GitHub¶
URL Formats¶
| Format | Example |
|---|---|
| SSH | git@github.com:owner/repo.git |
| HTTPS | https://github.com/owner/repo.git |
Authentication¶
Personal Access Token (PAT)¶
The default authentication method:
Your token needs the repo scope to create PRs in target repositories.
GitHub App (Recommended for Enterprise)¶
For organizations that prefer GitHub Apps over PATs, see GitHub App Authentication for:
- Verified commits (signed by GitHub)
- Fine-grained permissions
- Better audit trails
GitHub Enterprise Server¶
xfg supports GitHub Enterprise Server (GHE) instances in addition to github.com.
GHE URL Formats¶
| Format | Example |
|---|---|
| SSH | git@github.mycompany.com:owner/repo.git |
| HTTPS | https://github.mycompany.com/owner/repo.git |
Configuration¶
To use GHE repositories, add the hostname(s) to the githubHosts array in your config:
githubHosts:
- github.mycompany.com
- ghe.internal.net
files:
config.json:
content:
key: value
repos:
- git: git@github.mycompany.com:owner/repo.git
- git: https://ghe.internal.net/org/project.git
GHE Authentication¶
Authenticate with each GHE instance using the --hostname flag:
Mixed Environments¶
You can use github.com and GHE repositories in the same config file:
githubHosts:
- github.mycompany.com
files:
shared-config.json:
content:
version: "1.0"
repos:
# github.com (no config needed)
- git: git@github.com:myorg/public-repo.git
# GitHub Enterprise
- git: git@github.mycompany.com:myorg/private-repo.git
Required Permissions¶
Your token needs the repo scope to create PRs in target repositories.
Auto-Merge¶
GitHub's auto-merge feature requires it to be enabled in the repository settings.
Check if enabled:
Enable it:
If auto-merge is not enabled, xfg will warn and leave the PR open for manual review.
PR Creation¶
xfg uses the gh CLI to:
- Create the PR with
gh pr create - Enable auto-merge with
gh pr merge --auto(if configured) - Force merge with
gh pr merge --admin(ifmerge: force)
Direct Push Mode¶
With merge: direct, xfg skips PR creation entirely and pushes directly to the default branch:
This is useful for repos without branch protection or when PR review isn't required. If the branch is protected, the push will fail with a helpful error suggesting to use merge: force instead.
When to use direct vs force:
direct: Repo has no branch protection, or you want to skip PR workflow entirelyforce: Repo has branch protection, but you have admin privileges to bypass it (creates a PR and merges with--admin)
GitHub Rulesets¶
The xfg settings command manages GitHub Rulesets declaratively. See GitHub Rulesets for full documentation.
settings:
rulesets:
main-protection:
target: branch
enforcement: active
conditions:
refName:
include: [refs/heads/main]
rules:
- type: pull_request
parameters:
requiredApprovingReviewCount: 1
Required Permissions for Rulesets¶
Managing rulesets requires admin access to the repository. Your token needs:
- PAT:
admin:reposcope - GitHub App: "Administration" permission set to "Read and write"
Rulesets vs Branch Protection¶
GitHub Rulesets are the modern replacement for branch protection rules. They offer:
- Pattern-based conditions (apply to multiple branches)
- Multiple rules per ruleset
- Bypass actors with fine-grained control
- Evaluate mode for testing
- Advanced rules (code scanning, workflows, file restrictions)
xfg uses the Rulesets API exclusively. If you need legacy branch protection rules, you'll need to manage those separately.