your package.json may have a few lines like this.

1
2
3

"devDependencies": {
    "pro-thunderball-stat-monitor": "git+https://7cc4fake0tokena9c193fd7e0dce@github.com/salbarley/pro-thunderbal-stat-monitor",
}

That package.json will likely end up in a repo. For security reasons, you should not publish a Personal Access Token (PAT) in a repo. A good alternative is to configure your local machine to to automatically authenticate for you. You can do this using a PAT.

Generate a Personal Access Token (PAT)

Follow the steps below to create a PAT with read-only access.

This section is specific to GitHub. If you are using a different implementation of git, find out how to get a PAT and continue on to the next section.

  1. Log in to GitHub.
  2. At the top right corner, use your profile picture to navigate to Settings.
  3. In the sidebar, navigate to Developer Settings.
  4. Select Personal access tokens.
  5. Select Fine-grained tokens.
  6. Use the Generate new token button.
  7. Give the token a name and description.
  8. Optional. If you want to access repos in an organization, change Resource owner to that organization.
  9. Set your desired Expiration.
  10. Under Repository access select All repositories.
  11. Use the Add permissions dropdown and check Contents.
  12. Use the Generate token button.
  13. Follow any additional prompts. Important: Copy and paste your PAT to a file and save it on your local machine. It is only displayed one time.

An admin will probably need to approve your PAT for you to access the organization.

Configure git to use the PAT

Use the following command to configure your local machine to use the PAT. Replace <YOUR_TOKEN> with your token. Replace SomeOrg with your organization. You could also replace SomeOrg with your username so your token is only used when accessing your own private repos.

1

git config --global url."https://<YOUR_TOKEN>@github.com/SomeOrg".insteadOf "https://github.com/SomeOrg"

Remove the token (e.g. 7cc4fake0tokena9c193fd7e0dce@) and @ from your package.json. It should look something like below.

1
2
3

"devDependencies": {
    "pro-thunderball-stat-monitor": "git+https://github.com/salbarley/pro-thunderbal-stat-monitor",
}

From now on, whenever git tries to pull a repo from https://github.com/SomeOrg it will automatically use your PAT to authenticate. So next time you run npm install your PAT will automatically be injected whenever there is a repo at https://github.com/SomeOrg. Also if you open up the command line and run git pull https://github.com/SomeOrg/your-private-repo, it will automatically authenticate!

Tools
git security walkthrough work environment
This work by Jason Raveling is licensed under CC BY-ND 4.0 .