Authentication
Copybara needs authentication to read from origins and write to destinations.
Authentication Methods
| Method | Use Case | Security |
|---|---|---|
| Personal Access Token (Classic) | Quick setup | Medium |
| Fine-Grained Token | Scoped access | High |
| SSH Key | Traditional Git auth | Medium |
| Deploy Key | Single repo write | High |
| GitHub App | Enterprise automation | High |
Personal Access Token (Classic)
- Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click “Generate new token (classic)”
- Select scopes:
  - `repo` (full repository access)
  - `workflow` (if modifying workflows)
- Generate and copy the token
See GitHub’s token documentation for details.
Configure Git to use your token via the credential helper:
```bash
# Enable credential storage (the store helper keeps credentials unencrypted in ~/.git-credentials)
git config --global credential.helper store

# Git will prompt for credentials on first use
# Username: x-access-token
# Password: <your-token>
```
In GitHub Actions, use the built-in GITHUB_TOKEN or configure credentials via environment:
```yaml
- name: Configure Git
  env:
    GH_TOKEN: ${{ secrets.PAT }}
  run: |
    # The helper expands ${GH_TOKEN} when Git runs it, so later steps that fetch or push also need GH_TOKEN in their env
    git config --global credential.helper '!f() { echo "username=x-access-token"; echo "password=${GH_TOKEN}"; }; f'
```
Fine-Grained Token (Recommended)
More secure than classic tokens with repository-scoped access:
- Go to GitHub Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Click “Generate new token”
- Set expiration
- Select repository access: “Only select repositories”
- Choose the destination repository
- Set permissions:
  - Contents: Read and write
  - Pull requests: Read and write
  - Metadata: Read
Same credential helper approach as classic tokens:
```bash
git config --global credential.helper store
# Git prompts for credentials on first authenticated operation
```
SSH Key
Traditional Git authentication using SSH:
- Generate SSH key:
  ```bash
  ssh-keygen -t ed25519 -C "copybara@example.com" -f ~/.ssh/copybara_key
  ```
- Add public key to GitHub:
  - Settings → SSH and GPG keys → New SSH key
  - Or repository Settings → Deploy keys (for single repo)
See GitHub’s SSH documentation for complete setup.
```bash
# Add key to SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/copybara_key

# Or specify key file directly
GIT_SSH_COMMAND="ssh -i ~/.ssh/copybara_key" java -jar copybara.jar ...
```
In GitHub Actions:
```yaml
- name: Configure SSH
  uses: webfactory/ssh-agent@v0.9.0
  with:
    ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
```
Use SSH URL in config:
```python
destination = git.destination(
    url = "git@github.com:org/repo.git",
    push = "main",
)
```
Deploy Key
SSH key scoped to a single repository:
- Generate SSH key:
  ```bash
  ssh-keygen -t ed25519 -C "copybara-deploy" -f ~/.ssh/deploy_key
  ```
- Add to repository:
  - Repository Settings → Deploy keys
  - Add deploy key (paste the `.pub` file contents)
  - Enable “Allow write access”
```yaml
- name: Configure Deploy Key
  uses: webfactory/ssh-agent@v0.9.0
  with:
    ssh-private-key: ${{ secrets.DEPLOY_KEY }}
```
GitHub App
Best for enterprise and multi-repo automation:
- Create GitHub App:
  - Organization Settings → Developer settings → GitHub Apps
  - New GitHub App
  - Set permissions:
    - Contents: Read and write
    - Pull requests: Read and write
    - Metadata: Read
  - Install on required repositories
- Note the App ID and generate a private key
See GitHub Apps documentation for complete setup.
```yaml
- name: Generate token
  id: app-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    repositories: destination-repo

- name: Configure Git
  env:
    GH_TOKEN: ${{ steps.app-token.outputs.token }}
  run: |
    # The helper expands ${GH_TOKEN} when Git runs it, so later steps that fetch or push also need GH_TOKEN in their env
    git config --global credential.helper '!f() { echo "username=x-access-token"; echo "password=${GH_TOKEN}"; }; f'
```
GitLab Authentication
For GitLab repositories, create a personal access token:
- Go to User Settings → Access Tokens
- Create token with scopes: `read_repository`, `write_repository`
- Use `oauth2` as username with your token as password
See GitLab token documentation.
Gerrit Authentication
For Gerrit destinations, generate an HTTP password:
- Go to Gerrit Settings → HTTP Credentials
- Generate new password
- Configure Git credential helper with your username and HTTP password
Security Best Practices
- Use fine-grained tokens when possible
- Limit scope to only required repositories
- Set expiration on tokens (30-90 days recommended)
- Rotate regularly (especially after team changes)
- Use CI/CD secrets - never commit credentials to repositories
- Audit access periodically via GitHub/GitLab audit logs
- Use GitHub Apps for production automation
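The GitHub Actions steps above register an inline credential helper globally, so it answers with the token for whichever host Git is asking about. As an added example (not part of the Copybara docs), the helper below releases the token only for HTTPS requests to one host; the script itself, `ALLOWED_HOST` and the install path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (hypothetical script, not from Copybara): a Git credential
# helper that releases GH_TOKEN only for HTTPS requests to one host.
# Git runs a helper as `<helper> get|store|erase` and writes key=value
# attributes (protocol, host, ...) to its stdin, ended by a blank line.
#
# Register it for a single host instead of as a global helper, e.g.:
#   git config --global credential.https://github.com.helper /path/to/this-script

ALLOWED_HOST="${ALLOWED_HOST:-github.com}"  # assumption: one destination host

copybara_credential_helper() {
  local action="${1:-}" protocol="" host="" key value

  # Parse the request attributes Git sends on stdin.
  while IFS='=' read -r key value; do
    [ -n "$key" ] || break
    case "$key" in
      protocol) protocol="$value" ;;
      host)     host="$value" ;;
    esac
  done

  # store/erase are no-ops: the token stays in the environment only.
  [ "$action" = "get" ] || return 0
  # Stay silent for plaintext transports and for any other host.
  [ "$protocol" = "https" ] || return 0
  [ "$host" = "$ALLOWED_HOST" ] || return 0
  # Without a token, print nothing and let Git report the auth failure.
  [ -n "${GH_TOKEN:-}" ] || return 0

  printf 'username=x-access-token\npassword=%s\n' "$GH_TOKEN"
}

# Act as a helper only when Git invokes the script with an action.
case "${1:-}" in
  get|store|erase) copybara_credential_helper "$1" ;;
esac
```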
Troubleshooting
“Authentication failed”
- Verify token hasn’t expired
- Check token has required scopes (`repo` for full access)
- Test with: `git ls-remote <repository-url>`
- For fine-grained tokens, verify the repository is selected
“Permission denied (publickey)”
- Verify SSH key is added to ssh-agent: `ssh-add -l`
- Test SSH connection: `ssh -T git@github.com`
- Check key is added to GitHub/GitLab
“Host key verification failed”
Add the host to known hosts:
```bash
# Compare the scanned keys with the host key fingerprints GitHub and GitLab publish
ssh-keyscan github.com >> ~/.ssh/known_hosts
ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
```
Token Scope Reference
| Operation | Required GitHub Scope |
|---|---|
| Read public repo | (none) |
| Read private repo | repo |
| Push to repo | repo |
| Create pull request | repo |
| Modify GitHub Actions | repo, workflow |