Authenticate git with gh over HTTPS
gh auth login does more than GitHub API access; it also configures git's credential helper.
From then on, HTTPS remotes authenticate as whichever account is active in gh.
Behind the scenes, gh registers itself as the credential helper:
When git needs credentials, it calls gh auth git-credential, which reads the stored token.
Token storage depends on the platform:
- macOS:
osxkeychain, the Keychain Access app - Linux:
~/.config/gh/hosts.yml(encrypted with a key frompass,gpg, or plain file)
gh auth status confirms which account is active:
No SSH keys needed, no ~/.ssh/config. Every push authenticates as the
active gh account.
In GitHub Actions, GITHUB_TOKEN is available automatically via OIDC. When $GITHUB_TOKEN
is set, gh auth git-credential uses it instead of a stored token; no gh auth login
needed in CI. This is the same token that actions/checkout uses for HTTPS clones.
Pip and uv support git+https:// dependencies. There are two ways to authenticate them:
Token-in-URL works everywhere but risks leaking into lock files; older versions of uv and
pip-compile could bake the token into requirements.txt. With gh auth git-credential,
the URL stays concise and the credential helper handles auth transparently; git, pip,
and uv all use it. This requires gh installed in CI.