gh-copilot
gh-copilot copied to clipboard
github
[DOCS]: What OAuth scope is required for `gh copilot`?
Describe the need
➜ ~ gh copilot suggest "Receive webhooks locally"
✗ Error: No valid OAuth token detected
I use a local GITHUB_TOKEN environment variable instead of gh's own credential. What OAuth scope is necessary? Ideally I'd add that information to both the README and the error message
Version
gh --version
gh version 2.38.0 (2023-11-01)
https://github.com/cli/cli/releases/tag/v2.38.0
I installed the extension just now
Relevant terminal output
➜ ~ gh extension install github/gh-copilot --force
✓ Installed extension github/gh-copilot
➜ ~ gh copilot suggest "Receive webhooks locally"
✗ Error: No valid OAuth token detected
To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.
➜ ~ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.
➜ ~ gh --version
gh version 2.38.0 (2023-11-01)
https://github.com/cli/cli/releases/tag/v2.38.0
Thanks for creating our first issue, @gr2m! 🎉
➜ ~ gh auth login --web -h github.com The value of the GITHUB_TOKEN environment variable is being used for authentication. To have GitHub CLI store credentials instead, first clear the value from the environment.
Since you're overriding the GITHUB_TOKEN, could you confirm that is a OAuth token (gho_...) or try clearing the environment variable out?
GitHub Copilot in the CLI currently works with OAuth tokens, but we have plans to support PATs in the near term. For now, using a PAT will trigger this error message.
Lastly, there is no new scope for OAuth tokens to work with GitHub Copilot or atleast with GitHub Copilot in the CLI.
Thanks for creating our first issue, @gr2m! 🎉
🫡
Since you're overriding the
GITHUB_TOKEN, could you confirm that is a OAuth token (gho_...) or try clearing the environment variable out?
I think it's a classic personal access token ghp_..., which is an OAuth token under the hood right?
curl -H"Authorization: token $GITHUB_TOKEN" https://api.github.com/user -I
HTTP/2 200
# ...
x-oauth-scopes: notifications, project, repo, workflow, write:org
I think it's a classic personal access token
ghp_..., which is an OAuth token under the hood right?
😬 so we might need to improve the messaging here because you need to authenticate via the OAuth app in the web browser, not using a PAT. 🤔
$ gh auth login
? What account do you want to log into? GitHub.com
? What is your preferred protocol for Git operations? HTTPS
? How would you like to authenticate GitHub CLI? Login with a web browser
! First copy your one-time code: X#X#-X#X#
Press Enter to open github.com in your browser...
Getting this error when trying to use copilot cli in a codespace. The GITHUB_TOKEN is already set so I have to remove it to perform the login again and then it works.
@user ➜ /workspaces/project (main) $ ?? this is a test
✗ Error: No valid OAuth token detected
To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.
@user ➜ /workspaces/project(main) $ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.
Getting this error when trying to use copilot cli in a codespace. The GITHUB_TOKEN is already set so I have to remove it to perform the login again and then it works.
@user ➜ /workspaces/project (main) $ ?? this is a test ✗ Error: No valid OAuth token detected To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser. @user ➜ /workspaces/project(main) $ gh auth login --web -h github.com The value of the GITHUB_TOKEN environment variable is being used for authentication. To have GitHub CLI store credentials instead, first clear the value from the environment.
Thank you for adding to this issue, @gabynevada! This is absolutely a limitation with the current way GitHub Codespaces provides an automatic token when a codespace is created.
As mentioned in "Troubleshooting authentication to a repository", this token is not a standard personal access token (PAT) or a token from authenticating GitHub or OAuth app but a user-to-server token (ghu_...).
Internally, discussions on how to extend Copilot integration support to PATs has been under discussion. I will make sure to bring up this aspect of leveraging with Codespaces ❤
Is there any way currently to obtain a valid OAuth token without opening a web browser? In a headless environment this is quite cumbersome.
Is there any way currently to obtain a valid OAuth token without opening a web browser? In a headless environment this is quite cumbersome.
Yes, kind of, using the device flow: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
I think it's off topic for this question though, best to ask in https://github.com/orgs/community/discussions/categories/api-and-webhooks, feel free to ping me in there
I use 1Password to store my PAT, which has its own plugin for gh.
Just wanted to throw out another use case where OAuth is cumbersome
Hello @andyfeller
My specific question is not about the CLI but it seems very related to the topic and I'm hoping you can assist.
You wrote:
Lastly, there is no new scope for OAuth tokens to work with GitHub Copilot or atleast with GitHub Copilot in the CLI.
Question
Does this mean that the copilot access does not go through any scope?
That it is instead the approval for a specific client_id of the oAuth app which provides the authorization for copilot?
Is there a way to get a custom oAuth app to be able to approve github copilot in the device flow?
- https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
- It seems to have been done for the github copilot Plugin for JetBrains products.
Is there a way to get a custom oAuth app to be able to approve github copilot in the device flow?
@bd82 : No, not currently. 😞
I have hopes given work around improving rate limit handling with the GitHub Copilot platform that this might change in the future. For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.
My team is currently using PATs for installing npm packages from GitHub packages. Having to clear out that token from my environment every time I want to use this plugin isn't practical.
My team is currently using PATs for installing npm packages from GitHub packages. Having to clear out that token from my environment every time I want to use this plugin isn't practical.
@diminutivesloop : Could you share more about how your team is using gh for installing npm packages?
I know some GitHub APIs don't support GitHub or OAuth tokens, which might be why your team needs a PAT working with npm. However the GitHub CLI doesn't have any npm or GitHub packages support, so I assume your team is reusing gh as a generic token storage and integration tool.
@andyfeller We're not using gh directly, but in our projects we have our .npmrc configured as follows to authenticate against https://npm.pkg.github.com/ for private-scoped packages:
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
I use 1Password to store my PAT, which has its own plugin for gh.
Just wanted to throw out another use case where OAuth is cumbersome
Running into the same issue here and want to continue to use my 1password saved PAT as it's too handy to auth with biometrics and not looking to remove this workflow. Hopefully PAT are on the roadmap to become an acceptable solution soon.... Looks like it was mentioned almost a year ago on the roadmap but still not available.
For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.
Maybe I'm wrong, but I feel like this should be mentioned somewhere more central than in the nth reply in a 1-year old issue. It's quite an important thing to know before deciding to use CLI-Copilot, especially since the only solution seems to be "stop using $GITHUB_TOKEN altogether", even though it's supported by the rest of GitHub CLI and it's essentially the one of the two available ways recommended for authentication.
Not trying to be a Negative Nancy, it's just weird that such a limiting factor isn't mentioned anywhere else in the repo that would be more visible. Besides the the main README, there's multiple spots in the GitHub Copilot in the CLI documentation where this could be mentioned.
For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.
Maybe I'm wrong, but I feel like this should be mentioned somewhere more central than in the nth reply in a 1-year old issue. It's quite an important thing to know before deciding to use CLI-Copilot, especially since the only solution seems to be "stop using
$GITHUB_TOKENaltogether", even though it's supported by the rest of GitHub CLI and it's essentially the one of the two available ways recommended for authentication.
@jtabox : What would you recommend beyond the following in the quickstart doc section of the repo docs?
https://github.com/github/gh-copilot/blob/ce71f26804ef9ae706068e935f6e4558a2ff98b0/README.md?plain=1#L16-L19
For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.
Maybe I'm wrong, but I feel like this should be mentioned somewhere more central than in the nth reply in a 1-year old issue. It's quite an important thing to know before deciding to use CLI-Copilot, especially since the only solution seems to be "stop using
$GITHUB_TOKENaltogether", even though it's supported by the rest of GitHub CLI and it's essentially the one of the two available ways recommended for authentication.@jtabox : What would you recommend beyond the following in the quickstart doc section of the repo docs?
https://github.com/github/gh-copilot/blob/ce71f26804ef9ae706068e935f6e4558a2ff98b0/README.md?plain=1#L16-L19
I can think of 3 possible places:
- Maybe a sentence in the note above the snippet you linked, e.g.:
[!NOTE] To use and install GitHub Copilot in the CLI, you must have an active GitHub Copilot subscription and have GitHub CLI installed. Also please note that GitHub Copilot in the CLI is currently available only if you use OAuth to authenticate in GitHub CLI and not the
GITHUB_TOKENenvironment variable.
- Potentially in the GitHub CLI manual's landing page, in Configuration:
Configuration
Run gh auth login to authenticate with your GitHub account. Alternatively, gh will respect the
GITHUB_TOKENenvironment variable, but this way of authentication will currently prevent you from using GitHub Copilot in the CLI.
- And finally maybe somewhere in the Copilot's Troubleshooting page:
Error: "No valid OAuth token detected" even though GitHub CLI is correctly authenticated via the
GITHUB_TOKENenvironment variableCurrently, using the
GITHUB_TOKENenvironment variable to authenticate in GitHub CLI will prevent you from using GitHub Copilot in the CLI, as it requires authentication via OAuth. Remove the GITHUB_TOKEN environment variable and use gh auth login to authenticate in GitHub CLI. For more details read here.
At least those were the places I looked in when trying to figure out why I got the error message :D
Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI.
I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍
Happy to contribute :)
Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI.
I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍
Happy to contribute :)
Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI. I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍
Sadly, these are changes on internal repos, but I appreciate your support 🙇
Happy to contribute :)
Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI. I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍
Sadly, these are changes on internal repos, but I appreciate your support 🙇
Yepp, I was a bit unclear in my reply I think. With "contribution" I meant my previous comment itself, with the suggestions. So "Happy to contribute" meant "Happy to have helped", not "I can open a PR with my suggestions if you'd like." 😄 But anyway, won't spam this thread any further 😄 For now I've switched to OAuth for gh and Copilot works fine, hopefully at some point it becomes available with GITHUB_TOKEN too.
it becomes available with
GITHUB_TOKENtoo.
@jtabox : Just to be clear, are you saying
GITHUB_TOKENenvironment variable doesn't work if you provide it with your GitHub CLI OAuth token at all- neither classic or fine-grain PATs are supported
I think you're saying the latter as below demonstrates that GITHUB_TOKEN environment variable should work if it is set to your GitHub CLI OAuth app token:
$ GITHUB_TOKEN=$(gh auth token --hostname github.com) gh copilot explain 'echo "hello world"'
Welcome to GitHub Copilot in the CLI!
version 1.0.5 (2024-09-12)
I'm powered by AI, so surprises and mistakes are possible. Make sure to verify any generated code or suggestions, and share feedback so that we can learn and improve. For more information, see https://gh.io/gh-copilot-transparency
Explanation:
• echo is used to print text to the terminal.
• "hello world" is the text that will be printed.
```
I'm not sure I understood your question correctly, so my reply might be completely irrelevant, in which case I apologize 😅
My GITHUB_TOKEN variable in Windows contains indeed a classic PAT (I think it's the same situation as many people in this thread, incl. the initial post). I've been using it in various programs that want my GitHub account's "API key".
When I first installed gh, seeing that the instructions mention that gh will use GITHUB_TOKEN if available for authentication, I just kept using the existing GITHUB_TOKEN, which indeed worked fine.
C:\gh auth status
github.com
✓ Logged in to github.com account jtabox (GITHUB_TOKEN)
- Token: ghp_************************************
But then when I tried to run Copilot I'd get an error.
C:\gh copilot explain "format C:"
✗ Error: No valid GitHub CLI OAuth token detected
To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.
I ran the suggested gh auth login --web ... command and the authentication process succeeded (though not sure how it would go if only the terminal was available). But going back to the command prompt and trying to run Copilot still gave the exact same error as above and suggested the same command, which is a loop I tried 2-3 times before I started suspecting it wouldn't work.
There wasn't any information anywhere that as long as I have a PAT as the GITHUB_TOKEN's value (which had worked fine for gh so far), Copilot won't run, and that I needed to change authentication method altogether and either replace the value of GITHUB_TOKEN with an OAuth token, or completely remove it as environment variable.
If I understood correctly, what you're suggesting is the first alternative? I.e. to swap to OAuth and then change GITHUB_TOKEN's value from a ghp_... token to an OAuth gho_... token every time I want to run Copilot? Since it can't be a permanent change, otherwise other programs that use it won't work. It's a solution, at least for Linux systems, since Windows will require a mini script for setting the variable before each run.
Thanks for clarifying, @jtabox! 👍 For clarity, I'm definitely not suggesting that people managing OAuth tokens in the environment variables; simply that it isn't a problem with environment variables as a mechanism but the nature of the token.
Good news: with the repository readme updated and GitHub Docs change being processed, I feel this issue can long be closed.
@andyfeller - I'm unclear on the solution. I too need the GITHUB_TOKEN present in the environment to access Github repository packages via npm/yarn.
So, I did the following:
unset GITHUB_TOKEN
gh auth login --web -h github.com
gh auth status ✘ 2
github.com
✓ Logged in to github.com account rosskevin (keyring)
- Active account: true
- Git operations protocol: https
- Token: gho_************************************
- Token scopes: 'gist', 'read:org', 'repo', 'workflow'
but when opening a new terminal, back to the same error:
✗ Error: No valid GitHub CLI OAuth token detected
So I need to unset GITHUB_TOKEN for every new terminal where I want to use authenticated gh? Or is there a better solution?
Maybe this needs to be new issue, but gh copilot really should support auth via PAT.
Maybe this needs to be new issue, but
gh copilotreally should support auth via PAT.
Yes, a separate issue for that would be ideal.
That said, please trust when I say it's a topic I've been raising internally since initial extension development. There are some broader Copilot ecosystem architecture discussions involved.
I've been trying to figure out how to use GH CLI and Copilot extension with PAT. Eventually I stumbled up this issue and the https://github.com/github/gh-copilot/issues/98 which seems to be «a separate issue for that would be ideal». @andyfeller Is that issue something you mean or there's a need to create something separate (in this case please briefly outline what info should be put on it)? Thanks.
