docs(agents): gh-via-1Password patterns + launchctl host setup #7

Merged: arv merged 2 commits into main from arv/agents-1password-launchctl-docs, Jun 15, 2026

@arv arv commented Jun 15, 2026

Contributor

What

Documents how gh authentication actually works under agents v2.0.0 — the
setup turned out to be non-obvious in practice, so this captures it.

  • Re-applies the local-vs-headless split that didn't make it into feat(agents)!: authenticate gh via 1Password #6 (the
    squash merged just before that commit, so main's README still had the old
    single-pattern version):

    • Pattern A — local dev container (recommended): resolve the token on the
      host, forward GITHUB_TOKEN via remoteEnv, no ghTokenSecretRef. Leads
      with the key non-obvious fact: 1Password's desktop-app/Touch ID
      integration does not work inside a container, so op can't run there.
    • Pattern B — headless (Codespaces/CI): in-container op read via
      ghTokenSecretRef + a scoped service-account token.
  • Expands the host setup with launchctl coverage — the practical path for
    Dock/Spotlight launches and the no-checkout "Clone Repository in Container
    Volume" flow, where you never launch the editor from a terminal:

    • launchctl setenv GITHUB_TOKEN "$(op read '…')", with the caveats that you
      must relaunch the editor, it's cleared on logout/restart, and it's
      session-wide.
    • An optional collapsible LaunchAgent to re-apply it at login (with the
      caveat that op read only works non-interactively if 1Password can
      authorize without a prompt).
    • Keeps the terminal-launch option as the scoped alternative.
    • Documents the gotchas we actually hit: installing op without a package
      manager, and ~/.zshrc vs ~/.zsh_rc.
  • Makes the generic Usage example neutral (no ghTokenSecretRef baked in)
    and points it at the two patterns.

Docs only — no feature behavior change.


Generated by Claude Code

Re-applies the local-vs-headless split that didn't make it into #6, and
expands the host setup with launchctl coverage (the practical path for
Dock/Spotlight launches and the no-checkout Clone-in-Volume flow):

- Pattern A (local, recommended): resolve on host, forward GITHUB_TOKEN via
  remoteEnv. Documents the op-install/.zshrc/editor-launch gotchas.
- launchctl setenv for GUI launches, with relaunch / not-persistent /
  session-wide caveats and an optional login LaunchAgent.
- Pattern B (headless): in-container op read via ghTokenSecretRef + service
  account.
@github-actions github-actions Bot requested a review from aboodman June 15, 2026 09:02
Drop the two-pattern framing and the headless/service-account (Pattern B)
option; document just the local host-forward GITHUB_TOKEN approach.
@arv arv requested review from grgbkr and removed request for aboodman June 15, 2026 09:10
@arv arv merged commit cc48d2b into main Jun 15, 2026
6 checks passed
@arv arv deleted the arv/agents-1password-launchctl-docs branch June 15, 2026 09:12