Chore/gh config rw (#18)

laurenceputra · web-flow · commit 895220b6aa47 · 2026-02-11T08:22:01.000+08:00
* feat: mount gh config with --gh flag

* chore: bump version to 1.1.7
diff --git a/.codex_yolo.sh b/.codex_yolo.sh
@@ -304,6 +304,12 @@ if [[ "${MOUNT_GH}" == "1" ]]; then
   if [[ -d "${HOME}/.copilot" ]]; then
     docker_args+=("-v" "${HOME}/.copilot:${CONTAINER_HOME}/.copilot")
     log_info "Warning: ${HOME}/.copilot is now mounted inside the container."
+    if [[ -d "${HOME}/.config/gh" ]]; then
+      docker_args+=("-v" "${HOME}/.config/gh:${CONTAINER_HOME}/.config/gh")
+      log_info "Warning: ${HOME}/.config/gh is now mounted inside the container."
+    else
+      log_info "Warning: ${HOME}/.config/gh does not exist on the host; gh auth state may be unavailable inside the container."
+    fi
     log_info "This enables gh workflows and GitHub Copilot-related host context access."
   else
     log_error "--gh enabled but ${HOME}/.copilot does not exist or is not a directory."
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -101,6 +101,8 @@ Prerequisites:
 - Host is already authenticated (`gh auth login`)
 - Host `~/.copilot` directory exists
 
+When enabled, `~/.copilot` is mounted and `~/.config/gh` is also mounted if it exists on the host.
+
 ### Dry Run
 Preview Docker commands without executing:
 ```bash
diff --git a/README.md b/README.md
@@ -122,6 +122,7 @@ are shared between runs.
 For security reasons, `codex_yolo` **does not** mount by default:
 - `~/.ssh` - SSH keys are not available inside the container by default
 - `~/.copilot` - GitHub Copilot/GitHub CLI related state is not available unless explicitly enabled
+- `~/.config/gh` - GitHub CLI host auth config is not available unless explicitly enabled
 - SSH agent forwarding is disabled
 - No other host directories are mounted by default
 
@@ -156,6 +157,7 @@ Requirements for `--gh`:
 - `~/.copilot` must exist on the host.
 
 When enabled, `~/.copilot` is mounted into the container at `~/.copilot`.
+If present on the host, `~/.config/gh` is also mounted into the container at `~/.config/gh`.
 
 ## Troubleshooting
 
@@ -202,7 +204,7 @@ Available options:
 - `--pull` flag to force a pull when running `./.codex_yolo.sh`
 - `--verbose` or `-v` flag to enable verbose output
 - `--mount-ssh` flag to enable SSH key mounting for git push access; see security warning above
-- `--gh` flag to mount host `~/.copilot` after validating host `gh` auth
+- `--gh` flag to mount host `~/.copilot` and host `~/.config/gh` (if present) after validating host `gh` auth
 - Each run checks npm for the latest `@openai/codex` version (unless skipped)
   and rebuilds the image if it is out of date.
 - Each run checks for codex_yolo script updates (unless skipped with `CODEX_SKIP_UPDATE_CHECK=1`)
@@ -224,7 +226,7 @@ Add these lines to your `.bashrc` or `.zshrc` for persistent completion.
 
 ## Security note
 
-`codex_yolo` deliberately limits what gets mounted from the host. See the "What gets mounted from the host" section above for details. By default, your SSH agent is not forwarded and `~/.ssh`/`~/.copilot` are not mounted, keeping the blast radius smaller when running in `--yolo` mode. This comes at the cost of private repo access from inside the container unless you explicitly enable SSH mounting with `--mount-ssh` and GitHub Copilot state mounting with `--gh`.
+`codex_yolo` deliberately limits what gets mounted from the host. See the "What gets mounted from the host" section above for details. By default, your SSH agent is not forwarded and `~/.ssh`/`~/.copilot`/`~/.config/gh` are not mounted, keeping the blast radius smaller when running in `--yolo` mode. This comes at the cost of private repo access from inside the container unless you explicitly enable SSH mounting with `--mount-ssh` and GitHub Copilot/GitHub CLI state mounting with `--gh`.
 
 The container enables passwordless `sudo` for the mapped user to allow system installs. Use with care; `sudo` writes into `/workspace` are cleaned up via a chown on exit, but they still run as root inside the container.
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1.6
+1.1.7
diff --git a/tests/integration_tests.sh b/tests/integration_tests.sh
@@ -354,7 +354,7 @@ if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
   }
   trap cleanup_test_20 EXIT
 
-  mkdir -p "${test_home}/.copilot" "${test_home}/.codex"
+  mkdir -p "${test_home}/.copilot" "${test_home}/.codex" "${test_home}/.config/gh"
   cat > "${fake_bin}/gh" <<'TESTEOF'
 #!/usr/bin/env bash
 if [[ "${1:-}" == "auth" ]] && [[ "${2:-}" == "status" ]]; then
@@ -374,11 +374,11 @@ TESTEOF
   cleanup_test_20
   trap - EXIT
 
-  if echo "${output}" | grep -q "\.copilot" && echo "${output}" | grep -q "Dry run"; then
-    log_pass "--gh flag mounts ~/.copilot in dry run output"
+  if echo "${output}" | grep -q "\.copilot" && echo "${output}" | grep -q "\.config/gh" && echo "${output}" | grep -q "Dry run"; then
+    log_pass "--gh flag mounts ~/.copilot and ~/.config/gh in dry run output"
   else
-    log_fail "--gh flag did not mount ~/.copilot as expected"
-    log_info "Output snippet: $(echo "${output}" | grep -i copilot | head -5)"
+    log_fail "--gh flag did not mount ~/.copilot and ~/.config/gh as expected"
+    log_info "Output snippet: $(echo "${output}" | grep -E -i 'copilot|config/gh' | head -5)"
   fi
 else
   log_skip "Docker not available, skipping --gh flag test"
