fix: revert XDG config mounting and add GitHub CLI auth support

lroolle · claude · lroolle · commit 2657a254cef2 · 2025-06-22T06:19:39.000-07:00
- Revert broad ~/.config mounting that caused issues - Restore specific ~/.config/gcloud mounting for Vertex AI - Add GH_TOKEN and GITHUB_TOKEN environment variable passthrough - Document GitHub CLI authentication in README - Research keyring vs container auth challenges in dev logs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/DEV-LOGS.md b/DEV-LOGS.md
@@ -5,6 +5,44 @@
 
 ## Issue Analysis: 2025-06-22
 
+### [problem-discovered] GitHub CLI auth fails in containers
+
+**Problem**: Mounting `~/.config/gh/` doesn't work for GitHub CLI authentication in containers.
+
+**Root Cause**: Modern `gh` uses secure keyring storage instead of plain text files:
+- **Host**: Tokens stored in macOS Keychain/Linux Secret Service/Windows Credential Manager
+- **Container**: No keyring access, auth fails even with mounted config directory
+- **Split State**: Config files present but tokens inaccessible
+
+**Technical Details**:
+```bash
+# Host auth state:
+~/.config/gh/config.yml     # Configuration
+~/.config/gh/hosts.yml      # May contain tokens OR keyring references
+System Keyring              # Actual tokens (secure storage)
+
+# Container reality:
+/root/.config/gh/config.yml # ✅ Mounted successfully
+/root/.config/gh/hosts.yml  # ✅ Mounted but may reference unavailable keyring
+No System Keyring          # ❌ DBus/keyring services not available
+```
+
+**Why This Matters**: Current codebase has complete auth system for Claude/AWS/GCloud but GitHub CLI missing.
+
+**Immediate Impact**: Cannot create PRs or manage GitHub repos from within containers.
+
+**Solutions Research**:
+1. **Environment Variable**: `GH_TOKEN="ghp_xxx"` - simple, headless-friendly
+2. **Insecure Storage**: `gh auth login --insecure-storage` on host, then mount works
+3. **Token Injection**: `echo $TOKEN | gh auth login --with-token` in container
+4. **Mount Strategy**: Add explicit GitHub CLI auth mounting to claude.sh
+
+**Status**: Research complete, need implementation decision.
+
+---
+
+## Issue Analysis: 2025-06-22
+
 ### [enhancement] Controlled auth directory mounting
 
 **Problem**: Symlinking all /root/* was too broad and risky.
diff --git a/README.md b/README.md
@@ -62,6 +62,21 @@ claude.sh --help                    # Show all options
 - **AWS Bedrock**: Uses `~/.aws` credentials - `--auth-with bedrock`
 - **Google Vertex**: Uses `~/.config/gcloud` credentials - `--auth-with vertex`
 
+## GitHub CLI Authentication
+
+For GitHub operations (creating PRs, managing repos), set the `GH_TOKEN` environment variable:
+
+```bash
+# Set your GitHub token
+export GH_TOKEN="ghp_xxxxxxxxxxxx"
+
+# Now gh commands work in containers
+claude-yolo .
+# Inside container: gh pr create, gh issue list, etc.
+```
+
+**Note**: This avoids mounting `~/.config/gh/` which fails due to secure keyring storage in modern GitHub CLI versions.
+
 ## Custom Volume Mounting
 
 You can mount additional configuration files or directories using the `-v` flag:
diff --git a/claude.sh b/claude.sh
@@ -60,6 +60,8 @@ show_help() {
     echo "  DISABLE_TELEMETRY           Disable Claude Code telemetry"
     echo "  CLAUDE_YOLO_DOCKER_SOCKET   Mount Docker socket (default: false, set to 'true' to enable)"
     echo "  CLAUDE_EXTRA_VOLUMES        Extra volumes to mount in the container"
+    echo "  GH_TOKEN                    GitHub CLI authentication token"
+    echo "  GITHUB_TOKEN                GitHub CLI authentication token (alternative)"
     echo ""
     echo "Available models: sonnet-4, opus-4, sonnet-3-7, sonnet-3-5, haiku-3-5, sonnet-3, opus-3, haiku-3, deepseek-r1"
     echo ""
@@ -72,6 +74,7 @@ show_help() {
     echo "  $0 --yolo --auth-with bedrock .               # YOLO mode with Bedrock"
     echo "  $0 --yolo -v ~/.ssh:/root/.ssh:ro .           # YOLO mode with volume mount"
     echo "  ANTHROPIC_MODEL=opus-4 $0 .                   # Use Opus 4 with default auth"
+    echo "  GH_TOKEN=ghp_xxx $0 --yolo .                  # YOLO mode with GitHub CLI auth"
     echo ""
 }
 
@@ -421,10 +424,6 @@ if [ -d "${CURRENT_DIR}/.claude" ]; then
     DOCKER_ARGS+=("-v" "${CURRENT_DIR}/.claude:${CURRENT_DIR}/.claude")
 fi
 
-# Mount .config directory for XDG-compliant tools (gh, gcloud, git, etc.)
-if [ -d "$HOME/.config" ]; then
-    DOCKER_ARGS+=("-v" "$HOME/.config:/root/.config:ro")
-fi
 
 # Mount for AWS bedrock api
 if [ -d "$HOME/.aws" ]; then
@@ -497,6 +496,10 @@ fi
 [ -n "$GIT_COMMITTER_NAME" ] && DOCKER_ARGS+=("-e" "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME")
 [ -n "$GIT_COMMITTER_EMAIL" ] && DOCKER_ARGS+=("-e" "GIT_COMMITTER_EMAIL=$GIT_COMMITTER_EMAIL")
 
+# Pass GitHub CLI authentication
+[ -n "$GH_TOKEN" ] && DOCKER_ARGS+=("-e" "GH_TOKEN=$GH_TOKEN")
+[ -n "$GITHUB_TOKEN" ] && DOCKER_ARGS+=("-e" "GITHUB_TOKEN=$GITHUB_TOKEN")
+
 # Pass Node.js development variables
 [ -n "$NODE_ENV" ] && DOCKER_ARGS+=("-e" "NODE_ENV=$NODE_ENV")
 [ -n "$DEBUG" ] && DOCKER_ARGS+=("-e" "DEBUG=$DEBUG")
@@ -608,7 +611,9 @@ case "$AUTH_MODE" in
     if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ] && [ -f "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
         DOCKER_ARGS+=("-v" "$GOOGLE_APPLICATION_CREDENTIALS:$GOOGLE_APPLICATION_CREDENTIALS")
     fi
-    # .config/gcloud is already mounted via the general .config mount above
+    if [ -d "$HOME/.config/gcloud" ]; then
+        DOCKER_ARGS+=("-v" "$HOME/.config/gcloud:/root/.config/gcloud")
+    fi
 
     echo "Main model: $ANTHROPIC_MODEL"
     echo "Fast model: $ANTHROPIC_SMALL_FAST_MODEL"
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -102,11 +102,12 @@ setup_nonroot_user() {
         ln -sfn /root/.claude.json "$CLAUDE_HOME/.claude.json"
     fi
 
-    # Essential: Handle .config directory (XDG - includes git, gh, gcloud, etc.)
-    if [ -d "/root/.config" ]; then
-        echo "[entrypoint] linking .config directory"
-        chmod -R 755 /root/.config 2>/dev/null || true
-        ln -sfn /root/.config "$CLAUDE_HOME/.config"
+    # Essential: Handle .config/gcloud directory for Google Vertex AI
+    if [ -d "/root/.config/gcloud" ]; then
+        echo "[entrypoint] linking .config/gcloud"
+        mkdir -p "$CLAUDE_HOME/.config"
+        chmod -R 755 /root/.config/gcloud 2>/dev/null || true
+        ln -sfn /root/.config/gcloud "$CLAUDE_HOME/.config/gcloud"
     fi
 
     # Common: AWS credentials
