How to Configure Git to Use a Token for HTTPS in CI
Set an http.extraheader with a base64 token so git authenticates over HTTPS without the token appearing in the remote URL.
Embedding a token in the remote URL leaks it into logs and .git/config. Instead, set an http.extraheader Authorization value for github.com. actions/checkout does this for you when given a token.
Steps
- Base64-encode
x-access-token:<token>. - Set
http.https://github.com/.extraheadertoAuthorization: Basic <b64>. - Run git operations as normal.
Workflow
.github/workflows/ci.yml
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- run: |
AUTH=$(printf 'x-access-token:%s' "${{ steps.app-token.outputs.token }}" | base64 -w0)
git config --global http.https://github.com/.extraheader "Authorization: Basic $AUTH"
git clone https://github.com/my-org/shared-libs.gitGotchas
- The header keeps the token out of remote URLs and
.git/confighistory. - Prefer letting
actions/checkoutset this via itstoken:input when possible.
Related guides
How to Authenticate the gh CLI With a Token in CIAuthenticate the GitHub CLI in CI by exporting GH_TOKEN, so gh commands run under a GitHub App installation t…
How to Keep GitHub Tokens Out of CI LogsPrevent a GitHub App token or PAT from leaking into GitHub Actions logs by relying on automatic masking, usin…