Restrict push access to GitHub public repository

Hi!

I’m quite a beginner to version controlling and also to GitHub. So, if it’s an easy question, or this has already been asked and I just failed to find it, please provide me the link to the official documentation.

I created my personal account on GitHub, and a few public repositories on GitHub. Then I uploaded some files, and even made a few changes to them and committed, all via GUI. There was no problem so far.

Then, I cloned my repository on my office laptop. I made some changes and committed. Then I was able to push those changes to my remote master branch directly, and I was not asked to authenticate, not even once.

Just to be explicit, GitHub recognises that it’s not been done by me. In commit history, I can see my old commits made via GUI are marked as verified, and the new commits are not. They are associated with that user name (different from my GitHub user name) which was configured in my global git configurations on my office laptop, but I do not find any reference to the user email (again different from the email address associated with my GitHub account), which was also configured globally.

Is this supposed to happen? Does anyone have write access to all the public repositories? I never changed any of the default settings, so I thought by default it should accept changes to be pushed if it’s only by me. Is that a wrong and/or unjustifiable assumption?

Thanks.

Is it possible that you used the office laptop with your GitHub account before, and still have credentials available? E.g. if you used SSH and the key is registered on your account you wouldn’t be asked to authenticate again, same if you have a valid token (or password) cached on the laptop. Being able to push without authentication is definitely not expected.

That’s not an issue, there are many scenarios where you’re expected to push commits not made by you, e.g. if you merge commits made by someone else locally and then push the merged branch to your repository.

I do not think so. Still, to be sure, I checked ~/.gitconfig and ~/.ssh/known_hosts. As far as I can tell, the SSH one contained info regarding office work only, and the global configurations just have my name and official email address.

I created a new public repository, and was able to commit and push from the laptop once again, and without any authentication. I checked the local configs as well via git config --list, and found nothing related to any authentication.

Is there any other way I can check? I am on Mac 10.15.5, if that matters.

First thing to check would be if the push URL for your repository (git remote show origin) is using SSH or HTTPS, because that tells you which kind of credentials to look for.

If SSH: Check if any of the keys registered in your GitHub account (Settings > SSH and GPG keys) matches any of your identity files (~/.ssh/id_*.pub, assuming OpenSSH and the same paths as on Linux). If so, login is expected to work without configuration in git.

If HTTPS: I haven’t used this from the command line so this is going to be vague, but you’d be looking for a cached password or access token. While looking up other stuff earlier I noticed that on Mac git can use the system keychain, so maybe it’s that?


Clearing GitHub account from the keychain did the job. I verified by trying to push another commit. Thanks 🙂

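The checks suggested in this thread, gathered into one script as an added example (not posted by any participant): it reads the push URL, works out whether SSH or HTTPS credentials apply, and lists where a stored credential could come from without printing any secret. It assumes the remote is named origin, OpenSSH key files under ~/.ssh/id_*.pub, and the macOS `security` tool for the keychain lookup; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find which stored credential lets a clone push without a prompt.

# Print the transport behind a git remote URL: ssh, https or other.
remote_transport() {
    case "$1" in
        https://*|http://*)  echo https ;;
        ssh://*|git+ssh://*) echo ssh ;;
        *://*)               echo other ;;   # git://, file://, ...
        *:*)  # scp-like [user@]host:path only if no "/" precedes the first ":"
              case "${1%%:*}" in */*) echo other ;; *) echo ssh ;; esac ;;
        *)                   echo other ;;   # plain local path
    esac
}

# Print the host part of a remote URL (used for the keychain lookup).
remote_host() {
    case "$1" in
        *://*) rest=${1#*://}; rest=${rest%%/*} ;;  # authority of a URL
        *)     rest=${1%%:*} ;;                     # host of scp-like syntax
    esac
    rest=${rest##*@}       # drop "user@"
    echo "${rest%%:*}"     # drop ":port"
}

# Report the credential sources that apply to pushes from the clone in $1.
audit_push_credentials() {
    repo=${1:-.}
    url=$(git -C "$repo" remote get-url --push origin) || return 1
    echo "push URL: $url"
    case "$(remote_transport "$url")" in
        ssh)
            echo "ssh: compare with GitHub Settings > SSH and GPG keys"
            for pub in "$HOME"/.ssh/id_*.pub; do
                [ -f "$pub" ] && ssh-keygen -lf "$pub"   # fingerprint only
            done
            ssh-add -l 2>/dev/null ;;                    # keys held by the agent
        https)
            echo "https: credential helpers and the file that sets each"
            git -C "$repo" config --show-origin --get-all credential.helper
            # macOS: show keychain item attributes for the host, not the secret
            if command -v security >/dev/null 2>&1; then
                security find-internet-password -s "$(remote_host "$url")" \
                    2>/dev/null | grep -E '"(acct|srvr)"'
            fi ;;
        *)  echo "other transport: no stored credential expected" ;;
    esac
}

# Run as: sh audit.sh /path/to/clone
if [ "$#" -gt 0 ]; then audit_push_credentials "$1"; fi
```

A credential helper set outside ~/.gitconfig shows up here with the path of the file that sets it.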