fix(install.sh): auto-run 'gh auth setup-git' so gist ops stop prompting#199
fix(install.sh): auto-run 'gh auth setup-git' so gist ops stop prompting#199
Conversation
Joel hit this on 2026-04-28 -- Windows install with gh authenticated in keyring (gh auth status: Logged in to github.com), but every git operation against gist.github.com triggered a GUI password popup. Repeating, every airc op that touched a gist fired a fresh prompt. Cause: gh auth login stores its token in keyring/credman, but does NOT automatically register itself as git's credential helper. So git itself doesn't know how to use gh's token -- it falls back to asking the user for a password on every HTTPS push/fetch. The official one-liner is `gh auth setup-git`, which registers `gh auth git-credential` as the credential helper for github.com URLs in ~/.gitconfig. After this, git sees an HTTPS github.com URL, delegates auth to gh, gh hands back the token from its store, no prompt. Microsoft-supported, idempotent, ships with gh CLI itself. This goes in ensure_prereqs right after the gh-auth-status check, so fresh installs get it automatically. Skipped if already configured (idempotency check via `git config --get-all credential.https://github.com.helper | grep gh`).
There was a problem hiding this comment.
Pull request overview
This PR updates the installer’s prerequisite flow to automatically register GitHub CLI authentication as Git’s HTTPS credential helper, aiming to prevent repeated password prompts during gist-backed git operations that airc relies on.
Changes:
- When
ghis installed and authenticated, rungh auth setup-gitto wire the token into git credential helper config. - Add an idempotency guard to avoid re-running setup on every install.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if gh auth setup-git 2>/dev/null; then | ||
| info " gh token wired into git credential helper (no more password popups for gist ops)" |
There was a problem hiding this comment.
gh auth setup-git failures are completely silenced (2>/dev/null) and there’s no warning path, so the installer can leave users in the original “password popup” state without any clue why. Suggest capturing stderr (or at least emitting a warn on non-zero) with a hint to run gh auth setup-git manually.
| if gh auth setup-git 2>/dev/null; then | |
| info " gh token wired into git credential helper (no more password popups for gist ops)" | |
| setup_git_output="$(gh auth setup-git 2>&1)" || setup_git_status=$? | |
| if [ "${setup_git_status:-0}" -eq 0 ]; then | |
| info " gh token wired into git credential helper (no more password popups for gist ops)" | |
| else | |
| warn "Couldn't wire gh into git's credential helper automatically." | |
| if [ -n "$setup_git_output" ]; then | |
| warn "gh auth setup-git output: $setup_git_output" | |
| fi | |
| warn "Run manually to avoid GitHub password prompts for gist ops:" | |
| warn " gh auth setup-git" |
| # Joel hit this on 2026-04-28 — Windows install where gh was | ||
| # auth'd-in-keyring but git itself didn't know. Resulted in a | ||
| # GUI password popup every airc operation that touched a gist. | ||
| if ! git config --global --get-all credential.https://github.com.helper 2>/dev/null | grep -q 'gh auth git-credential'; then |
There was a problem hiding this comment.
The idempotency guard only checks credential.https://github.com.helper, but airc also does raw git clone https://gist.github.com/<id>.git (e.g. airc:1998), which uses the gist.github.com host-specific credential key. If a user already has a helper configured for github.com but not for gist.github.com, this guard will skip gh auth setup-git and gist HTTPS ops may still prompt. Consider checking both credential.https://github.com.helper and credential.https://gist.github.com.helper for gh auth git-credential, or drop the guard and rely on gh auth setup-git’s own idempotency.
| if ! git config --global --get-all credential.https://github.com.helper 2>/dev/null | grep -q 'gh auth git-credential'; then | |
| # Check both github.com and gist.github.com host-specific helpers: | |
| # airc uses gist HTTPS URLs directly, and Git may consult the | |
| # gist.github.com-scoped credential key separately from github.com. | |
| if ! git config --global --get-all credential.https://github.com.helper 2>/dev/null | grep -q 'gh auth git-credential' || \ | |
| ! git config --global --get-all credential.https://gist.github.com.helper 2>/dev/null | grep -q 'gh auth git-credential'; then |
Summary
gh auth setup-gitto install.sh'sensure_prereqsflow when gh is authenticatedWhy this matters
gh auth loginputs the token in keyring/credman. But it does NOT register itself as git's credential helper unless the user explicitly runsgh auth setup-git. Most users don't know to do that. So gh CLI works (token-based, direct), but raw git HTTPS doesn't (it doesn't query keyring; falls back to GUI prompt).airc's substrate is gist.github.com — the monitor self-heal flow, gist-discovery, room-create, etc. all do git pushes against gist. Without this, every install hits a popup loop.
gh auth setup-gitis the official Microsoft-supported one-liner. Idempotent (no-op if already configured). I added an idempotency guard withgit config --get-all credential.https://github.com.helper | grep gh-credentialso we don't churn the gitconfig on every install.Test plan
git clone https://github.com/CambrianTech/airc.gitdoesn't prompt🤖 Generated with Claude Code