Summary
When the GitHub PAT stored in 1Password expires or is revoked, the gh shell plugin continues to inject it as GITHUB_TOKEN on every invocation. This causes all gh commands to fail with 401 Bad credentials — with no indication that 1Password is the source of the problem. Users can spend significant time debugging what looks like a gh config issue.
Reproduction
- Set up the GitHub shell plugin (alias gh='op plugin run -- gh')
- Let the GitHub PAT in the 1Password vault expire or revoke it on github.com
- Run any gh command:
$ gh api user
Bad credentials (HTTP 401)
- gh auth status (through the plugin) shows a confusing mixed state:
github.com
X Failed to log in to github.com using token (GITHUB_TOKEN)
- Active account: true
- The token in GITHUB_TOKEN is invalid.
✓ Logged in to github.com account <user> (keyring)
- Active account: false
- But GITHUB_TOKEN is not in the environment — the plugin injects it at runtime:
$ echo $GITHUB_TOKEN
(empty)
- Bypassing the plugin shows clean, working auth:
$ \gh auth status
github.com
✓ Logged in to github.com account <user> (keyring)
- Active account: true
Additional issue: deleting the vault item breaks op plugin clear
After identifying that the 1Password-stored PAT was the problem and deleting it from the vault, both gh (via plugin) and op plugin clear gh fail:
$ gh auth status
[ERROR] "na7q7..." isn't an item in the "c7rse..." vault. To no longer use this item, run 'op plugin clear gh'
$ op plugin clear gh
[ERROR] "na7q7..." isn't an item in the "c7rse..." vault.
The suggested fix (op plugin clear gh) fails with the same error, creating a dead end. The only recovery was manually deleting ~/.config/op/plugins/gh.json.
Expected behavior
- Don't inject invalid tokens. If the stored PAT is expired/revoked, either detect it or fall through to gh's native auth (keyring/config).
- Surface a clear error when the token is bad: e.g., "1Password GitHub token is expired, please update it in your vault."
- op plugin clear should work even when the referenced vault item has been deleted — it's a cleanup command, not a vault read.
Actual behavior
- The plugin silently injects the expired token as GITHUB_TOKEN
- gh prioritizes GITHUB_TOKEN over keyring auth, so all commands fail
- No feedback points to 1Password as the cause
- Deleting the vault item makes op plugin clear fail too
- Only manual deletion of ~/.config/op/plugins/gh.json recovers the state
Environment
- 1Password CLI: 2.x
- gh CLI: 2.x
- macOS
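Added example, not part of the original report and not 1Password or gh code: a shell check that reads `gh auth status` text and separates the state described above (a rejected GITHUB_TOKEN that the shell itself never set, so a wrapper injected it) from a bad token exported in the shell. The function name `classify_gh_auth`, the verdict words and the sample inputs are assumptions constructed for illustration.

```shell
# classify_gh_auth SHELL_TOKEN   (reads `gh auth status` text on stdin)
# SHELL_TOKEN is the value of $GITHUB_TOKEN as seen by the interactive shell.
# Prints one verdict word (hypothetical labels):
#   injected-bad-token  gh rejected a GITHUB_TOKEN the shell never set, so a
#                       wrapper (alias, plugin) supplied it at runtime
#   env-bad-token       gh rejected the GITHUB_TOKEN exported in the shell
#   ok                  a login works and no env token was rejected
#   no-auth             nothing usable was reported
classify_gh_auth() {
    shell_token=$1
    text=$(cat)
    bad_env=no
    logged_in=no
    # gh names the credential source in parentheses at the end of the line.
    if printf '%s\n' "$text" | grep -q 'Failed to log in.*(GITHUB_TOKEN)'; then
        bad_env=yes
    fi
    if printf '%s\n' "$text" | grep -q 'Logged in to .*('; then
        logged_in=yes
    fi
    if [ "$bad_env" = yes ] && [ -z "$shell_token" ]; then
        echo injected-bad-token
    elif [ "$bad_env" = yes ]; then
        echo env-bad-token
    elif [ "$logged_in" = yes ]; then
        echo ok
    else
        echo no-auth
    fi
}

# Constructed sample inputs, modelled on the output quoted in this report.
SAMPLE_VIA_PLUGIN='github.com
X Failed to log in to github.com using token (GITHUB_TOKEN)
- Active account: true
- The token in GITHUB_TOKEN is invalid.
✓ Logged in to github.com account <user> (keyring)
- Active account: false'
SAMPLE_DIRECT='github.com
✓ Logged in to github.com account <user> (keyring)
- Active account: true'

# Demo on the constructed samples, with an empty shell GITHUB_TOKEN.
demo() {
    printf 'via plugin: %s\n' "$(printf '%s\n' "$SAMPLE_VIA_PLUGIN" | classify_gh_auth '')"
    printf 'direct:     %s\n' "$(printf '%s\n' "$SAMPLE_DIRECT" | classify_gh_auth '')"
}
demo
```

With the function sourced into the interactive shell where the alias is active, `gh auth status 2>&1 | classify_gh_auth "${GITHUB_TOKEN-}"` applies the same check to live output; a verdict of `injected-bad-token` points at whatever wraps gh rather than at gh's own config.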