1Password Cli github alias causes automatic prompt for PAT (Personal Access Token)

Technophobe01
Technophobe01
Community Member
in CLI

I am using 1Password and the CLI with Github to manage SSH and project secrets across a project (N+ people). Everything works really well, though I encountered a problem with the gh plugin integration and wanted to understand the thinking behind the alias gh="op plugin run -- g Why? I would prefer not to create an anti-pattern and delete the alias across N machines. I am happy to get pointers on any documentation and be an alpha/beta tester.

1Password CLI Version: 2.30.3

Situation:

We're using 1Password Cli with GitHub to auto-setup SSH for each user. The keys are generated and then stored in 1Password alongside the secrets centrally. We then have each user login via the CLI and use the 1Password integration to pull and use the SSH keys and populate the secrets on the user's machine.

Result:
SSH is set for the user, and no secrets are kept on the machine.

Problem
The problem encountered is that 1Password sets up an alias for secret access alias gh="op plugin run -- g, we use SSH to access GitHub, and retrieve individual keys op read "$secret_path"

The alias is set in /Users/$USER/.config/op1 in the file plugins.sh

export OP_PLUGIN_ALIASES_SOURCED=1
alias gh="op plugin run -- gh"

Currently, with the alias set, a user will see:

gh repo clone github repo
# prompt to signin to 1password
? Locate your GitHub Personal Access Token:  [Use arrows to move, type to filter, ? for more help]
/> Import into 1Password...
  Search in 1Password..

As opposed to (Expected outcome)

gh repo clone target repo                                                               
Cloning into 'target repo'...
remote: Enumerating objects: XXXX, done.
remote: Counting objects: 100% (X/X), done.
remote: Compressing objects: 100% (X/X), done.
remote: Total XXXX (delta XX), reused XX (delta X), pack-reused 0 (from 0)
Receiving objects: 100% (X/X), X | X /s, done.
Resolving deltas: 100% (X/X), done.

Feedback:
So, there are a couple of things here:

  1. We're not using PAT's [Currently], so the alias gh="op plugin run -- g breaks GitHub functionality. Does a workaround exist, and are there any documentation pointers, etc.?

What am I doing wrong?

  1. Creating PATs (Personal Access tokens) in the 1Password application feels like it needs a template; the same is true of security tokens, etc. My sense is that in the 1Password application proper, there is an opportunity to expand beyond just the entries SSH Key and API Credential to include specific entries, such as "Github PAT."

Any pointers or recommendations are gratefully received. I should add I love the direction you are going in - it feels powerful.

Stay safe and well.

1Password Version: 8.10.56
Extension Version: 8.10.56.28
OS Version: Mac OS X 15.2 (24C101)
Browser: Chrome 131.0.6778.140 (Official Build) (arm64)