fix(github): raise credential_command priority above github_tokens.toml and gh CLI #8748

Merged: jdx merged 3 commits into main from fix/github-credential-command-priority, Mar 24, 2026
@jdx
Owner

@jdx jdx commented Mar 24, 2026

Summary

  • Moves credential_command from priority 5 (last resort, tied with git credential fill) to priority 3 (after env vars, before file-based sources)
  • credential_command is an explicit user configuration, so it should take precedence over passive file-based sources like github_tokens.toml and gh CLI's hosts.yml
  • git credential fill remains as the lowest-priority fallback (priority 6) and is no longer blocked when credential_command is set but returns no token

New priority order:

| # | Source |
| - | ------ |
| 1 | MISE_GITHUB_ENTERPRISE_TOKEN env var (non-github.com only) |
| 2 | MISE_GITHUB_TOKEN / GITHUB_API_TOKEN / GITHUB_TOKEN env vars |
| 3 | credential_command (if set) |
| 4 | github_tokens.toml (per-host) |
| 5 | gh CLI token (from hosts.yml) |
| 6 | git credential fill (if enabled) |

Test plan

  • E2E tests pass locally (mise run test:e2e test_github_token)
  • Added tests verifying credential_command beats both gh CLI and github_tokens.toml
  • CI passes

🤖 Generated with Claude Code


Note

Medium Risk
Changes GitHub authentication token resolution order, which can alter which credentials are sent to GitHub/GHE and affect rate limits or access in CI/dev environments. Scope is small and covered by updated e2e tests, but impacts a cross-cutting auth path.

Overview
Updates GitHub token resolution to check credential_command before github_tokens.toml and gh CLI hosts.yml, making the explicit user-configured command take precedence over file-based sources.

Refreshes docs to reflect the new priority order for both github.com and GitHub Enterprise, and extends the test_github_token e2e coverage to assert credential_command wins over gh CLI and github_tokens.toml.

Written by Cursor Bugbot for commit 74570de. This will update automatically on new commits. Configure here.

…ml and gh CLI

credential_command is an explicit user configuration, so it should take
precedence over passive file-based sources like github_tokens.toml and
gh CLI's hosts.yml.

New priority order:
1. MISE_GITHUB_ENTERPRISE_TOKEN (non-github.com only)
2. MISE_GITHUB_TOKEN / GITHUB_API_TOKEN / GITHUB_TOKEN
3. credential_command
4. github_tokens.toml
5. gh CLI (hosts.yml)
6. git credential fill

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request reconfigures the GitHub token resolution mechanism within mise to prioritize explicitly defined credential_command settings over passively discovered file-based tokens. This change enhances user control and predictability by ensuring that custom credential commands are honored earlier in the token lookup process, providing a more robust and intuitive experience for managing GitHub authentication.

Highlights

  • Credential Command Priority: The credential_command configuration now takes higher precedence (priority 3) in GitHub token resolution, moving it above file-based sources like github_tokens.toml and gh CLI tokens.
  • Documentation Updates: The documentation for GitHub token priority in docs/dev-tools/github-tokens.md has been updated to reflect the new order for both github.com and GitHub Enterprise hosts.
  • Git Credential Fallback: git credential fill is now consistently the lowest priority (priority 6) and is no longer blocked if credential_command is set but returns no token.
  • New E2E Tests: New end-to-end tests were added to verify that credential_command correctly overrides github_tokens.toml and gh CLI tokens.

@greptile-apps
Contributor

greptile-apps bot commented Mar 24, 2026

Greptile Summary

This PR promotes credential_command from the lowest-priority fallback (position 5, tied with git credential fill) to an explicit mid-tier priority (position 3), sitting after environment variables but before the file-based sources (github_tokens.toml and gh CLI's hosts.yml). The motivation is sound: an explicit user-configured command should outrank passive, file-based token sources.

Key changes:

  • src/github.rs: credential_command block moved from priority 5 to priority 3 in resolve_token; the old guard that blocked git credential fill when credential_command returned nothing is removed, letting the fallback chain continue naturally.
  • e2e/cli/test_github_token: New tests 8b (credential_command beats github_tokens.toml) and renaming/renumbering of existing tests; test state (file creation/cleanup) is managed correctly across the sequence.
  • docs/dev-tools/github-tokens.md: Priority tables for github.com and GHE updated to reflect the new 7-step and 6-step orders; inline prose corrected to match.

Confidence Score: 5/5

  • Safe to merge — the change is targeted, logically correct, and covered by updated e2e tests.
  • The core logic change is a simple reordering of two independent code blocks with no shared state. The fallthrough behaviour for an empty credential_command result is intentional and documented in the PR description. Tests were added specifically for the new priority assertions, existing tests pass, and the documentation is consistent with the implementation.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
| -------- | -------- |
| src/github.rs | Priority reordering of credential_command from position 5 to position 3 — logic is clean and the removal of the git credential fill block (when credential_command returns nothing) is intentional and correctly implemented. |
| e2e/cli/test_github_token | New tests 8b–8e verify credential_command beats gh CLI and github_tokens.toml; test numbering updated throughout; state management (file creation/cleanup) is correct across the sequence. |
| docs/dev-tools/github-tokens.md | Documentation accurately reflects the new 7-step priority table for github.com and 6-step table for GHE; prose updated to note credential_command runs before file-based sources. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[resolve_token called] --> B{MISE_GITHUB_ENTERPRISE_TOKEN set\nand non-github.com host?}
    B -- Yes --> Z1[Return EnvVar token]
    B -- No --> C{MISE_GITHUB_TOKEN /\nGITHUB_API_TOKEN /\nGITHUB_TOKEN set?}
    C -- Yes --> Z2[Return EnvVar token]
    C -- No --> D{credential_command\nconfigured?}
    D -- Yes, returns token --> Z3[Return CredentialCommand token ✅ NEW PRIORITY]
    D -- Yes, returns nothing --> E
    D -- No --> E{github_tokens.toml\nhas entry for host?}
    E -- Yes --> Z4[Return TokensFile token]
    E -- No --> F{gh CLI hosts.yml\nhas entry for host?}
    F -- Yes --> Z5[Return GhCli token]
    F -- No --> G{use_git_credentials\nenabled?}
    G -- Yes --> Z6[Return GitCredential token]
    G -- No --> Z7[Return None]

    style Z3 fill:#d4edda,stroke:#28a745
    style D fill:#fff3cd,stroke:#ffc107

Reviews (3): Last reviewed commit: "[autofix.ci] apply automated fixes (atte..." | Re-trigger Greptile
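
The reordering discussed in this pull request, as an added example that is not code from the PR or from mise: a small Rust model of the lookup chain before and after the change, showing the two cases in which a different credential ends up being selected. The type and function names and the token strings are hypothetical, the env-var sources are collapsed into one field, and the pre-change order is modelled from the PR description.

```rust
// Added example: a model of the lookup order, not mise's src/github.rs.
// All names are hypothetical and the token strings are constructed samples.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Source { EnvVar, CredentialCommand, TokensFile, GhCli, GitCredential }

#[derive(Default, Clone, Copy)]
struct Inputs {
    env: Option<&'static str>,            // any of the env-var sources
    command_set: bool,                    // credential_command is configured
    command_out: Option<&'static str>,    // token the command returned, if any
    tokens_file: Option<&'static str>,    // github_tokens.toml entry for the host
    gh_cli: Option<&'static str>,         // gh CLI hosts.yml entry for the host
    git_credential: Option<&'static str>, // git credential fill; None if disabled
}
type Hit = Option<(&'static str, Source)>;

fn from_command(i: &Inputs) -> Hit {
    if !i.command_set { return None; }
    i.command_out.map(|t| (t, Source::CredentialCommand))
}
fn from_git(i: &Inputs) -> Hit { i.git_credential.map(|t| (t, Source::GitCredential)) }

// After this PR: env, credential_command, tokens file, gh CLI, git credential fill.
fn resolve_new(i: &Inputs) -> Hit {
    i.env.map(|t| (t, Source::EnvVar))
        .or_else(|| from_command(i))
        .or_else(|| i.tokens_file.map(|t| (t, Source::TokensFile)))
        .or_else(|| i.gh_cli.map(|t| (t, Source::GhCli)))
        .or_else(|| from_git(i))
}

// Before this PR, as the description states it: credential_command came last,
// and a configured command that returned nothing blocked git credential fill.
fn resolve_old(i: &Inputs) -> Hit {
    i.env.map(|t| (t, Source::EnvVar))
        .or_else(|| i.tokens_file.map(|t| (t, Source::TokensFile)))
        .or_else(|| i.gh_cli.map(|t| (t, Source::GhCli)))
        .or_else(|| from_command(i))
        .or_else(|| if i.command_set { None } else { from_git(i) })
}

fn main() {
    let shadowed = Inputs { command_set: true, command_out: Some("cmd-token"),
        tokens_file: Some("file-token"), ..Default::default() };
    let silent = Inputs { command_set: true, git_credential: Some("git-token"),
        ..Default::default() };
    for (name, i) in [("command vs tokens file", shadowed), ("command returns nothing", silent)] {
        println!("{}: old={:?} new={:?}", name, resolve_old(&i), resolve_new(&i));
    }
}
```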

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request reorders the priority of GitHub token resolution, specifically elevating credential_command to be checked before file-based sources like github_tokens.toml and gh CLI tokens. The documentation and e2e tests have been updated to reflect this new priority. Feedback includes suggestions to improve the consistency of the github.com token priority table in the documentation and to make a code block in src/github.rs more concise.

Comment on lines +11 to +19
| Priority | Source |
| -------- | ---------------------------------- |
| 1 | `MISE_GITHUB_TOKEN` env var |
| 2 | `GITHUB_API_TOKEN` env var |
| 3 | `GITHUB_TOKEN` env var |
| 4 | `credential_command` (if set) |
| 5 | `github_tokens.toml` (per-host) |
| 6 | gh CLI token (from `hosts.yml`) |
| 7 | `git credential fill` (if enabled) |
medium

For consistency with the GitHub Enterprise hosts table and the code comments in src/github.rs, consider grouping the environment variables for github.com into a single priority. This would make the documentation easier to follow and more consistent across different sections.

Suggested change
| Priority | Source |
| -------- | ---------------------------------- |
| 1 | `MISE_GITHUB_TOKEN` env var |
| 2 | `GITHUB_API_TOKEN` env var |
| 3 | `GITHUB_TOKEN` env var |
| 4 | `credential_command` (if set) |
| 5 | `github_tokens.toml` (per-host) |
| 6 | gh CLI token (from `hosts.yml`) |
| 7 | `git credential fill` (if enabled) |
| Priority | Source |
| -------- | ------------------------------------------------------------------ |
| 1 | `MISE_GITHUB_TOKEN` / `GITHUB_API_TOKEN` / `GITHUB_TOKEN` env vars |
| 2 | `credential_command` (if set) |
| 3 | `github_tokens.toml` (per-host) |
| 4 | gh CLI token (from `hosts.yml`) |
| 5 | `git credential fill` (if enabled) |

Comment on lines +376 to +381
let credential_command = &settings.github.credential_command;
if !credential_command.is_empty() {
if let Some(token) = get_credential_command_token(credential_command, lookup_host) {
return Some((token, TokenSource::CredentialCommand));
}
}
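Review bot: the inner `if let Some(token) = get_credential_command_token(credential_command, lookup_host)` has no else arm, so a configured credential_command that yields no token falls through to the lower-priority sources without any signal. Because the command is an explicit user choice, a token from github_tokens.toml, gh CLI or git credential fill can then be sent to the host without the user noticing that their command failed. Consider logging at debug or warn level when the command is set but returns None, naming lookup_host, so the fallback is visible when auditing which credential was used.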
medium

This block can be made more concise by removing the intermediate credential_command variable.

Suggested change
let credential_command = &settings.github.credential_command;
if !credential_command.is_empty() {
if let Some(token) = get_credential_command_token(credential_command, lookup_host) {
return Some((token, TokenSource::CredentialCommand));
}
}
if !settings.github.credential_command.is_empty() {
if let Some(token) =
get_credential_command_token(&settings.github.credential_command, lookup_host)
{
return Some((token, TokenSource::CredentialCommand));
}
}

@jdx jdx enabled auto-merge (squash) March 24, 2026 22:57
@jdx jdx merged commit 43f17c1 into main Mar 24, 2026
35 checks passed
@jdx jdx deleted the fix/github-credential-command-priority branch March 24, 2026 23:10
@github-actions

Hyperfine Performance

mise x -- echo

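| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| ------- | --------- | -------- | -------- | -------- |
| mise-2026.3.14 x -- echo | 18.9 ± 0.6 | 17.4 | 21.3 | 1.00 |
| mise x -- echo | 19.0 ± 0.5 | 17.9 | 25.0 | 1.01 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| ------- | --------- | -------- | -------- | -------- |
| mise-2026.3.14 env | 18.8 ± 0.8 | 17.5 | 28.3 | 1.01 ± 0.05 |
| mise env | 18.7 ± 0.5 | 17.1 | 20.6 | 1.00 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| ------- | --------- | -------- | -------- | -------- |
| mise-2026.3.14 hook-env | 19.0 ± 0.6 | 17.9 | 24.7 | 1.00 |
| mise hook-env | 19.2 ± 0.6 | 17.8 | 27.6 | 1.01 ± 0.04 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| ------- | --------- | -------- | -------- | -------- |
| mise-2026.3.14 ls | 19.5 ± 0.6 | 18.3 | 22.8 | 1.00 |
| mise ls | 19.7 ± 0.5 | 18.5 | 22.2 | 1.01 ± 0.04 |

xtasks/test/perf

| Command | mise-2026.3.14 | mise | Variance |
| ------- | -------------- | ---- | -------- |
| install (cached) | 119ms | 119ms | +0% |
| ls (cached) | 70ms | 69ms | +1% |
| bin-paths (cached) | 70ms | 69ms | +1% |
| task-ls (cached) | 719ms | 713ms | +0% |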

mise-en-dev added a commit that referenced this pull request Mar 25, 2026
### 🚀 Features

- **(github)** add `credential_command` setting for custom token
retrieval by @jdx in [#8746](#8746)

### 🐛 Bug Fixes

- **(github)** raise credential_command priority above
github_tokens.toml and gh CLI by @jdx in
[#8748](#8748)