🚀[Feature]: Use Git natives for authentication for git commands #262

Open
MariusStorhaug opened this issue Jan 16, 2025 · 2 comments

@MariusStorhaug MariusStorhaug added the feature New feature label Jan 16, 2025
@MariusStorhaug MariusStorhaug changed the title 🚀[Feature]: Integrate with Git Credential Manager 🚀[Feature]: Integrate with Git Credential Manager and helpers Jan 16, 2025
@MariusStorhaug MariusStorhaug changed the title 🚀[Feature]: Integrate with Git Credential Manager and helpers 🚀[Feature]: Use Git natives for authentication for git commands Jan 16, 2025
@MariusStorhaug

Credential helper with a custom command, or use the native credential with the info from the github context?

@MariusStorhaug

Below is one acceptable solution. The idea is to write a PowerShell script that implements the Git credential‐helper protocol: it reads key–value pairs (one per line) on its standard input, then (for a “get” operation) writes out the credentials (including an expiration date) on standard output. (Git ignores extra fields but your script can use the expiration value to decide when to re‐query GitHub.) You can then configure Git to call your script.

In the example below the placeholder function Get-InstallationToken is where you would call GitHub’s API (or otherwise generate a GitHub App installation access token). (For a GitHub App the token will expire, so we output an “expiration” field along with the “password” which is really the token.)

Note: Git’s credential helper protocol is simple:

- Git calls your helper with input lines such as protocol=..., host=..., etc., terminated by an empty line.
- If the action is “get” (or no “action” is supplied) your script must output lines such as username=... and password=.... Any extra fields (like “expiration”) are for your own use.
- For “store” and “erase” actions you can add logic as needed (or leave them empty).

Below is a complete sample PowerShell script:

```powershell
# git-credential-helper.ps1

#---------------------------------------------------------------------
# This function should be replaced with code that retrieves a valid
# GitHub App installation access token (and its expiration date).
# In this example it returns dummy values.
#---------------------------------------------------------------------
function Get-InstallationToken {
    param(
        # Not named $Host: that is a read-only automatic variable in PowerShell.
        [string]$HostName,
        [string]$User
    )
    # TODO: Insert code here to call the GitHub API and generate an
    # installation access token for the given host/user.
    #
    # For demonstration, we return a dummy token that expires in 1 hour.
    return @{
        access_token = "my_generated_token_ABC123"
        expires_at   = (Get-Date).AddHours(1).ToString("o")  # ISO 8601 format
    }
}

#---------------------------------------------------------------------
# Read key=value lines from standard input until an empty line
# (or end of input).
#---------------------------------------------------------------------
$inputData = @{}
while ($null -ne ($line = [Console]::In.ReadLine())) {
    if ([string]::IsNullOrEmpty($line)) { break }
    if ($line -match "^(?<key>[^=]+)=(?<value>.*)$") {
        $inputData[$matches['key']] = $matches['value']
    }
}

# Determine the action (default is "get"). Git appends the operation
# (get, store or erase) to the helper command line, so a command-line
# argument takes precedence over an "action" key read from the input.
$action = "get"
if ($inputData.ContainsKey("action")) { $action = $inputData["action"] }
if ($args.Count -gt 0) { $action = $args[0] }

switch ($action) {
    "get" {
        # You may use the host and/or username to decide which token to get.
        $hostName = $inputData["host"]
        # Often GitHub tokens use a dummy username (such as "x-access-token")
        $user = if ($inputData.ContainsKey("username")) { $inputData["username"] } else { "x-access-token" }

        # Retrieve token (and its expiration date)
        $tokenInfo = Get-InstallationToken -HostName $hostName -User $user

        # Write out the credentials for Git.
        Write-Output "username=$user"
        Write-Output "password=$($tokenInfo.access_token)"
        Write-Output "expiration=$($tokenInfo.expires_at)"
    }
    "store" {
        # Optional: implement storing credentials if desired.
    }
    "erase" {
        # Optional: implement erasing credentials if desired.
    }
}
```

Tell Git to Use It
Run the following command in your shell (adjusting the path as needed):

```
git config --global credential.helper "!powershell -NoProfile -ExecutionPolicy Bypass -File 'C:/tools/git-credential-helper.ps1'"
```

Test It Out

When Git needs credentials (for example, when you clone a repository), it will call your PowerShell script. Your script will then output the username, password (token), and expiration date. (Git uses only “username” and “password”, but you can use the expiration field to decide when your token must be refreshed.)

Customizing for GitHub Apps

Replace the body of Get-InstallationToken with code that:

- Authenticates your GitHub App (using its private key, app ID, etc.)
- Calls GitHub’s create installation access token API
- Parses the response to obtain both the access_token and its expires_at timestamp

That way your helper always returns a valid (non‐expired) token to Git.

This solution meets the requirements: it uses a PowerShell script as a Git credential helper, it configures Git to invoke that script, and it returns both a password (installation access token) and an expiration date. Feel free to adjust the script as necessary for your environment and authentication flow.
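
Added example, not part of the comment above or of the module's code: a helper configured globally is asked for credentials for every remote, so this sketch releases the token only for HTTPS requests to an allow-listed host and uses the expiration value to decide when to fetch a new one. The allow-list, the 5-minute skew, the function names and the sample requests are all assumptions constructed for illustration.

```powershell
# Added example (not the module's code). $AllowedHosts, the 5-minute skew and
# every function name below are assumptions chosen for illustration.
$AllowedHosts = @('github.com')

function Read-CredentialRequest {
    param([System.IO.TextReader]$Reader)
    $request = @{}
    while ($null -ne ($line = $Reader.ReadLine())) {
        if ($line -eq '') { break }                  # a blank line ends the request
        $key, $value = $line -split '=', 2           # split once: values may contain '='
        if ($key -and $null -ne $value) { $request[$key] = $value }
    }
    return $request
}

function Test-CredentialRequestAllowed {
    param([hashtable]$Request)
    # Answer only HTTPS requests for an allow-listed host, so the token is
    # never released for another remote or for a cleartext protocol.
    return ($Request['protocol'] -eq 'https') -and ($AllowedHosts -contains $Request['host'])
}

function Test-TokenFresh {
    param([string]$ExpiresAt, [int]$SkewMinutes = 5)
    if ([string]::IsNullOrEmpty($ExpiresAt)) { return $false }
    $expiry = [DateTimeOffset]::Parse($ExpiresAt, [cultureinfo]::InvariantCulture)
    return $expiry -gt [DateTimeOffset]::UtcNow.AddMinutes($SkewMinutes)
}

function Get-ValidToken {
    param([hashtable]$Cached, [scriptblock]$Fetch)
    # Reuse the cached token while it is fresh; otherwise ask for a new one.
    if ($Cached -and (Test-TokenFresh $Cached.expires_at)) { return $Cached }
    return & $Fetch
}

# Constructed sample data: two requests and a cached token close to expiry.
$forGitHub = Read-CredentialRequest ([System.IO.StringReader]::new("protocol=https`nhost=github.com`n`n"))
$forOther  = Read-CredentialRequest ([System.IO.StringReader]::new("protocol=https`nhost=git.example.test`n`n"))
$cached    = @{ access_token = 'constructed-old'; expires_at = [DateTimeOffset]::UtcNow.AddMinutes(2).ToString('o') }
$fetch     = { @{ access_token = 'constructed-new'; expires_at = [DateTimeOffset]::UtcNow.AddHours(1).ToString('o') } }

foreach ($request in $forGitHub, $forOther) {
    if (Test-CredentialRequestAllowed $request) {
        $token = Get-ValidToken -Cached $cached -Fetch $fetch
        "username=x-access-token"; "password=$($token.access_token)"; "expiration=$($token.expires_at)"
    }   # a disallowed request gets no output, so Git falls back to its other helpers or a prompt
}
```

Git can apply the same scoping itself: setting the helper under `credential.https://github.com.helper` instead of `credential.helper` limits which remotes it is invoked for. Where a cached token is kept between invocations is left out here and needs its own protection.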
