github-clone GitHub accessλ︎
github-clone is Deprecated
Space g c now calls magit-clone which is a far more secure approach than previously provided by github-clone.
github-clone was removed as part of the deprecation of the github layer. Only the
git layer is now recommended.
The content below is kept for posterity and will be moved to the reference section.
Space g c can clone a remote repository from GitHub / GitLab.
Using an SSH URL and an SSH key, then no further configuration is required.
Using an HTTPS URL required the configuration of a developer token.
Use Magit as a GitHub Client
Magit and Magit Forge provides the majority of github-clojure features, except for searching GitHub for a repository. Magit Forge can use an
.authinfo.gpg which provides a high degree of security.
Configure developer tokenλ︎
Developer tokens should have limited life-span
Saving a developer token to the file space, especially in a file that could be included in version control and pushed to a remote server is a security issue.
Using GitHub CLI can minimise the risk by recycling the tokens. Or create tokens with a very short life-span via the GitHub / GitLab website.
The github-clone package in the Spacemacs GitHub layer requires a personal access token in
~/.gitconfig to access GitHub. As
~/.gitconfig is plain text, adding a token is a potential security risk.
If an access token is shared, it should be immediately deleted from your GitHub account. Personal access tokens do not provide access to a users GitHub account, so are less of a risk than using a password.
Add your GitHub account name to the Git configuration
Add the personal access token to Git configuration (using your own token)
Move token to config-privateλ︎
To help mistakenly committing the token to a shared repository, move the
[github] section from the Git Configuration file to a file called
[include] section in the Git configuration file to include the details from the
The Git configuration file can then safely be committed to a shared Git repository without exposing the access token.