Description
When two GitHub accounts are configured for the same host (github.com) using GH_CONFIG_DIR to separate configs, gh auth token retrieves the wrong token because the keychain lookup doesn't include the account name.
Steps to reproduce
- Set up two gh configs for different GitHub accounts on the same host:
# Default config (~/.config/gh/)
gh auth login # login as user-a
# Personal config (~/.config/gh-personal/)
GH_CONFIG_DIR=~/.config/gh-personal gh auth login # login as user-b
- Both tokens are stored correctly in the macOS Keychain as separate entries:
(service="gh:github.com", account="user-a") → token-a
(service="gh:github.com", account="user-b") → token-b
- Verify with
security:
security find-generic-password -s "gh:github.com" -a "user-a" -w # → token-a ✓
security find-generic-password -s "gh:github.com" -a "user-b" -w # → token-b ✓
- But
gh auth token returns the wrong token for one of the configs:
GH_CONFIG_DIR=~/.config/gh-personal gh auth status
# → "Logged in to github.com account user-b (keyring)" ✓
GH_CONFIG_DIR=~/.config/gh-personal gh auth token
# → token-a ✗ (wrong! should be token-b)
GH_CONFIG_DIR=~/.config/gh-personal gh api user --jq '.login'
# → "user-a" ✗
Root cause
The keychain lookup appears to query by service name only (gh:github.com) without passing the account field. macOS Keychain returns an arbitrary entry when multiple entries share the same service name. gh auth status reads the username from hosts.yml (correct), but the actual token retrieval doesn't use it as a filter.
Workaround
Read the keychain entry directly with the correct account and set GH_TOKEN:
_gh_token() {
local raw
raw=$(security find-generic-password -s "gh:github.com" -a "$1" -w 2>/dev/null) || return 1
echo "${raw#go-keyring-base64:}" | base64 -d
}
GH_CONFIG_DIR=~/.config/gh-personal \
GH_TOKEN=$(_gh_token user-b) \
gh api user --jq '.login'
# → "user-b" ✓
Expected behavior
gh auth token (and all commands that retrieve the token) should pass the account name from hosts.yml to the keychain lookup, so that multiple accounts for the same host can coexist.
Environment
- gh version: 2.74.0
- OS: macOS 15.5 (Darwin 25.3.0)
- Keychain backend: macOS Keychain (via go-keyring)
Description
When two GitHub accounts are configured for the same host (
github.com) usingGH_CONFIG_DIRto separate configs,gh auth tokenretrieves the wrong token because the keychain lookup doesn't include the account name.Steps to reproduce
security:gh auth tokenreturns the wrong token for one of the configs:Root cause
The keychain lookup appears to query by service name only (
gh:github.com) without passing the account field. macOS Keychain returns an arbitrary entry when multiple entries share the same service name.gh auth statusreads the username fromhosts.yml(correct), but the actual token retrieval doesn't use it as a filter.Workaround
Read the keychain entry directly with the correct account and set
GH_TOKEN:Expected behavior
gh auth token(and all commands that retrieve the token) should pass the account name fromhosts.ymlto the keychain lookup, so that multiple accounts for the same host can coexist.Environment