# (token is requested on first run and stored in the encrypted vault)
111
109
ghscaff
112
110
113
111
# Or directly with a subcommand
@@ -118,10 +116,52 @@ ghscaff apply owner/repo
118
116
119
117
# Preview changes without API calls
120
118
ghscaff --dry-run
119
+
120
+
# Reconfigure credentials
121
+
ghscaff config
121
122
```
122
123
123
124
---
124
125
126
+
## Authentication
127
+
128
+
ghscaff resolves the GitHub token in this order:
129
+
130
+
1.**`GITHUB_TOKEN` env var** — for CI/CD and backward compatibility
131
+
2.**Encrypted vault** (`~/.ghscaff/vault.enc`) — for secure local usage
132
+
3.**Interactive prompt** — on first run, asks for the token and saves it to the vault
133
+
134
+
### Encrypted Vault
135
+
136
+
Tokens are encrypted with **XSalsa20-Poly1305** and a key derived from:
137
+
138
+
| Factor | Purpose |
139
+
|--------|---------|
140
+
| Username | Only your OS user can decrypt |
141
+
| Hostname | Copying the vault to another machine won't work |
142
+
| Binary path | Other programs can't derive the same key |
143
+
| Passphrase (optional) | Extra protection if desired |
144
+
145
+
The vault file (`~/.ghscaff/vault.enc`) has `0600` permissions and the directory has `0700`. Writes are atomic (temp file + rename) to prevent corruption.
146
+
147
+
### Reconfiguring
148
+
149
+
```bash
150
+
ghscaff config
151
+
```
152
+
153
+
This wipes the vault (with confirmation) and starts fresh — new token, optional passphrase. Template secrets will be requested on the next run.
154
+
155
+
### Required token scopes
156
+
157
+
-`repo` — Repository access
158
+
-`workflow` — GitHub Actions access
159
+
-`read:org` — (Optional) Organization and team access
160
+
161
+
**Note on team access:** If your token lacks the `read:org` scope, the wizard will skip the team selection step with a warning, but the rest of the repository setup will continue normally.
162
+
163
+
---
164
+
125
165
## Wizard Flow
126
166
127
167
The wizard guides you through **7 interactive steps**:
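Review bot: the key-derivation table overclaims what the factors protect against. Username, hostname and binary path are all readable by any process running as that user (hostname and install path by any local user), so without the optional passphrase none of them is a secret, and the rows `| Username | Only your OS user can decrypt |` and `| Binary path | Other programs can't derive the same key |` should be reworded to say that the vault's confidentiality then rests on the `0600`/`0700` permissions and that the passphrase is the only secret input. The section should also name the KDF and its parameters used to turn the passphrase into the XSalsa20-Poly1305 key, and the atomic-write sentence should state that the temp file is created with `0600` before the plaintext token is written to it, since the rename does not undo a moment of world-readability. Minor: `1.**`GITHUB_TOKEN` env var**` and `-`repo` — Repository access` lack the space after the list marker, so Markdown will not render them as lists.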
@@ -139,8 +179,8 @@ Then **automatically**:
139
179
- Commits all boilerplate files in a single atomic commit (`chore: init repository`)
140
180
- Applies branch protection to main (and develop if created)
141
181
- Adds selected teams with their assigned permissions
142
-
-Syncs labels, topics, and CI/CD workflows
143
-
- Configures required GitHub Actions secrets from `secrets.toml`
182
+
-Enforces standard labels (creates missing, updates changed, removes non-standard)
`ghscaff` reads the GitHub token exclusively from the `GITHUB_TOKEN` environment variable:
188
-
189
-
```bash
190
-
export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
191
-
ghscaff
192
-
```
193
-
194
-
**Required token scopes:**
195
-
-`repo` — Repository access
196
-
-`workflow` — GitHub Actions access
197
-
-`read:org` — (Optional, for team access feature) Organization and team access
198
-
199
-
If the token is missing or invalid, ghscaff fails immediately with a clear error message before prompting anything else.
200
-
201
-
**Note on team access:** If your token lacks the `read:org` scope, the wizard will skip the team selection step with a warning, but the rest of the repository setup will continue normally.
202
-
203
-
**Security note:** Never hardcode tokens. Use environment variables or secret managers.
204
-
205
-
---
206
-
207
225
## Boilerplate Templates
208
226
209
227
Each language template includes:
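Review bot: this hunk drops two guarantees from the old Authentication text with no counterpart in the new section: `If the token is missing or invalid, ghscaff fails immediately with a clear error message before prompting anything else.` and `**Security note:** Never hardcode tokens.` Now that the interactive prompt is the third resolution step, the README should say what happens with an invalid `GITHUB_TOKEN` or a stale vault entry (fail fast, or fall through to the prompt) and whether a non-interactive run with no token still exits with an error instead of blocking on stdin. The new automatic step `-Enforces standard labels (creates missing, updates changed, removes non-standard)` is also destructive when run against an existing repository via `ghscaff apply owner/repo`; state whether it asks for confirmation and whether `--dry-run` lists the labels that would be deleted.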
@@ -221,15 +239,16 @@ All files are merged into a single atomic `chore: init repository` commit.
221
239
222
240
## Standard Label Set
223
241
224
-
6 core labels are auto-created with every new repo:
242
+
7 labels are enforced on every repo. Non-standard labels are removed.
225
243
226
244
| Label | Color | Description |
227
245
|-------|-------|-------------|
228
246
|`bug`|`#d73a4a`| Something isn't working |
229
247
|`feature`|`#a2eeef`| New feature or request |
230
248
|`documentation`|`#0075ca`| Improvements to docs |
|`good first issue`|`#7057ff`| Good for newcomers |
250
+
|`target:main`|`#1d76db`| Targets the main branch |
251
+
|`target:develop`|`#0e8a16`| Targets the develop branch |
233
252
|`help wanted`|`#008672`| Extra attention needed |
234
253
235
254
---
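Review bot: the sentence `7 labels are enforced on every repo. Non-standard labels are removed.` should say that the removal applies to existing repositories as well as new ones and that deleting a label strips it from every issue and pull request carrying it, which re-creating the label does not undo; a one-line pointer to `--dry-run` for previewing the deletions would help. The count does match the table (seven rows: `bug`, `feature`, `documentation`, `good first issue`, `target:main`, `target:develop`, `help wanted`), but the new `target:*` rows are inserted between `good first issue` and `help wanted`; placing them after the core labels would keep the table readable.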
@@ -242,15 +261,18 @@ When enabled, applies to the default branch:
242
261
- ✅ Dismiss stale reviews
243
262
- ✅ Disallow force-push
244
263
245
-
--
264
+
---
246
265
247
266
### Secrets Configuration
248
267
249
-
If you're extending `ghscaff` with new templates or modifying the release workflow, you may need to set up GitHub Actions secrets for your development fork:
268
+
Templates can declare required secrets in `secrets.toml`. ghscaff resolves them in order:
269
+
270
+
1.**Encrypted vault** — previously saved secrets
271
+
2.**Environment variable** — e.g. `CARGO_REGISTRY_TOKEN`
272
+
3.**Interactive prompt** — with option to save to vault for future use
250
273
251
-
-**`CARGO_REGISTRY_TOKEN`** — Required for publishing Rust crates to crates.io
252
-
- Get your token from [crates.io/me](https://crates.io/me)
253
-
- Add it as a repository secret in GitHub (`Settings > Secrets and variables > Actions`)
274
+
For the Rust template:
275
+
-**`CARGO_REGISTRY_TOKEN`** — Required for publishing to crates.io ([get one here](https://crates.io/me))
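Review bot: the secret resolution order `1.**Encrypted vault**`, `2.**Environment variable**`, `3.**Interactive prompt**` is the reverse of the token order in the Authentication section (env var first, then vault), so a `CARGO_REGISTRY_TOKEN` saved in the vault silently wins over one set in the environment, and rotating a secret from CI or a shell is impossible without running `ghscaff config` and wiping the whole vault. Either align both lists (env var first) or document why they differ. The removed lines also told the reader to add the secret under `Settings > Secrets and variables > Actions`; the new text should say explicitly that ghscaff now pushes the resolved value to the repository's Actions secrets itself, so readers do not assume the local vault replaces the GitHub-side secret.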