The Problem with Git Credentials

Here's the dirty secret of every developer's git workflow: the credentials are wrong. Not syntactically wrong — they work fine. Wrong in the security sense. Too broad, too long-lived, too powerful.

GitHub introduced fine-grained personal access tokens in 2022 specifically to fix this. Instead of a classic PAT that can read and write every repo you own until 2087, you can now create a token that's scoped to a single repository, expires in a few days, and only has the permissions it needs. This is genuinely good security design.

Nobody uses them.

The reason is friction. Creating a fine-grained PAT through the GitHub UI takes 10+ clicks across multiple dropdowns, search boxes, radio buttons, and a confirmation page. You need to name the token, set an expiry, choose "Only select repositories," search for and select your repo, expand the permissions accordion, find "Contents" in a wall of 30+ permission categories, set it to "Read and write," then click Generate and confirm. By the time you're done, you've spent two minutes on what should be a zero-thought operation.

So developers take the shortcut: generate a classic token with repo scope that expires in 90 days (or never), paste it into their ~/.gitconfig or credential manager, and forget about it. That token can read and write every repository they own. If it leaks — and tokens leak all the time, in dotfiles, in CI logs, in screenshots — everything is exposed.
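Since leaked tokens in dotfiles and CI logs are the failure mode this post is built around, here is an added example (not part of PushGit or this post) of the defender's side: a small scanner that finds GitHub token-shaped strings in text and labels each by the kind of credential it is, because a leaked classic PAT and a leaked fine-grained PAT are very different incidents. The prefixes follow GitHub's documented token formats; the exact body lengths are treated as an assumption, so the patterns only require a plausible minimum, and the sample input is constructed.

```javascript
// Added example, not PushGit's code: find GitHub token-shaped strings in text
// (dotfiles, CI logs, shell history) and label each by credential kind so an
// incident responder can see the blast radius at a glance.
// Prefixes follow GitHub's documented token formats; exact body lengths are
// treated as an assumption, so the patterns only require a plausible minimum.
const TOKEN_PATTERNS = [
  {
    kind: 'fine-grained PAT',
    re: /\bgithub_pat_[A-Za-z0-9_]{40,}\b/g,
    risk: 'bounded: only the repos and permissions selected at creation',
  },
  {
    kind: 'classic PAT',
    re: /\bghp_[A-Za-z0-9]{20,}\b/g,
    risk: 'account-wide: every repo the owner can reach, often no expiry',
  },
  {
    kind: 'OAuth access token',
    re: /\bgho_[A-Za-z0-9]{20,}\b/g,
    risk: 'acts as the user for whatever scopes the OAuth app was granted',
  },
];

// Never log a full secret while triaging: keep just enough to identify it.
function redact(token) {
  return token.slice(0, 8) + '...' + token.slice(-4);
}

function scanForTokens(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { kind, re, risk } of TOKEN_PATTERNS) {
      re.lastIndex = 0; // global regexes keep state between calls
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ line: idx + 1, kind, risk, token: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input: a stored credential, a CI log line that echoed the
// push URL, and an environment line with no real token. Token bodies are fake.
const SAMPLE_INPUT = [
  '[credential "https://github.com"]',
  '  helper = store',
  'https://x-access-token:ghp_' + 'A'.repeat(36) + '@github.com',
  '2024-05-01T10:00:00Z git push https://github_pat_' + 'B'.repeat(22) + '_' + 'C'.repeat(59) + '@github.com/acme/my-project',
  'export GITHUB_TOKEN=set-at-runtime',
].join('\n');

for (const f of scanForTokens(SAMPLE_INPUT)) {
  console.log(`line ${f.line}: ${f.kind} ${f.token} -> ${f.risk}`);
}
```

Run it over a CI log or a home directory's dotfiles and the classic-PAT hits are the ones to rotate first; a fine-grained hit still needs revoking, but its reach is limited to what was selected when it was created.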

PushGit is the fix. One click, and you have a token scoped to a single repo that expires in days. The secure option becomes the easy option.

How It Works

PushGit is a Chrome extension. When you click the icon, you get a small popup:

  1. Repo detection — if you're on a GitHub repo page, PushGit auto-detects owner/repo from the URL. Otherwise, type it in.
  2. Expiry — pick 1, 7, 30, or 90 days. Defaults to 7. Short is the point.
  3. Click "Open GitHub → Create Token" — PushGit opens GitHub's fine-grained token page and takes over.

What happens next is fully automated. The extension's content script runs on the GitHub token creation page and fills in every field:

The token appears on screen. Copy it, paste it into your terminal, push your code. Done. The token will be dead in a few days. If it leaks, the blast radius is one repo for a short window.

The Shotgun Credential Philosophy

The mental model behind PushGit is what I call a "shotgun credential" — a token you create for a specific task, use for minutes, and let expire. You don't store it. You don't put it in a credential manager. You don't even need to revoke it; it dies on its own.

This is how credentials should work. The traditional model — create a powerful token once, store it forever, reuse it everywhere — exists because creating credentials was painful. PushGit removes the pain, so you can afford to create credentials that are disposable by design.

Need to push to my-project? Create a token. Push. The token expires tomorrow. Next week, need to push again? Create another one. Each credential is a single-use shell casing. No accumulation of long-lived secrets. No credential sprawl. No "I should probably rotate that token I created six months ago" guilt.

What PushGit Doesn't Do

PushGit never touches your token. This is a critical design choice. The extension fills in the form on GitHub's own page and clicks the buttons. The token is generated by GitHub, displayed by GitHub, and copied by you from GitHub's page. PushGit has no token storage, no clipboard access, no network requests to anywhere except github.com.

The extension doesn't need a backend, an account, or any server infrastructure. It's a content script that automates a web form. The source is fully auditable — it's a few hundred lines of JavaScript.

Technical Details

Under the hood, PushGit is a Chrome Manifest v3 extension with three moving parts:

The hardest part was handling GitHub's repo picker, which is a dynamically-loaded dialog with search-as-you-type behavior. The content script types the repo name character by character, waits for search results to appear, clicks the correct result, then waits for the dialog to close before proceeding. Timing is handled with a combination of MutationObserver callbacks and fallback polling — GitHub's SPA architecture means elements appear and disappear unpredictably.

The confirmation page was the other challenge. GitHub shows a confirmation step after you click "Generate token," and the button on the confirmation page has the exact same text. The content script detects the page transition and clicks through again, polling for the final github_pat_ token string to appear on screen before showing a success banner.
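To make the timing strategy of the two paragraphs above concrete, here is an added example (not PushGit's own code) of the primitives such a content script needs: a wait helper that combines a MutationObserver with fallback polling and a hard timeout, a character-by-character typer for a search-as-you-type field, and a generate-then-confirm loop that stops as soon as a github_pat_ string is on screen. The selectors, the dialog structure and the "Generate token" label are assumptions about GitHub's page, not a verified description of its markup.

```javascript
// Added example, not PushGit's own code: the two primitives a content script
// needs against a search-as-you-type picker and a same-text confirmation
// button. Selectors and the 'Generate token' label below are assumptions
// about GitHub's page, not a verified description of its markup.

// Resolve with predicate()'s first truthy result. A MutationObserver re-checks
// on every DOM change when one exists; a polling timer is kept as a fallback
// for changes an observer can miss. Rejects on timeout so a stuck automation
// fails loudly instead of hanging in the background tab.
function waitFor(predicate, { timeoutMs = 10000, pollMs = 250, root = null } = {}) {
  return new Promise((resolve, reject) => {
    let observer = null;
    let timer = null;
    let deadline = null;
    const settle = (fn, value) => {
      if (observer) observer.disconnect();
      clearInterval(timer);
      clearTimeout(deadline);
      fn(value);
    };
    const check = () => {
      let value;
      try { value = predicate(); } catch (_) { return; } // transient DOM state
      if (value) settle(resolve, value);
    };
    const target = root || (typeof document !== 'undefined' ? document.body : null);
    if (typeof MutationObserver !== 'undefined' && target) {
      observer = new MutationObserver(check);
      observer.observe(target, { childList: true, subtree: true, attributes: true, characterData: true });
    }
    timer = setInterval(check, pollMs);
    deadline = setTimeout(
      () => settle(reject, new Error(`waitFor: timed out after ${timeoutMs} ms`)), timeoutMs);
    check();
  });
}

// Type one character at a time so the picker's search runs per keystroke.
// Frameworks that track the native value setter ignore plain assignment, so
// the prototype setter is used when it exists.
async function typeInto(input, text, perCharMs = 40) {
  const setter = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(input), 'value')?.set;
  for (const ch of text) {
    const next = input.value + ch;
    if (setter) setter.call(input, next); else input.value = next;
    input.dispatchEvent(new Event('input', { bubbles: true }));
    await new Promise(r => setTimeout(r, perCharMs));
  }
}

const byText = (selector, label) =>
  [...document.querySelectorAll(selector)].find(el => el.textContent.trim() === label);

// Assumed picker flow: a search input inside a dialog, an option list, and a
// dialog that closes once an option is picked.
async function selectRepo(repoFullName) {
  const search = await waitFor(() => document.querySelector('[role="dialog"] input[type="search"]'));
  await typeInto(search, repoFullName);
  const option = await waitFor(() => byText('[role="dialog"] [role="option"]', repoFullName));
  option.click();
  await waitFor(() => !document.querySelector('[role="dialog"]'));
}

// Generate, then the confirmation page shows a button with the same label:
// click again only if no token has appeared yet, and stop as soon as it has.
async function generateAndReadToken() {
  const TOKEN_RE = /\bgithub_pat_[A-Za-z0-9_]+\b/;
  const tokenOnScreen = () => (document.body.innerText.match(TOKEN_RE) || [null])[0];
  for (let step = 0; step < 2 && !tokenOnScreen(); step++) {
    const button = await waitFor(() => byText('button', 'Generate token'));
    button.click();
    // proceed once this exact button is gone (page transitioned) or the token shows
    await waitFor(() => tokenOnScreen() || !document.contains(button));
  }
  return waitFor(tokenOnScreen, { timeoutMs: 30000, pollMs: 500 });
}
```

The timeout matters more than it looks: a content script that waits forever on a selector that GitHub renamed would sit silently in the tab, while a rejection surfaces as a visible failure the user can act on. The confirm loop is bounded to two clicks on purpose, so a layout change cannot turn it into a click storm.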

Permissions

The extension requests three permissions:

Permission     Why
storage        Remember the last repo you used
tabs           Open the GitHub token page
github.com/*   Detect current repo + auto-fill the token form

No clipboardWrite. No webRequest. No wildcard host permissions. The extension can only interact with GitHub pages. This is by design — a credential management tool with broad permissions would be its own security risk.
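As an added example (not PushGit's own manifest), the following script encodes the rule of this section as an audit: it compares a constructed minimal manifest with a hypothetical over-privileged variant and flags clipboard, request-interception and all-hosts grants, which is the check a reviewer would run before installing any extension that touches a credential form.

```javascript
// Added example, not PushGit's own manifest: a small audit that flags the
// permission surface the post says a credential tool must avoid (clipboard,
// request interception, wildcard hosts). Both manifests are constructed.
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: 'PushGit-like extension (constructed)',
  permissions: ['storage', 'tabs'],
  host_permissions: ['https://github.com/*'],
  content_scripts: [{ matches: ['https://github.com/*'], js: ['content.js'] }],
};

const OVERBROAD_MANIFEST = {
  manifest_version: 3,
  name: 'Hypothetical over-privileged variant',
  permissions: ['storage', 'tabs', 'clipboardWrite', 'webRequest', 'cookies'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};

// Capabilities that let an extension reach credentials beyond the form it is
// meant to fill. Each entry is the reason a reviewer would ask for justification.
const SENSITIVE_PERMISSIONS = {
  clipboardWrite: 'can replace what the user pastes, e.g. swap a token',
  clipboardRead: 'can read whatever the user last copied',
  webRequest: 'can observe requests to permitted hosts, headers included',
  cookies: 'can read session cookies for permitted hosts',
  scripting: 'can inject code into permitted hosts at runtime',
};

// Match patterns that cover every origin rather than one host.
function isAllHosts(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push({ where: 'permissions', value: p, why: SENSITIVE_PERMISSIONS[p] });
    }
  }
  // host_permissions and content-script match patterns both decide where the
  // extension's code can run, so both are checked.
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  for (const h of hostPatterns) {
    if (isAllHosts(h)) {
      findings.push({ where: 'host', value: h, why: 'runs on every site, not just github.com' });
    }
  }
  return findings;
}

for (const [label, m] of [['minimal', MINIMAL_MANIFEST], ['over-broad', OVERBROAD_MANIFEST]]) {
  const f = auditManifest(m);
  console.log(`${label}: ${f.length} finding(s)`);
  for (const x of f) console.log(`  ${x.where} ${x.value}: ${x.why}`);
}
```

The minimal manifest produces no findings; the variant produces five. Point the same function at the manifest.json of any extension you are about to load from source and the output is the list of questions to ask before it gets near a token page.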

Get It

PushGit is open source and available now:

Chrome Web Store listing is coming soon. In the meantime, loading from source takes thirty seconds and gives you the latest version.

Stop reusing that classic PAT from 2024. Shotgun your credentials.
