github · lpcox · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/.changeset/patch-fix-configure-gh-for-ghe-gh-token.md b/.changeset/patch-fix-configure-gh-for-ghe-gh-token.md
diff --git a/actions/setup/sh/configure_gh_for_ghe.sh b/actions/setup/sh/configure_gh_for_ghe.sh
@@ -76,40 +76,24 @@ main() {
     exit 1
   fi
 
-  # Check if GH_TOKEN is set
-  if [ -z "${GH_TOKEN}" ]; then
-    echo "::error::GH_TOKEN environment variable is not set. gh CLI requires authentication."
-    exit 1
-  fi
-
-  # Configure gh to use the enterprise host
-  # We use 'gh auth login' with the token to configure the host
-  echo "Authenticating gh CLI with host: ${github_host}"
-
-  # Use gh auth login with --with-token to configure the host
-  # This sets up gh to use the correct API endpoint for the enterprise host
-  echo "${GH_TOKEN}" | gh auth login --hostname "${github_host}" --with-token
-
-  if [ $? -eq 0 ]; then
-    echo "✓ Successfully configured gh CLI for ${github_host}"
-
-    # Verify the configuration
-    if gh auth status --hostname "${github_host}" &> /dev/null; then
-      echo "✓ Verified gh CLI authentication for ${github_host}"
-    else
-      echo "::warning::gh CLI configured but authentication verification failed"
+  # When GH_TOKEN is already set in the environment, running 'gh auth login' would fail with:
+  #   "The value of the GH_TOKEN environment variable is being used for authentication.
+  #    To have GitHub CLI store credentials instead, first clear the value from the environment."
+  # In this case, gh CLI will already authenticate via GH_TOKEN. This script still requires gh
+  # to be installed (checked above); here we only need to set GH_HOST so gh knows which host
+  # to target.
+  if [ -n "${GH_TOKEN}" ]; then
+    echo "GH_TOKEN is set — skipping gh auth login and exporting GH_HOST (gh CLI must already be installed)"
+    export GH_HOST="${github_host}"
+    if [ -n "${GITHUB_ENV:-}" ]; then
+      echo "GH_HOST=${github_host}" >> "${GITHUB_ENV}"
     fi
-  else
-    echo "::error::Failed to configure gh CLI for ${github_host}"
-    exit 1
+    echo "✓ Set GH_HOST=${github_host}"
+    return 0
   fi
 
-  # Set GH_HOST environment variable to ensure gh uses the correct host for subsequent commands
-  export GH_HOST="${github_host}"
-  if [ -n "${GITHUB_ENV:-}" ]; then
-    echo "GH_HOST=${github_host}" >> "${GITHUB_ENV}"
-  fi
-  echo "✓ Set GH_HOST environment variable to ${github_host}"
+  echo "::error::GH_TOKEN environment variable is not set. gh CLI requires authentication."
+  exit 1
 }
 
 # Run main function

diff --git a/actions/setup/sh/configure_gh_for_ghe_test.sh b/actions/setup/sh/configure_gh_for_ghe_test.sh
@@ -39,10 +39,12 @@ fi
 # Test 3: Test host detection from GITHUB_SERVER_URL
 echo ""
 echo "Test 3: Testing host detection from GITHUB_SERVER_URL..."
-export GITHUB_SERVER_URL="https://myorg.ghe.com"
-export GH_TOKEN="test-token"
-# Use the real detect_github_host implementation from configure_gh_for_ghe.sh
-output=$(bash -c "source '${CONFIGURE_GH_SCRIPT}'; detect_github_host" 2>&1)
+# Source with no GHE vars (so main is a no-op), then call detect_github_host directly.
+unset GITHUB_SERVER_URL GITHUB_ENTERPRISE_HOST GITHUB_HOST GH_HOST GH_TOKEN
+output=$(bash -c "
+  source '${CONFIGURE_GH_SCRIPT}' >/dev/null 2>&1
+  GITHUB_SERVER_URL='https://myorg.ghe.com' detect_github_host
+" 2>/dev/null)
 if [ "$output" = "myorg.ghe.com" ]; then
   echo "PASS: Correctly extracted host from GITHUB_SERVER_URL"
 else
@@ -53,10 +55,11 @@ fi
 # Test 4: Test host detection from GITHUB_ENTERPRISE_HOST
 echo ""
 echo "Test 4: Testing host detection from GITHUB_ENTERPRISE_HOST..."
-unset GITHUB_SERVER_URL
-export GITHUB_ENTERPRISE_HOST="enterprise.github.com"
-# Use the real detect_github_host implementation from configure_gh_for_ghe.sh
-output=$(bash -c "source '${CONFIGURE_GH_SCRIPT}'; detect_github_host" 2>&1)
+unset GITHUB_SERVER_URL GITHUB_ENTERPRISE_HOST GITHUB_HOST GH_HOST GH_TOKEN
+output=$(bash -c "
+  source '${CONFIGURE_GH_SCRIPT}' >/dev/null 2>&1
+  GITHUB_ENTERPRISE_HOST='enterprise.github.com' detect_github_host
+" 2>/dev/null)
 if [ "$output" = "enterprise.github.com" ]; then
   echo "PASS: Correctly extracted host from GITHUB_ENTERPRISE_HOST"
 else
@@ -99,6 +102,83 @@ for input in "${!test_cases[@]}"; do
   fi
 done
 
+# Test 6: GHE host + GH_TOKEN set — must skip gh auth login and only export GH_HOST
+echo ""
+echo "Test 6: Testing GHE host with GH_TOKEN set (should skip gh auth login)..."
+unset GITHUB_SERVER_URL GITHUB_ENTERPRISE_HOST GITHUB_HOST GH_HOST
+export GITHUB_SERVER_URL="https://myorg.ghe.com"
+export GH_TOKEN="test-token"
+
+# Stub a fake gh binary so configure_gh_for_ghe.sh can find it via command -v gh
+FAKE_GH_DIR=$(mktemp -d)
+FAKE_GH="${FAKE_GH_DIR}/gh"
+cat > "${FAKE_GH}" << 'EOF'
+#!/usr/bin/env bash
+exit 0
+EOF
+chmod +x "${FAKE_GH}"
+export PATH="${FAKE_GH_DIR}:${PATH}"
+
+FAKE_GITHUB_ENV=$(mktemp)
+output=$(bash -c "
+  GITHUB_ENV='${FAKE_GITHUB_ENV}' \
+  GITHUB_SERVER_URL='https://myorg.ghe.com' \
+  GH_TOKEN='test-token' \
+  source '${CONFIGURE_GH_SCRIPT}'
+" 2>&1)
+exit_code=$?
+
+if [ $exit_code -ne 0 ]; then
+  echo "FAIL: Script exited with code $exit_code"
+  echo "Output: $output"
+  rm -f "${FAKE_GITHUB_ENV}"
+  rm -rf "${FAKE_GH_DIR}"
+  exit 1
+fi
+
+if ! echo "$output" | grep -q "GH_TOKEN is set"; then
+  echo "FAIL: Expected 'GH_TOKEN is set' message. Output: $output"
+  rm -f "${FAKE_GITHUB_ENV}"
+  rm -rf "${FAKE_GH_DIR}"
+  exit 1
+fi
+
+if ! grep -q "GH_HOST=myorg.ghe.com" "${FAKE_GITHUB_ENV}"; then
+  echo "FAIL: GH_HOST=myorg.ghe.com was not written to GITHUB_ENV"
+  cat "${FAKE_GITHUB_ENV}"
+  rm -f "${FAKE_GITHUB_ENV}"
+  rm -rf "${FAKE_GH_DIR}"
+  exit 1
+fi
+rm -f "${FAKE_GITHUB_ENV}"
+echo "PASS: Skipped gh auth login and exported GH_HOST when GH_TOKEN is set"
+
+# Test 7: GHE host without GH_TOKEN set — must error
+echo ""
+echo "Test 7: Testing GHE host without GH_TOKEN set (should error)..."
+unset GITHUB_SERVER_URL GITHUB_ENTERPRISE_HOST GITHUB_HOST GH_HOST GH_TOKEN
+exit_code=0
+output=$(bash -c "
+  GITHUB_SERVER_URL='https://myorg.ghe.com' \
+  source '${CONFIGURE_GH_SCRIPT}'
+" 2>&1) || exit_code=$?
+
+if [ $exit_code -eq 0 ]; then
+  echo "FAIL: Script should have failed but exited with 0"
+  rm -rf "${FAKE_GH_DIR}"
+  exit 1
+fi
+
+if ! echo "$output" | grep -q "GH_TOKEN environment variable is not set"; then
+  echo "FAIL: Expected 'GH_TOKEN environment variable is not set' error. Output: $output"
+  rm -rf "${FAKE_GH_DIR}"
+  exit 1
+fi
+echo "PASS: Correctly errors when GH_TOKEN is not set for GHE host"
+
+# Clean up fake gh directory
+rm -rf "${FAKE_GH_DIR}"
+
 echo ""
 echo "================================"
 echo "All tests passed!"