
Feature request: Respect GH_PAT, GITHUB_TOKEN, or GH_TOKEN in addition to GITHUB_PAT #1937

Closed
dvg-p4 opened this issue Jul 1, 2024 · 5 comments

Comments

@dvg-p4

dvg-p4 commented Jul 1, 2024

I believe the gh utility will use any of these environment variables as a PAT; pretty sure GITHUB_TOKEN is the recommended one (though the docs are a bit unclear).

@kevinushey
Collaborator

We do try to use gitcreds already here:

renv/R/download.R

Lines 547 to 550 in 65ac9cb

    # if gitcreds is available, try to use it
    gitcreds <-
      getOption("renv.gitcreds.enabled", default = TRUE) &&
      requireNamespace("gitcreds", quietly = TRUE)

Does gh do something that gitcreds does not? Are there other places where we need to use this?

@kevinushey
Collaborator

There are quite a few places where we use "GITHUB_PAT", so we'll probably need to audit all of these.

@dvg-p4
Author

dvg-p4 commented Jul 3, 2024

On the other hand, looking through the link recommended by the error message (https://usethis.r-lib.org/articles/git-credentials.html)...

Allow tools to store and retrieve your credentials from the Git credential store. If you have previously set your GitHub PAT in .Renviron, stop doing that.

and gitcreds says:

However, we still suggest that you add your token to the git credential store with gitcreds_set() and remove GITHUB_PAT from your .Renviron file. The credential store is more secure than storing tokens in files

So maybe the whole env var thing is an antipattern.

On the other other hand, man git-credential-store says:

Using this helper will store your passwords unencrypted on disk, protected only by filesystem permissions.

so at the end of the day I'm not sure that introducing the extra dependency here actually does all that much for security.

@dvg-p4
Author

dvg-p4 commented Jul 3, 2024

It looks like gh actually just respects GITHUB_TOKEN and GH_TOKEN (but not *_PAT).

While gitcreds respects GITHUB_TOKEN and GITHUB_PAT (but not GH_*).
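The two comments above describe a lookup that honours several environment variable names and then falls back to the git credential store. The following R function is an added illustration of that pattern, not renv's or gitcreds' own code: the precedence order, the helper name github_token(), and the token value used in the demonstration are all assumptions for this example. It returns which source supplied the token rather than echoing the secret, so it can be used for diagnostics without leaking the credential into logs.

```r
# Added example (not renv's own code): resolve a GitHub token from the
# environment variables named in this thread, in a fixed precedence order,
# then fall back to the git credential store via gitcreds if it is installed.
# The order below is a choice made for this example; gh itself reads only
# GITHUB_TOKEN and GH_TOKEN, gitcreds reads GITHUB_TOKEN and GITHUB_PAT.
github_token <- function(host = "github.com") {
  candidates <- c("GITHUB_PAT", "GITHUB_TOKEN", "GH_TOKEN", "GH_PAT")
  for (name in candidates) {
    value <- Sys.getenv(name, unset = NA)
    if (!is.na(value) && nzchar(value))
      return(list(source = name, token = value))
  }

  # Same opt-out option renv uses for gitcreds; the credential store is only
  # consulted when the package is present, so no hard dependency is introduced.
  if (isTRUE(getOption("renv.gitcreds.enabled", default = TRUE)) &&
      requireNamespace("gitcreds", quietly = TRUE)) {
    creds <- tryCatch(
      gitcreds::gitcreds_get(url = paste0("https://", host)),
      error = function(e) NULL   # no stored credential, or no helper configured
    )
    if (!is.null(creds))
      return(list(source = "gitcreds", token = creds$password))
  }

  NULL  # nothing found; callers should proceed unauthenticated or fail clearly
}

# Demonstration with a constructed, obviously fake token. All four variables
# are unset first so the lookup is deterministic regardless of the caller's
# environment, and only the *source* is reported, never the token itself.
Sys.unsetenv(c("GITHUB_PAT", "GITHUB_TOKEN", "GH_TOKEN", "GH_PAT"))
Sys.setenv(GH_TOKEN = "ghp_EXAMPLEONLY_not_a_real_token")
res <- github_token()
stopifnot(identical(res$source, "GH_TOKEN"))
message("token resolved from: ", res$source)
Sys.unsetenv("GH_TOKEN")
```

Whichever precedence a tool settles on, the check worth keeping is the one at the end: when several of these variables are set at once, report which one won, because a stale GITHUB_PAT silently shadowing a freshly rotated GITHUB_TOKEN is a common source of confusing 401s.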

@kevinushey
Collaborator

Should be resolved in 37f5b31 -- let me know if all seems well on your side.
