[BUG]: tokenFromGHCLI fails to resolve token for GHEC (.ghe.com) hosts — causes silent fallback to unauthenticated client #3188

@clawster

Description

Expected Behavior

When gh auth login --hostname my-enterprise.ghe.com has been completed and no explicit [token] is set in the provider config, the provider should resolve the token from the gh CLI and make authenticated API requests.

Actual Behavior

The provider passes api.my-enterprise.ghe.com (with api. prefix) to gh auth token --hostname, which doesn't match how gh stores GHEC credentials (my-enterprise.ghe.com). The lookup fails silently, the provider falls back to an unauthenticated client, and all API calls return:

Debug logs confirm unauthenticated requests (X-Ratelimit-Limit=60 instead of 5,000+).

Terraform Version

OpenTofu v1.11.4
on linux_amd64

  • provider registry.opentofu.org/integrations/github v6.11.1

Affected Resource(s)

All resources and data sources — the issue is in provider-level authentication, not resource-specific logic.

Reproduced with:
github_repository

Terraform Configuration Files

provider "github" {
  owner    = "my-org"
  base_url = "https://api.my-enterprise.ghe.com/"
  # no token set — relying on gh CLI fallback
}

resource "github_repository" "repos" {
  for_each = toset(["my-repo"])
  name     = each.key
}

Steps to Reproduce

Authenticate with gh:

gh auth login --hostname my-enterprise.ghe.com
  1. Configure the provider with a GHEC base_url and no explicit [token]
  2. Run terraform plan or tofu plan
  3. All API calls fail with 401 Must authenticate to access this API.

Debug Output

Panic Output

Code of Conduct

  • I agree to follow this project's Code of Conduct
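
One way to derive the hostname for gh auth token --hostname from base_url and to fail closed when the lookup returns nothing, as an added Go example that is not the provider's own code. The names ghCLIHostname, resolveToken and the injected lookup function are hypothetical, and the credential store in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ghCLIHostname maps a provider base_url to the hostname the gh CLI stores
// credentials under. Hypothetical helper, not the provider's own function.
func ghCLIHostname(baseURL string) (string, error) {
	u, err := url.Parse(baseURL)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("invalid base_url %q", baseURL)
	}
	host := strings.ToLower(u.Hostname())
	switch {
	case host == "api.github.com":
		return "github.com", nil
	case strings.HasPrefix(host, "api.") && strings.HasSuffix(host, ".ghe.com"):
		// GHEC: API is served from api.<tenant>.ghe.com, gh stores <tenant>.ghe.com.
		return strings.TrimPrefix(host, "api."), nil
	}
	return host, nil // assumption: any other host is stored under its own name
}

var errNoToken = errors.New("no gh CLI token for host")

// resolveToken fails closed: a failed lookup is an error, never an anonymous
// client. lookup stands in for running `gh auth token --hostname <host>`.
func resolveToken(baseURL string, lookup func(string) (string, error)) (string, error) {
	host, err := ghCLIHostname(baseURL)
	if err != nil {
		return "", err
	}
	tok, err := lookup(host)
	if err != nil || tok == "" {
		return "", fmt.Errorf("%w %q", errNoToken, host)
	}
	return tok, nil
}

func main() {
	// Constructed credential store keyed the way the issue says gh stores GHEC hosts.
	store := func(h string) (string, error) {
		return map[string]string{"my-enterprise.ghe.com": "constructed-token"}[h], nil
	}
	fmt.Println(resolveToken("https://api.my-enterprise.ghe.com/", store))
}
```

Returning an error when no token is found surfaces the misconfiguration at provider setup instead of as 401 responses from every resource.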

Labels: Type: Bug (Something isn't working as documented)