feat: support VIP_CLI_TOKEN environment variable for keychain-free authentication#2946
Draft
spenserhale wants to merge 1 commit into
Draft
feat: support VIP_CLI_TOKEN environment variable for keychain-free authentication#2946spenserhale wants to merge 1 commit into
spenserhale wants to merge 1 commit into
Conversation
5 tasks
…thentication Add a VIP_CLI_TOKEN environment variable that, when set (non-empty after trimming), authenticates VIP-CLI directly and bypasses the OS keychain entirely. This unblocks headless, SSH, and CI sessions where the keychain is unavailable, and makes scripting easier. It mirrors the existing WPVIP_DEPLOY_TOKEN precedent. The env token takes precedence over stored credentials: a malformed value throws an EnvTokenError with an actionable message naming the variable and token URL, surfaced cleanly instead of crashing. The login flow warns that the env var overrides any token you log in with, and logout skips the server-side call so it never invalidates a user-managed token, while still purging local state and reminding the user to unset the variable.
3d9110b to
00cd924
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Description
Adds support for a
VIP_CLI_TOKENenvironment variable that supplies the Personal Access Token directly, bypassing OS keychain storage entirely.Use case: authenticated VIP-CLI usage in environments where the OS keychain is unavailable — SSH sessions on macOS (the keychain ACL authorization prompt requires a GUI and cannot be shown, so token reads fail), CI pipelines, containers, and scripting. This follows the pattern established by
gh'sGH_TOKENand this repo's ownWPVIP_DEPLOY_TOKEN.Behavior:
VIP_CLI_TOKENis set (non-empty after trimming),Token.get()builds the token from the environment and never touches the keychain. It takes precedence over stored credentials.EnvTokenError), rather than silently falling back to the keychain or crashing with an opaque message.vip loginprints a note when the env var is set (the newly stored token won't be used until the variable is unset).vip logoutdoes not invalidate a user-managedVIP_CLI_TOKENserver-side (matchingghsemantics); it purges stored credentials as usual and prints a note that the env var continues to authenticate until unset.Known behavior: if
VIP_CLI_TOKENis set but malformed,vip loginalso exits with the actionable error rather than starting the login flow. This is intentional — the env var takes precedence, so a broken value should be fixed or unset first rather than silently ignored.Related: pairs with #2947, which skips the token read for commands that don't require auth; the two are independent and address different use cases.
Changelog Description
Added
VIP_CLI_TOKENenvironment variable to authenticate directly without OS keychain storage, for use in SSH sessions, CI, and other non-graphical environments.Pull request checklist
Steps to Test
npm run build.VIP_CLI_TOKEN=<token> node ./dist/bin/vip.js whoami— authenticates using the env token; the keychain read for auth is bypassed. (Note: withDEBUG=@automattic/vip:keychainyou may still see one keychain line from the analytics UUID lookup — that is unrelated to authentication and its errors are swallowed by the tracker.)VIP_CLI_TOKEN=not-a-jwt node ./dist/bin/vip.js app list— prints an actionable error namingVIP_CLI_TOKENinstead of an unhandled crash.VIP_CLI_TOKENset, runnode ./dist/bin/vip.js logout— stored credentials are purged, and a note explains the env var still authenticates until unset.VIP_CLI_TOKENworks.