Summary
When the GitHub PAT stored in 1Password expires or is revoked, the gh shell plugin continues to inject it as GITHUB_TOKEN on every invocation. This causes all gh commands to fail with 401 Bad credentials — with no indication that 1Password is the source of the problem. Users can spend significant time debugging what looks like a gh config issue.
Reproduction
- Set up the GitHub shell plugin (alias gh='op plugin run -- gh')
- Let the GitHub PAT in the 1Password vault expire or revoke it on github.com
- Run any gh command:
$ gh api user
Bad credentials (HTTP 401)
- gh auth status (through the plugin) shows a confusing mixed state:
github.com
X Failed to log in to github.com using token (GITHUB_TOKEN)
- Active account: true
- The token in GITHUB_TOKEN is invalid.
✓ Logged in to github.com account <user> (keyring)
- Active account: false
- But GITHUB_TOKEN is not in the environment — the plugin injects it at runtime:
$ echo $GITHUB_TOKEN
(empty)
- Bypassing the plugin shows clean, working auth:
$ \gh auth status
github.com
✓ Logged in to github.com account <user> (keyring)
- Active account: true
Additional issue: deleting the vault item breaks op plugin clear
After identifying that the 1Password-stored PAT was the problem and deleting it from the vault, both gh (via plugin) and op plugin clear gh fail:
$ gh auth status
[ERROR] "na7q7..." isn't an item in the "c7rse..." vault. To no longer use this item, run 'op plugin clear gh'
$ op plugin clear gh
[ERROR] "na7q7..." isn't an item in the "c7rse..." vault.
The suggested fix (op plugin clear gh) fails with the same error, creating a dead end. The only recovery was manually deleting ~/.config/op/plugins/gh.json.
Expected behavior
- Don't inject invalid tokens. If the stored PAT is expired/revoked, either detect it or fall through to gh's native auth (keyring/config).
- Surface a clear error when the token is bad: e.g., "1Password GitHub token is expired, please update it in your vault."
- op plugin clear should work even when the referenced vault item has been deleted — it's a cleanup command, not a vault read.
Actual behavior
- The plugin silently injects the expired token as GITHUB_TOKEN
- gh prioritizes GITHUB_TOKEN over keyring auth, so all commands fail
- No feedback points to 1Password as the cause
- Deleting the vault item makes op plugin clear fail too
- Only manual deletion of ~/.config/op/plugins/gh.json recovers the state
Environment
- 1Password CLI: 2.x
- gh CLI: 2.x
- macOS
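
An added example, not part of the original issue or of either CLI: a shell function that reads gh auth status output and reports when the active, failing credential is a GITHUB_TOKEN the calling shell never exported, which is the state the reproduction above shows. The function name, result strings and sample text are constructed for illustration.

```shell
# Added example: classify `gh auth status` output read on stdin (hypothetical helper).
# $1 is "set" or "unset": whether GITHUB_TOKEN exists in the calling shell.
classify_gh_auth() {
  awk -v shell_token="$1" '
    # The credential source is the last parenthesised word, e.g. (keyring).
    function source_of(line) {
      sub(/^.*\(/, "", line); sub(/\).*$/, "", line)
      return line
    }
    # Each credential block opens with a "Failed to log in" or "Logged in" line.
    /Failed to log in to/  { n++; ok[n] = 0; src[n] = source_of($0); next }
    /Logged in to/         { n++; ok[n] = 1; src[n] = source_of($0); next }
    /Active account: true/ { if (n) active = n }
    END {
      # Remember a working credential that does not come from GITHUB_TOKEN.
      for (i = 1; i <= n; i++) { if (ok[i] && src[i] != "GITHUB_TOKEN") fallback = src[i] }
      if (!active)    { print "unknown"; exit }
      if (ok[active]) { print "ok:" src[active]; exit }
      # gh blames GITHUB_TOKEN but the shell never exported it: a wrapper supplied it.
      if (src[active] == "GITHUB_TOKEN" && shell_token == "unset") {
        print "injected-invalid-token" (fallback != "" ? ":fallback=" fallback : "")
        exit
      }
      print "invalid:" src[active]
    }'
}

# Constructed sample: status as seen through the plugin alias.
sample_via_plugin() {
  cat <<'EOF'
github.com
  X Failed to log in to github.com using token (GITHUB_TOKEN)
  - Active account: true
  - The token in GITHUB_TOKEN is invalid.
  ✓ Logged in to github.com account <user> (keyring)
  - Active account: false
EOF
}

# Constructed sample: status with the alias bypassed (\gh).
sample_bypassed() {
  cat <<'EOF'
github.com
  ✓ Logged in to github.com account <user> (keyring)
  - Active account: true
EOF
}
sample_via_plugin | classify_gh_auth unset   # injected-invalid-token:fallback=keyring
sample_bypassed   | classify_gh_auth unset   # ok:keyring
```

Against a live session, pipe gh auth status 2>&1 into the function and pass set or unset according to whether GITHUB_TOKEN is exported in that shell.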