Bugfix: tokenFromGHCLI not stripping api. from ghe.com hosts. Resolves #3188 (#3190)

clawster · web-flow · commit 1af72d441526 · 2026-02-23T16:52:26.000Z
* fix: resolve gh CLI token lookup for GHEC (.ghe.com) hosts tokenFromGHCLI only mapped api.github.com → github.com before calling `gh auth token --hostname`. For GHEC hosts (api.<slug>.ghe.com), the api. prefix was not stripped, causing the CLI lookup to fail silently and the provider to fall back to an unauthenticated client (401 errors). Strip the api. prefix for GHEC hosts using the existing GHECAPIHostMatch regex so the hostname matches how `gh` stores credentials. Fixes #3188 * Add test cases * Code updates according to PR feedback - move hostname modification to separate function for easier testing - test omdified to only test ghCLIHostFromAPIHost() without OS specific scripts - line ending fixed
diff --git a/github/provider.go b/github/provider.go
@@ -497,17 +497,27 @@ func providerConfigure(p *schema.Provider) schema.ConfigureContextFunc {
 	}
 }
 
+// ghCLIHostFromAPIHost maps an API hostname to the corresponding
+// gh-CLI --hostname value.  For example api.github.com -> github.com
+// and api.<slug>.ghe.com -> <slug>.ghe.com.
+// for unrecognized hostnames, input is returned unmodified.
+func ghCLIHostFromAPIHost(host string) string {
+	if host == DotComAPIHost {
+		return DotComHost
+	} else if GHECAPIHostMatch.MatchString(host) {
+		return strings.TrimPrefix(host, "api.")
+	}
+	return host
+}
+
 // See https://github.com/integrations/terraform-provider-github/issues/1822
 func tokenFromGHCLI(u *url.URL) string {
 	ghCliPath := os.Getenv("GH_PATH")
 	if ghCliPath == "" {
 		ghCliPath = "gh"
 	}
 
-	host := u.Host
-	if host == DotComAPIHost {
-		host = DotComHost
-	}
+	host := ghCLIHostFromAPIHost(u.Host)
 
 	out, err := exec.Command(ghCliPath, "auth", "token", "--hostname", host).Output()
 	if err != nil {
diff --git a/github/provider_test.go b/github/provider_test.go
@@ -259,3 +259,46 @@ data "github_ip_ranges" "test" {}
 		})
 	})
 }
+
+func Test_ghCLIHostFromAPIHost(t *testing.T) {
+	testCases := []struct {
+		name         string
+		host         string
+		expectedHost string
+	}{
+		{
+			name:         "dotcom API host is mapped to dotcom host",
+			host:         "api.github.com",
+			expectedHost: "github.com",
+		},
+		{
+			name:         "ghec API host has api. prefix stripped",
+			host:         "api.my-enterprise.ghe.com",
+			expectedHost: "my-enterprise.ghe.com",
+		},
+		{
+			name:         "ghec API host with numbers has api. prefix stripped",
+			host:         "api.customer-123.ghe.com",
+			expectedHost: "customer-123.ghe.com",
+		},
+		{
+			name:         "ghes host is passed through unchanged",
+			host:         "github.example.com",
+			expectedHost: "github.example.com",
+		},
+		{
+			name:         "ghes host with port is passed through unchanged",
+			host:         "github.example.com:8443",
+			expectedHost: "github.example.com:8443",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := ghCLIHostFromAPIHost(tc.host)
+			if got != tc.expectedHost {
+				t.Errorf("ghCLIHostFromAPIHost(%q) = %q, want %q", tc.host, got, tc.expectedHost)
+			}
+		})
+	}
+}
