Disable auth check for gh extension install#13176
Conversation
Allow installing extensions without being authenticated. The install command can work with public repositories and local directories without requiring a login, so the auth gate is unnecessary. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Removes the root-level authentication gate for gh extension install so extensions can be installed without being logged in (e.g., enabling unauthenticated installs when GITHUB_TOKEN is unset to avoid SAML-scoped token 403s).
Changes:
- Disables the global auth check for the
extension installsubcommand viacmdutil.DisableAuthCheck(cmd).
Show a summary per file
| File | Description |
|---|---|
| pkg/cmd/extension/command.go | Marks gh extension install to skip the root PersistentPreRunE auth requirement. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
| cmd.Flags().BoolVar(&forceFlag, "force", false, "Force upgrade extension, or ignore if latest already installed") | ||
| cmd.Flags().StringVar(&pinFlag, "pin", "", "Pin extension to a release tag or commit ref") | ||
| cmdutil.DisableAuthCheck(cmd) |
There was a problem hiding this comment.
This change alters root-level auth gating behavior for gh extension install, but there isn't a test that exercises the root PersistentPreRunE path to ensure the command runs when unauthenticated (no hosts and no env token). Consider adding a regression test (likely under pkg/cmd/root) that executes gh extension install … with a blank config and asserts it does not fail with AuthError / auth help output.
williammartin
left a comment
There was a problem hiding this comment.
Just copying something I wrote internally to here:
For me it's never been just as obvious as "is going to happen unauthenticated whether we make it easier or not". The core problem has always been that unauthenticated requests are limited to 60 req/hr per IP, and by supporting an easy path for extension installation like this we risk people rate limiting others.
In practice I have to imagine there are lots of people out there doing unauthenticated requests to the API via curl in Codespaces or Actions so like...maybe it's not a real issue. We've faffed around on this question for so long and it causes so much friction in some cases that we should just do it and see whether that ever actually becomes a real problem. Thanks for taking the initiative.
Remove the authentication gate for
gh extension install, allowing users to install extensions without being logged in.Motivation
The global auth check blocks
gh extension installfrom running at all when a user isn't authenticated. This is unnecessarily restrictive since installing extensions from public repositories or local directories doesn't inherently require authentication.This is especially painful in Codespaces environments where SAML-scoped tokens trigger 403 errors when installing public extensions (#6675). Users currently have to
unset GITHUB_TOKENas a workaround.Why this is OK
Look at what
gh awneeds to do today to make extension installation reliable: https://github.com/github/gh-aw/blob/main/install-gh-aw.shWhat this says is that extension installation is going to happen unauthenticated whether we make it easier or not. We might as well make it easier and keep people installing through our core commands.
Related: #2680 (allow certain requests to be unauthenticated).
What this changes
Adds
cmdutil.DisableAuthCheckto theextension installsubcommand, bypassing the pre-execution login gate. This does not make unauthenticated API requests all the time. If a token is available it will still be used. It simply removes the requirement to be logged in before the command can run.