Teri Radichel

Create a New GitHub Repository Using the Command Line

ACM.228 git command line versus the git CLI and related credential issues

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: GitHub Security | Application Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In my last post I covered the components I’m going to use for a static website that triggers a Lambda function.

In this post, I want to automate creation of the git repository.

I showed you in a prior post how to create personal access tokens with different permissions.

Create a GitHub Personal Access Token for Repo Administration

Before I run my code to create a repository I’m going to set up a personal access token which has permission to create new repositories. I am only going to use that token when I’m managing repositories. It will be separate from the token I use to add and remove code from repositories.

Click on your profile picture in GitHub and choose settings.

Scroll to the bottom and click on Developer settings.

Click on Personal access tokens > Fine-grained access tokens.

Click Generate new token.

I’m going to call this token repo_admin

Make sure you select the correct owner where you want to create the repository. If you are part of an organization and want to create the repository in your organization, make sure that you create the personal access token for your org not your personal account.

Because the repositories I want to create don’t exist yet, I have to select All Repositories.

Grant read and write access for administration.

Click Generate token.

Make a copy of your token and store it somewhere secure as you won’t be able to see this token again on GitHub.

Directory for GitHub Automation

I’m going to create a new directory in my repository for GitHub related scripts.

Script to Create a New Repository

I want to write a script that creates a new repository. I started with this command:

git remote add origin https://github.com/OWNER/REPOSITORY.git

I’m going to prompt the user for the owner and repository name.

On my first attempt I got this error:

pathspec ‘repository’ did not match any file(s) known to git

Simple fix once I figured it out.

Next problem: it says the repository is not found when I try to push. I tried a few more things and thought I was having permissions issues. I wasn’t, but in the process I added these permissions to my token, just FYI.

I added the ability to read and write contents:

Also commit statuses:

After spending time looking into this a bit further, it appears that you must first manually add the repository on GitHub before you run a script with the git remote add command in it: that command only registers a remote URL in your local clone, it doesn’t create anything on GitHub. Well, that’s not ideal.

We do have another option. We can try to use the GitHub CLI (gh). It has a command to create a repository (gh repo create). We could also try to use the GitHub API directly, but I’m going to start with the CLI as it looks simple.

Famous last words. This took me down a rabbit hole for a few hours.

Installing the GitHub CLI

I went ahead and created a script for AWS Linux and Ubuntu (the two platforms I’m using) based on these instructions:

Then check the version (gh --version) to make sure it’s installed properly.

That part was easy.

Using the GitHub CLI to Create a New Repository

Now as a reminder, I have git’s credential.helper set to cache.

As explained in that post, I hope that I can set and clear the cache before and after the CLI calls and it will work the same way. The CLI is supposed to work with git’s credential.helper.

I’m using these instructions to create the repo:

Specifically:

  • First I need to log in. I tried using the gh auth login command with the --with-token flag in my script but it didn’t work.
  • I tested the login command outside of the script and it’s kind of hokey but I got it to work. I was able to login without a browser.
  • However, after getting it to work I added it back to my script and the script would just hang.
  • Then I tried to login outside of the script and it no longer worked.
  • Next I tried to logout and test the login command again and it failed.

I don’t know how I got it to ever work in the first place, but after multiple rounds of trial and error this worked:

But that led me to one of those hokey browser flows that I explained I don’t like in prior posts. Ick.

These types of flows are just so clunky to me. I also don’t like the attack surface as I wrote about in another post.

So what if someone stole my token? Would this method actually help? They use my token somewhere and get a code on the screen. Then they have to go to a browser, enter the code and click a button. Hmm. Did I have to be logged in as well?

I know this is an attempt at MFA but I find it very cumbersome. I’d much rather enter a code on the command line. But I get what they are trying to do here.

There must be a way to turn off the browser flow. It looks like my only option is to set an environment variable. Well, I don’t really like environment variables. But the thing is, you can set a variable within a script so that it only exists for the life of the script and then goes away. I think that will be OK. I don’t want my token hanging around in a permanent environment variable that any malware that gets on the machine can read, even when I’m not actively using it.

At first I read in the token and tried to pass it to the auth login command. I named the variable GH_TOKEN as directed by the instructions. After a bit of trial and error I realized that you don’t even have to pass the variable to the auth login command. You simply set it and the GitHub CLI finds it.

Here’s my script. Notice that I’m reading the token I enter with read -s so it isn’t echoed to the screen.

Here’s what it looks like when you run it.

The owner name is tradichel (me).

https://github.com/tradichel

The new repo name is CoolNewRepo.

After I got done running my script I of course checked to see that my repo exists in GitHub. It does.

Then I wanted to see if the access token was in my bash history.

Here’s the thing. It’s not there from the script I ran, but it is there from a prior test where I executed gh auth login from the command line and passed in the token. And that, my friends, is why you shouldn’t enter passwords and secrets in plain text on the command line.

Let’s clear that out with:

history -c

Run that grep command again and you won’t find the token or any other prior commands.

The other two commands I ran were:

set | grep github
env | grep github

I did find the token in both those places. I don’t know if that was from prior testing or my script. I ran the following command:

unset GH_TOKEN

That cleared out my token from environment variables.

Let’s add those two commands to the end of the script. I’m going to do one other thing and set the variable that may still hold the value in memory to an empty string. Now let’s run the script again.

Now there’s no trace of my token in these locations:

Hopefully that will keep our token reasonably secure. I need to think about this a bit more but I’m going with this for now.
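One way to put the flow above into a script, as an added example that is not the author’s code: the token is read without echo and never placed on a command line, it is exported only inside a subshell around the gh call (which, as noted above, picks GH_TOKEN up on its own), and it is scrubbed afterwards. It assumes gh and git are installed; the --private flag is my choice, and the remote URL is the one from the git remote add step earlier.

```shell
#!/bin/sh
# Added example, not the author's script: create a GitHub repository with the
# gh CLI while keeping the token out of argv, shell history and the parent
# shell's environment. Assumes gh and git are on PATH.
set -eu

# Remote URL for the post's "git remote add origin" step.
repo_url() {
  printf 'https://github.com/%s/%s.git' "$1" "$2"
}

# Read a secret with terminal echo off and without putting it on any command
# line, so "history | grep" has nothing to record.
read_token() {
  stty -echo; trap 'stty echo' EXIT
  printf 'Personal access token (repo_admin): ' >&2
  read -r tok
  stty echo; trap - EXIT; echo >&2
  printf '%s' "$tok"
}

# Run a command with GH_TOKEN exported only inside a subshell: gh finds it
# there, but the variable never exists in the calling shell, so
# "env | grep" and "set | grep" stay clean afterwards.
with_gh_token() {
  _tok="$1"; shift
  ( export GH_TOKEN="$_tok"; "$@" )
  _tok=""
}

# Same cleanup the post adds to the end of its script: unset the variable
# and blank anything that may still hold the value.
scrub_token() {
  unset GH_TOKEN
  tok=""; _tok=""
}

create_repo() {
  owner="$1"; repo="$2"; tok="$3"
  with_gh_token "$tok" gh repo create "$owner/$repo" --private
  git remote add origin "$(repo_url "$owner" "$repo")"
  scrub_token
}

main() {
  printf 'Owner: ' >&2; read -r owner
  printf 'Repository: ' >&2; read -r repo
  create_repo "$owner" "$repo" "$(read_token)"
}

# Start the interactive flow only when asked: sh create_repo.sh run
case "${1:-}" in run) main ;; esac
```

Run it with sh create_repo.sh run from inside the local clone; the helper functions can be sourced and exercised without touching GitHub.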

Now that I have a repository I can go ahead and move the static content for each web site I want to deploy into its own repository.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab