Problem Statement
It would be great if spec-kit could fetch private extension catalogs and extensions from GitHub Enterprise (GHES) instances which require authentication. Right now, private catalogs must be hosted on public unauthenticated endpoints.
Proposed Solution
If spec-kit is fetching a catalog or extension from the host configured in GH_HOST, it should send the token from GH_ENTERPRISE_TOKEN with the request.
Example:
export GH_HOST=ghes.local
export GH_ENTERPRISE_TOKEN = ********
Then fetching something like this should work:
https://raw.ghes.local/my-org/my-spec-kit-extensions-repo/main/catalog.json
The request could include:
Authorization: Bearer <GH_ENTERPRISE_TOKEN>
Same behavior should apply to extension URLs in the catalog if they also point to ghes.local.
I'm aware that only solves the problem for GitHub Enterprise and not every possible private catalog host, but it has the nice benefit that it does not require any CLI flags, catalog format changes, or other API changes. It just reuses env vars that many GitHub Enterprise users already have configured.
Alternatives Considered
A more complete solution would be to add a generic authentication mechanism that works with any private catalog or extension host, not just GitHub Enterprise. That would be more flexible, but it would likely require a larger design change, such as new configuration options, new CLI commands / flags (to pass the token, to rotate already configured tokens, etc.), or catalog schema updates.
Component
Specify CLI (initialization, commands)
AI Agent (if applicable)
No response
Use Cases
- A team hosts an internal spec-kit extension catalog on GitHub Enterprise Server (GHES).
- The catalog is private and requires authentication to access.
- The catalog points to one or more private extensions that are also hosted on the same GHES instance.
- Developers already have
GH_HOST and GH_ENTERPRISE_TOKEN configured for working with their GHES environment.
- When spec-kit fetches the catalog URL, it should recognize that the host matches
GH_HOST.
- spec-kit should then use
GH_ENTERPRISE_TOKEN to authenticate the request.
- The same authentication behavior should apply when spec-kit fetches private extension URLs from that catalog.
- This lets teams keep catalogs and extensions private without adding new CLI flags, changing the catalog format, or requiring separate spec-kit-specific auth config.
Acceptance Criteria
Additional Context
See https://cli.github.com/manual/gh_help_environment
Problem Statement
It would be great if spec-kit could fetch private extension catalogs and extensions from GitHub Enterprise (GHES) instances which require authentication. Right now, private catalogs must be hosted on public unauthenticated endpoints.
Proposed Solution
If spec-kit is fetching a catalog or extension from the host configured in
GH_HOST, it should send the token fromGH_ENTERPRISE_TOKENwith the request.Example:
Then fetching something like this should work:
https://raw.ghes.local/my-org/my-spec-kit-extensions-repo/main/catalog.jsonThe request could include:
Authorization: Bearer <GH_ENTERPRISE_TOKEN>Same behavior should apply to extension URLs in the catalog if they also point to
ghes.local.I'm aware that only solves the problem for GitHub Enterprise and not every possible private catalog host, but it has the nice benefit that it does not require any CLI flags, catalog format changes, or other API changes. It just reuses env vars that many GitHub Enterprise users already have configured.
Alternatives Considered
A more complete solution would be to add a generic authentication mechanism that works with any private catalog or extension host, not just GitHub Enterprise. That would be more flexible, but it would likely require a larger design change, such as new configuration options, new CLI commands / flags (to pass the token, to rotate already configured tokens, etc.), or catalog schema updates.
Component
Specify CLI (initialization, commands)
AI Agent (if applicable)
No response
Use Cases
GH_HOSTandGH_ENTERPRISE_TOKENconfigured for working with their GHES environment.GH_HOST.GH_ENTERPRISE_TOKENto authenticate the request.Acceptance Criteria
specify extension catalog addcan fetch a catalog from a private repository on GHES that requires authenticationspecify extension addcan fetch an extension from a private repository on GHES that requires authenticationAdditional Context
See https://cli.github.com/manual/gh_help_environment