Claude → GitHub: Programmatic Connection Setup

Project: arlyn.io (ArlynLabs/arlyn-website)
Date: March 2026


Overview

Claude connects to GitHub by authenticating as a human developer using a fine-grained Personal Access Token (PAT). This lets Claude clone the repo, commit changes, and push to main — which then triggers an automatic Cloudflare Pages deployment.

The PAT is stored as a plain-text file in the workspace and loaded into git's credential store at the start of each session.


Credential: Fine-Grained Personal Access Token

How to create it

  1. Log into GitHub as the personal account that owns the organization (d-arlynlabs)
  2. Go to Settings → Developer settings → Personal access tokens → Fine-grained tokens
  3. Click Generate new token with these settings:

     | Setting | Value |
     | --- | --- |
     | Token name | Claude Cowork (or similar) |
     | Resource owner | Your personal account (d-arlynlabs) — not the org (see note below) |
     | Expiration | Set to your preference |
     | Repository access | Only select repositories → arlyn-website |
     | Contents permission | Read and write |
     | Metadata permission | Read-only (auto-selected) |

  4. Click Generate token, copy it immediately (shown only once)

Why personal account, not org? If you set the resource owner to the organization (ArlynLabs), GitHub requires an org admin to approve the token via ArlynLabs org settings → Personal access tokens → Pending requests before it activates. Setting your personal account as resource owner avoids this, because the personal account inherits full access to org repos as the org owner.

Where the token is stored

Save the token to:

.secrets/github_pat

This file is in the workspace root (the folder persisted on the user's computer). It is not committed to the git repo — it stays local.

The file contains only the raw token with no surrounding text:

github_pat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

File permissions are set to 600 (owner read/write only) by the setup script.


How Claude Uses the Token Each Session

Because the Linux sandbox resets between sessions, git credentials must be re-injected at the start of every session. The setup script at .claude/setup.sh handles this:

# Read the PAT from the secrets file, stripping whitespace and the trailing newline
PAT=$(tr -d '[:space:]' < "$WORKSPACE/.secrets/github_pat")

# Set git identity
git config --global user.name "d-arlyn"
git config --global user.email "d@arlyn.dev"

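# Store the PAT in git's credential store.
# The subshell's umask 077 creates the file owner-only from the start, so the
# token is never readable by other users in the gap before chmod runs.
git config --global credential.helper store
(umask 077; echo "https://x-token-auth:${PAT}@github.com" > ~/.git-credentials)
chmod 600 ~/.git-credentials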

# Clone (first session) or pull (returning sessions)
if [ -d "$REPO_DIR/.git" ]; then
  git -C "$REPO_DIR" pull
else
  git clone "$REPO_URL" "$REPO_DIR"
fi

After this runs, all git push / git pull commands authenticate automatically without any interactive prompt.

Note on the setup script path: The script has hardcoded paths referencing the original session ID. Each new Cowork session gets a fresh sandbox with a different session ID, so the setup script currently needs to be run manually with the correct paths substituted (or the CLAUDE.md instruction updated to call bash .claude/setup.sh using a relative path). This is a known limitation to address.


Git Workflow (Ongoing)

cd /sessions/<session-id>/arlyn-website

# Edit site files...

git add -p                        # stage specific changes
git commit -m "describe change"
git push                          # pushes to main; triggers CF Pages deploy

Claude uses git add -p (interactive patch mode) rather than git add . to avoid accidentally staging secrets or unintended files.


Security Notes

  • The PAT is scoped to a single repository (arlyn-website) with only Contents + Metadata permissions — it cannot access other repos or org settings
  • The .secrets/ directory should be kept out of version control: make sure any future .gitignore changes keep it ignored so it cannot be committed accidentally
  • The token can be revoked at any time from GitHub → Settings → Personal access tokens without affecting the domain, deployment, or Cloudflare setup
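
One way to back the git add -p habit and the .secrets/ note above with an automated check, as an added example that is not part of the project's own scripts: a POSIX sh pre-commit guard that rejects staged changes containing a fine-grained PAT or any file under .secrets/. The token pattern, the function names and the --hook argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's setup.sh: a pre-commit guard that blocks
# commits whose staged changes add a fine-grained PAT or a .secrets/ file.

# Assumption: tokens look like "github_pat_" plus 20+ chars of [A-Za-z0-9_],
# the shape shown on this page. Tighten the length if you know the exact format.
PAT_RE='github_pat_[A-Za-z0-9_]{20,}'

# scan_diff: read a unified diff on stdin. Print every added line that carries
# a token (with the token redacted) and return 1; return 0 when none is found.
scan_diff() {
  hits=$(grep -E "^\+.*$PAT_RE" | sed -E "s/$PAT_RE/github_pat_<redacted>/g")
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# staged_secret_paths: read path names on stdin, print those under .secrets/.
staged_secret_paths() {
  grep -E '(^|/)\.secrets/' || true
}

# check_staged: hook entry point. Requires git and must run inside the repo.
check_staged() {
  bad=0
  git diff --cached -U0 --no-color | scan_diff >&2 || bad=1
  paths=$(git diff --cached --name-only | staged_secret_paths)
  if [ -n "$paths" ]; then
    printf 'staged secret file: %s\n' "$paths" >&2
    bad=1
  fi
  if [ "$bad" -ne 0 ]; then
    echo "commit blocked: credential material is staged" >&2
    return 1
  fi
}

# Call from .git/hooks/pre-commit as: sh /path/to/this-script --hook
if [ "${1:-}" = "--hook" ]; then
  check_staged
fi
```

Because the sandbox resets between sessions, the hook has to be reinstalled by the session setup step along with the credentials.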

Key References

| Item | Value |
| --- | --- |
| GitHub org | ArlynLabs |
| Repository | ArlynLabs/arlyn-website |
| PAT location | .secrets/github_pat |
| Session setup script | .claude/setup.sh |
| Git identity | d-arlyn <d@arlyn.dev> |
| Auth method | https://x-token-auth:<PAT>@github.com via credential store |