Create/Revoke Personal Access Tokens #2531

Open
CalvinRodo opened this issue Dec 2, 2020 · 17 comments
Labels: blocked; core (This issue is not accepting PRs from outside contributors); enhancement (a request to improve CLI); platform (Problems with the GitHub platform rather than the CLI client)


@CalvinRodo

### Describe the feature or problem you’d like to solve

I would like to be able to create and revoke personal access tokens from the CLI

### Proposed solution

Calling `gh token create` will create a new token and output the token value
Calling `gh token revoke` will revoke the token passed in

```sh
TOKEN="$(gh token create --scope scope.json)"
github-label-sync -a "$TOKEN"
gh token revoke "$TOKEN"
```

### Additional context

Add any other context like screenshots or mockups are helpful, if applicable.
@CalvinRodo added the enhancement label Dec 2, 2020

@samcoe added the core label Dec 7, 2020
@insanitybit

Currently there's no API for revoking tokens and it's expected that users will manage this themselves. This is really frustrating for any organization. We obviously can't rely on users to open up their browsers and check which tokens to revoke; we need to build this into scripts.

The ability to revoke tokens would really help a lot.

@tylerschoppe

Any updates on a projected timeline for this addition? Thanks!

@0xdevalias

Was just setting up a new work environment and was surprised to find that the gh CLI doesn't support creating/listing/revoking tokens from it.


> We still plan to do this, but we are a way off still. We might need to first convert our OAuth app to a "GitHub App" before we can improve the user experience of minting tokens with specific privileges and expiration.
>
> @aslilac For authenticating Docker, see this workaround: #5150 (comment)

Originally posted by @mislav in #3855 (comment)

@0xdevalias

0xdevalias commented Nov 29, 2022

Even if the token couldn't be created through the CLI due to missing APIs/etc at the moment, having a command that even directs us to do so in the web UI in the meantime would aid in discovery/etc.

Particularly given the URL can be guided with url params (unsure if there are others besides description):

https://github.com/settings/tokens/new?description=useful-forks%20(no%20scope%20required)

@mislav
Contributor

mislav commented Nov 29, 2022

@0xdevalias The scopes query parameter seems to work:
https://github.com/settings/tokens/new?description=useful-forks&scopes=repo:invite,read:public_key

@0xdevalias

> The scopes query parameter seems to work:

Ah, nice. I thought I'd seen that done, but couldn't remember the specifics for it.
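The pre-filled link from the comments above can be generated from a script. This is an added example, not part of the thread or of the gh CLI; the function names `urlencode` and `token_url` are hypothetical, and it relies only on the `description` and `scopes` query parameters shown above (ASCII input assumed).

```shell
#!/bin/sh
# Added example: build a pre-filled "new token" link for the GitHub web UI.
# Only the description and scopes parameters from the thread are used.

# Percent-encode a string for use as a query value (ASCII input assumed).
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case $c in
            [a-zA-Z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# token_url DESCRIPTION [SCOPE...]
token_url() {
    desc=$1; shift
    scopes=
    for sc in "$@"; do
        # Accept only plain scope names (lowercase, "_" and ":"), so a
        # caller-supplied value cannot add extra query parameters via & or =.
        case $sc in
            ''|*[!a-z_:]*) echo "invalid scope: $sc" >&2; return 1 ;;
        esac
        scopes=${scopes:+$scopes,}$sc
    done
    url="https://github.com/settings/tokens/new?description=$(urlencode "$desc")"
    if [ -n "$scopes" ]; then
        url="$url&scopes=$scopes"
    fi
    printf '%s\n' "$url"
}

# Sample call using the values from the thread.
token_url "useful-forks" repo:invite read:public_key
```

The link only pre-fills the form; the token is still created and revoked by the signed-in user in the browser, so listing the requested scopes explicitly keeps the request reviewable before it is confirmed.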


@smheidrich

For anyone who doesn't want to wait until this gets an official API and implementation, here is a 3rd party CLI tool and Python library to create, list and delete fine-grained tokens (which are a bit different from classic personal access tokens, but if anyone wants, I can probably write a similar thing for the classic ones...): https://smheidrich.gitlab.io/github-fine-grained-token-client/

This is achieved by simulating the requests that would be triggered by a user clicking through the web interface. Obviously this approach can't be very stable because the web interface is subject to change without warning, so I'd strongly recommend against using this for anything critical. Intended usage is to just run this locally to make creating tokens less annoying, a bit faster and scriptable.

@andyfeller
Contributor

@samcoe @williammartin: I think this issue might need to be closed due to the limitations of GitHub APIs around PATs and uncertainty when such APIs will materialize. GitHub has heard feedback around this area, however I haven't seen anything on the GitHub public roadmap to set reasonable expectations for this. Though tools like those mentioned #2531 (comment) are plausible, I don't recommend we implement something out of band of official GitHub APIs.

My recommendation for this issue is that we close it until there's a better GitHub API story around token management.

Thoughts?

@0xdevalias

Personally I don't close issues just because of a lack of upstream support; as that tends to have the effect of hiding the demand/interest/etc among the noise.

I would usually add a 'blocked by upstream' type tag to signal it's not something that can be actively worked on, then leave it open.

/2c

@samcoe added the blocked and platform labels Sep 26, 2023
@samcoe
Contributor

samcoe commented Sep 26, 2023

@andyfeller I would agree with @0xdevalias with marking it blocked by the platform but leaving it open so it is easier for users to find.

@ydekel6

ydekel6 commented Nov 12, 2023

How can we surface this issue? It doesn't make sense to leave it behind for 3 years

@andyfeller
Contributor

andyfeller commented Nov 13, 2023

> How can we surface this issue? It doesn't make sense to leave it behind for 3 years

@ydekel6 : I can assure you that this has been raised to Engineering and Product. I don't think there is much else the GitHub CLI team can do independently as there are broader API and security design issues that go beyond our team.

My advice is for you to engage the broader GitHub community through one of the 🔄API and Webhooks discussions that have touched on this. This is the best place for you to engage directly with the Engineering and Product hubbers around our APIs.

@bchase-humana

Additional commentary. The ability, for Enterprise customers, to generate tokens on behalf of a user account could be beneficial. Especially in an environment where service accounts (bots) are used to set up integrations and PATs are required but enabling 2FA on the EMU platform would effectively disable those accounts from creating their own PAT by the respective owning team.

@illrill

illrill commented Feb 29, 2024

I too deeply need an API for issuing and revoking PATs.

@z-sourcecode

+1
