Skip to content
Latchkey

How to Configure Git to Use a Token for HTTPS in CI

Set an http.extraheader with a base64 token so git authenticates over HTTPS without the token appearing in the remote URL.

Embedding a token in the remote URL leaks it into logs and .git/config. Instead, set an http.extraheader Authorization value for github.com. actions/checkout does this for you when given a token.

Steps

  • Base64-encode x-access-token:<token>.
  • Set http.https://github.com/.extraheader to Authorization: Basic <b64>.
  • Run git operations as normal.

Workflow

.github/workflows/ci.yml
steps:
  - uses: actions/create-github-app-token@v1
    id: app-token
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
  - run: |
      AUTH=$(printf 'x-access-token:%s' "${{ steps.app-token.outputs.token }}" | base64 -w0)
      git config --global http.https://github.com/.extraheader "Authorization: Basic $AUTH"
      git clone https://github.com/my-org/shared-libs.git

Gotchas

  • The header keeps the token out of remote URLs and .git/config history.
  • Prefer letting actions/checkout set this via its token: input when possible.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →