Skip to content

feat: support VIP_CLI_TOKEN environment variable for keychain-free authentication#2946

Draft
spenserhale wants to merge 1 commit into
Automattic:trunkfrom
spenserhale:add/vip-cli-token-env-var
Draft

feat: support VIP_CLI_TOKEN environment variable for keychain-free authentication#2946
spenserhale wants to merge 1 commit into
Automattic:trunkfrom
spenserhale:add/vip-cli-token-env-var

Conversation

@spenserhale

@spenserhale spenserhale commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Description

Adds support for a VIP_CLI_TOKEN environment variable that supplies the Personal Access Token directly, bypassing OS keychain storage entirely.

Use case: authenticated VIP-CLI usage in environments where the OS keychain is unavailable — SSH sessions on macOS (the keychain ACL authorization prompt requires a GUI and cannot be shown, so token reads fail), CI pipelines, containers, and scripting. This follows the pattern established by gh's GH_TOKEN and this repo's own WPVIP_DEPLOY_TOKEN.

Behavior:

  • When VIP_CLI_TOKEN is set (non-empty after trimming), Token.get() builds the token from the environment and never touches the keychain. It takes precedence over stored credentials.
  • A malformed env token fails with an actionable error naming the variable and the token URL (a new EnvTokenError), rather than silently falling back to the keychain or crashing with an opaque message.
  • vip login prints a note when the env var is set (the newly stored token won't be used until the variable is unset).
  • vip logout does not invalidate a user-managed VIP_CLI_TOKEN server-side (matching gh semantics); it purges stored credentials as usual and prints a note that the env var continues to authenticate until unset.

Known behavior: if VIP_CLI_TOKEN is set but malformed, vip login also exits with the actionable error rather than starting the login flow. This is intentional — the env var takes precedence, so a broken value should be fixed or unset first rather than silently ignored.

Related: pairs with #2947, which skips the token read for commands that don't require auth; the two are independent and address different use cases.

Changelog Description

Added

  • Added support for the VIP_CLI_TOKEN environment variable to authenticate directly without OS keychain storage, for use in SSH sessions, CI, and other non-graphical environments.

Pull request checklist

Steps to Test

  1. Check out PR.
  2. Run npm run build.
  3. Get a Personal Access Token from https://dashboard.wpvip.com/me/cli/token
  4. Run VIP_CLI_TOKEN=<token> node ./dist/bin/vip.js whoami — authenticates using the env token; the keychain read for auth is bypassed. (Note: with DEBUG=@automattic/vip:keychain you may still see one keychain line from the analytics UUID lookup — that is unrelated to authentication and its errors are swallowed by the tracker.)
  5. Run VIP_CLI_TOKEN=not-a-jwt node ./dist/bin/vip.js app list — prints an actionable error naming VIP_CLI_TOKEN instead of an unhandled crash.
  6. With VIP_CLI_TOKEN set, run node ./dist/bin/vip.js logout — stored credentials are purged, and a note explains the env var still authenticates until unset.
  7. Best exercised over SSH to a macOS machine, where keychain-based auth fails but VIP_CLI_TOKEN works.

…thentication

Add a VIP_CLI_TOKEN environment variable that, when set (non-empty after
trimming), authenticates VIP-CLI directly and bypasses the OS keychain
entirely. This unblocks headless, SSH, and CI sessions where the keychain
is unavailable, and makes scripting easier. It mirrors the existing
WPVIP_DEPLOY_TOKEN precedent.

The env token takes precedence over stored credentials: a malformed value
throws an EnvTokenError with an actionable message naming the variable and
token URL, surfaced cleanly instead of crashing. The login flow warns that
the env var overrides any token you log in with, and logout skips the
server-side call so it never invalidates a user-managed token, while still
purging local state and reminding the user to unset the variable.
@spenserhale spenserhale force-pushed the add/vip-cli-token-env-var branch from 3d9110b to 00cd924 Compare July 10, 2026 08:57
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant