Authentication

Copybara needs authentication to read from origins and write to destinations.

Authentication Methods

| Method | Use Case | Security |
|---|---|---|
| Personal Access Token (Classic) | Quick setup | Medium |
| Fine-Grained Token | Scoped access | High |
| SSH Key | Traditional Git auth | Medium |
| Deploy Key | Single repo write | High |
| GitHub App | Enterprise automation | High |

Personal Access Token (Classic)

- Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click “Generate new token (classic)”
- Select scopes:
  - `repo` (full repository access)
  - `workflow` (if modifying workflows)
- Generate and copy the token

```bash
# Configure Git credentials (the store helper keeps the token in plaintext on disk)
git config --global credential.helper store
echo "https://x-access-token:${TOKEN}@github.com" > ~/.git-credentials
```

In GitHub Actions:

```yaml
- name: Configure Git
  run: |
    git config --global credential.helper store
    echo "https://x-access-token:${{ secrets.PAT }}@github.com" > ~/.git-credentials
```

Fine-Grained Token (Recommended)

More secure than classic tokens:
- Go to GitHub Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Click “Generate new token”
- Set expiration
- Select repository access: “Only select repositories”
- Choose the destination repository
- Set permissions:
  - Contents: Read and write
  - Pull requests: Read and write
  - Metadata: Read

Same as classic token:

```bash
git config --global credential.helper store
echo "https://x-access-token:${FINE_GRAINED_TOKEN}@github.com" > ~/.git-credentials
```

SSH Key

Traditional Git authentication:
- Generate SSH key:

  ```bash
  ssh-keygen -t ed25519 -C "copybara@example.com"
  ```

- Add public key to GitHub:
  - Settings → SSH and GPG keys → New SSH key
  - Or repository Settings → Deploy keys (for single repo)

```bash
# Add private key to agent
ssh-add ~/.ssh/id_ed25519

# Or specify key file
GIT_SSH_COMMAND="ssh -i ~/.ssh/copybara_key" java -jar copybara.jar ...
```

In GitHub Actions:

```yaml
- name: Configure SSH
  run: |
    mkdir -p ~/.ssh
    echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
    chmod 600 ~/.ssh/id_ed25519
    # ssh-keyscan does not authenticate the key it fetches; compare it with GitHub's published fingerprints
    ssh-keyscan github.com >> ~/.ssh/known_hosts
```

Use SSH URL in config:

```python
destination = git.destination(
    url = "git@github.com:org/repo.git",
    push = "main",
)
```

Deploy Key

SSH key scoped to a single repository:
- Generate SSH key:

  ```bash
  ssh-keygen -t ed25519 -C "copybara-deploy" -f copybara_deploy
  ```

- Add to repository:
  - Repository Settings → Deploy keys
  - Add deploy key
  - Enable “Allow write access”

Same as SSH key:

```yaml
- name: Configure Deploy Key
  run: |
    mkdir -p ~/.ssh
    echo "${{ secrets.DEPLOY_KEY }}" > ~/.ssh/id_ed25519
    chmod 600 ~/.ssh/id_ed25519
    ssh-keyscan github.com >> ~/.ssh/known_hosts
```

GitHub App

Best for enterprise and multi-repo automation:
- Create GitHub App:
  - Organization Settings → Developer settings → GitHub Apps
  - New GitHub App
  - Set permissions:
    - Contents: Read and write
    - Pull requests: Read and write
    - Metadata: Read
  - Install on required repositories
- Note the App ID and generate a private key

```yaml
- name: Generate token
  id: app-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    repositories: destination-repo

- name: Configure Git
  run: |
    git config --global credential.helper store
    echo "https://x-access-token:${{ steps.app-token.outputs.token }}@github.com" > ~/.git-credentials
```

Gerrit Authentication

For Gerrit destinations:
```bash
# HTTP password
git config --global credential.helper store
echo "https://username:http-password@gerrit.example.com" > ~/.git-credentials
```

Generate HTTP password in Gerrit: Settings → HTTP Credentials

Multi-Repository Access

For workflows accessing multiple repositories:
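```yaml
# Use a PAT with access to all repos
- name: Configure Git
  run: |
    git config --global credential.helper store
    echo "https://x-access-token:${{ secrets.MULTI_REPO_PAT }}@github.com" > ~/.git-credentials
```

Or use separate credentials:

```yaml
- name: Configure credentials
  run: |
    git config --global credential.helper store
    # Both entries share host and username, so the store helper returns the first
    # for every github.com URL; telling them apart needs credential.useHttpPath
    # and a repository path on each entry.
    cat > ~/.git-credentials << 'EOF'
    https://x-access-token:${{ secrets.ORIGIN_TOKEN }}@github.com
    https://x-access-token:${{ secrets.DEST_TOKEN }}@github.com
    EOF
```

Security Best Practices

- Use fine-grained tokens when possible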
- Limit scope to only required repositories
- Set expiration on tokens
- Rotate regularly (especially after team changes)
- Use secrets in CI/CD (never hardcode)
- Audit access periodically
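
One way to audit the `~/.git-credentials` file that the setups above write, as an added example that is not part of the Copybara documentation: it checks the file mode, lists entries with tokens masked (so the file never has to be printed raw), and flags entries that share scheme, user and host, because git-credential-store returns the first match. The function names and the sample tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a git credential-store file without echoing secrets.

# redact_credentials FILE: print each entry with its password or token masked.
redact_credentials() {
  sed -E -e '/^[[:space:]]*$/d' \
    -e 's#^([a-z]+://[^:/@]*):[^@]*@#\1:***@#' "$1"
}

# shadowed_entries FILE: print lookup keys (scheme://user@host[/path]) that
# occur more than once. git-credential-store returns the first matching line,
# so a later entry with the same key is never used.
shadowed_entries() {
  sed -E -e '/^[[:space:]]*$/d' \
    -e 's#^([a-z]+://[^:/@]*):[^@]*@#\1@#' "$1" | sort | uniq -d
}

# audit_git_credentials FILE: print findings and the redacted entries;
# exit status is 0 only when nothing was flagged. Runs in a subshell.
audit_git_credentials() (
  file=$1; status=0
  # Characters 5-10 of `ls -l` are the group/other bits; all must be '-'.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "WARN: $file is accessible to group/other, expected mode 600"
    status=1
  fi
  dupes=$(shadowed_entries "$file")
  if [ -n "$dupes" ]; then
    echo "WARN: shadowed by an earlier entry with the same key: $dupes"
    status=1
  fi
  redact_credentials "$file"
  exit "$status"
)

# make_sample: write a constructed file (fake tokens) and print its path.
make_sample() {
  dir=$(mktemp -d)
  printf '%s\n' \
    'https://x-access-token:ghp_FAKEORIGIN@github.com' \
    'https://x-access-token:ghp_FAKEDEST@github.com' \
    'https://username:fake-http-password@gerrit.example.com' > "$dir/creds"
  chmod 644 "$dir/creds"
  echo "$dir/creds"
}

sample=$(make_sample)
audit_git_credentials "$sample" || echo "audit reported findings"
rm -rf "$(dirname "$sample")"
```

Run against a real file with `audit_git_credentials ~/.git-credentials`; a non-zero exit status can fail a CI step.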

Troubleshooting

“Authentication failed”

```bash
# Test credentials
git ls-remote https://github.com/org/repo

# Check configured credentials (prints tokens in cleartext)
cat ~/.git-credentials
```

“Permission denied”

- Verify token has required scopes
- Check repository access settings
- For fine-grained tokens, verify repository is selected

“Host key verification failed”

```bash
ssh-keyscan github.com >> ~/.ssh/known_hosts
```