github jdx/fnox v1.24.0
v1.24.0: GitHub OAuth lease backend

6 hours ago

A focused release that adds a new github-oauth lease backend for minting short-lived, user-attributed GitHub tokens via OAuth device flow — without distributing an app private key.

Added

github-oauth lease backend (#464) -- @jdx

A new lease type that creates GitHub App user access tokens using the OAuth device flow and injects them as GITHUB_TOKEN (or a custom env var) for the duration of fnox exec. It is the recommended option for local development and user-attributed gh / GitHub API usage where you want a short-lived token tied to the signed-in user instead of a long-lived PAT in fnox.toml.

[leases.github]
type = "github-oauth"
client_id = "Iv1.yourgithubappclientid"
scope = "repo read:org workflow"
duration = "8h"

fnox exec -- gh pr list

On first run, fnox prints a verification URL and user code, optionally opens the URL in your browser, and polls GitHub until you approve the device prompt. Subsequent runs reuse the cached token until it expires.
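The polling step described above, as an added example that is not fnox's own code: a client-side loop for the device flow that handles the `authorization_pending`, `slow_down`, `expired_token` and `access_denied` replies GitHub documents for this flow. The type and function names are hypothetical, the server replies and token value are constructed, and the sleep function is injected so the loop runs offline (a real caller would pass `std::thread::sleep`).

```rust
use std::time::Duration;

// One reply to a token poll, named after GitHub's device-flow error codes.
#[allow(dead_code)]
#[derive(Debug, PartialEq)]
enum Poll {
    Token(String),        // user approved, access token issued
    AuthorizationPending, // user has not entered the code yet
    SlowDown,             // polling too fast, back off
    ExpiredToken,         // device code expired
    AccessDenied,         // user rejected the prompt
}

#[derive(Debug, PartialEq)]
enum Outcome {
    Granted { token: String, waited: Duration },
    Restart,  // device code expired: start a fresh device flow
    Denied,   // do not retry automatically
    TimedOut, // local deadline reached before any terminal reply
}

// Hypothetical helper: poll until a terminal reply or until `expires_in` elapses.
fn poll_device_flow(
    mut interval: Duration,
    expires_in: Duration,
    mut poll: impl FnMut() -> Poll,
    mut sleep: impl FnMut(Duration),
) -> Outcome {
    let mut waited = Duration::ZERO;
    while waited + interval <= expires_in {
        sleep(interval); // always wait first: never poll faster than `interval`
        waited += interval;
        match poll() {
            Poll::Token(token) => return Outcome::Granted { token, waited },
            Poll::AuthorizationPending => {}
            // RFC 8628: add 5 seconds for this and all later requests.
            Poll::SlowDown => interval += Duration::from_secs(5),
            Poll::ExpiredToken => return Outcome::Restart,
            Poll::AccessDenied => return Outcome::Denied,
        }
    }
    Outcome::TimedOut
}

fn main() {
    // Constructed reply sequence; interval and expiry values are sample inputs.
    let mut replies = vec![Poll::AuthorizationPending, Poll::SlowDown,
        Poll::AuthorizationPending, Poll::Token("EXAMPLE_TOKEN".into())].into_iter();
    let out = poll_device_flow(Duration::from_secs(5), Duration::from_secs(900),
        || replies.next().unwrap_or(Poll::ExpiredToken), |_| {});
    println!("{:?}", out);
}
```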

Highlights of the backend:

  • Only the GitHub App client ID is required — no app private key and no client secret, so the lease config can be checked in and shared across a team. (The existing github-app backend remains the right choice for installation tokens in CI.)
  • OS keyring caching of access and refresh tokens, keyed by client id + scope + endpoints. Disable with keyring_cache = false to force the device flow on every lease.
  • Refresh token reuse when GitHub issues one — refreshes happen transparently; if the refresh fails, fnox falls back to a fresh device flow.
  • Configurable env var via env_var (e.g. "GH_TOKEN") and configurable auth_base / api_base for GitHub Enterprise Server.
  • open_browser controls whether fnox tries to launch the verification URL automatically (uses open / xdg-open / start).

The supported-backends table in the leases guide is updated, and the github-app docs now point local/user-attributed workflows at github-oauth. See the GitHub OAuth lease docs for the full reference.

Full Changelog: v1.23.1...v1.24.0

💚 Sponsor fnox

fnox is maintained by @jdx under en.dev — a small independent studio building developer tooling like mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.

If fnox is handling secrets or config for you or your team, please consider sponsoring at en.dev. Sponsorships are what let fnox stay independent and the project keep moving.
