Skip to content

Plugin marketplace clone disables Git credential helpers, breaking private HTTPS repositories #4103

Description

@arnab9211

Describe the bug

Adding a plugin marketplace from a private Azure DevOps HTTPS repository fails even though cloning the same repository manually succeeds using Git Credential Manager.

This appears to be a regression related to the v1.0.70 change:

Fail fast when marketplace plugin git auth needs a terminal prompt

The current implementation disables credential helpers entirely, including helpers that can authenticate non-interactively using cached credentials.

Environment

• GitHub Copilot CLI:  1.0.71-0 
• OS: Windows
• Git:  2.54.0.vfs.0.4 
• Git Credential Manager:  2.8.0 
• Git host: Private Azure DevOps repository over HTTPS

Reproduction

copilot plugin marketplace add "https://dev.azure.com///_git/"

The equivalent interactive command also fails:

/plugin marketplace add https://dev.azure.com///_git/

Actual result

Failed to add marketplace: Failed to fetch git marketplace from the provided URL.
Please verify that the URL and reference are correct.

Details: Command failed: git clone --depth 1 --progress
Cloning into ''...
fatal: unable to get password from user

Expected result

Copilot CLI should use the configured Git credential chain. Cached credentials that require no interaction should continue to work.

If authentication would require an actual prompt, the operation can then fail immediately.

Investigation and root cause

The URL, repository permissions, Git configuration, and cached credentials were verified independently.

A normal clone succeeds:

git clone "https://dev.azure.com///_git/"

Git Credential Manager diagnostics also pass, and a credential can be returned with all interaction disabled:

$env:GIT_TERMINAL_PROMPT = "0"
$env:GCM_INTERACTIVE = "Never"

@"
protocol=https
host=dev.azure.com
path=//_git/

"@ | git credential fill

This successfully returns a cached username and credential.

Running the Copilot marketplace command with  GIT_TRACE2_EVENT  revealed the actual Git invocation:

git.exe
-c credential.helper=
-c core.askPass=
-c credential.interactive=never
clone --depth 1 --progress

The command-level setting:

-c credential.helper=

resets the credential-helper list and overrides both system and global configuration such as:

credential.helper=manager

Consequently, Git Credential Manager is never invoked. Git then cannot obtain a password because interactive prompting has also been disabled, resulting in:

fatal: unable to get password from user

This affects cached, fully non-interactive credentials—not only authentication flows that require a terminal prompt.

Suspected regression

Copilot CLI v1.0.70, released July 10, 2026, contains this release-note entry:

Fail fast when marketplace plugin git auth needs a terminal prompt

This behavior was reproduced with v1.0.71-0 and appears to be an overly broad implementation of that change.

The official marketplace documentation also supports arbitrary Git URLs but does not document that HTTPS credential helpers are disabled:

https://docs.github.com/en/copilot/how-tos/copilot-cli/customize-copilot/plugins-finding-installing

Workaround

Clone the repository manually, then register it as a local marketplace:

git clone "https://dev.azure.com/<organization>/<project>/_git/<repository>"
"$env:LOCALAPPDATA\copilot\marketplace-sources<marketplace>"

copilot plugin marketplace add `
"$env:LOCALAPPDATA\copilot\marketplace-sources<marketplace>"

This works because the manual clone uses Git Credential Manager normally.

SSH URLs may provide another workaround when Azure DevOps SSH authentication is configured. Embedding a PAT in the URL is not a desirable workaround because it can expose the token through command history, logs, process arguments, or saved marketplace configuration.

Suggested fix

Do not reset  credential.helper  when invoking Git. Preserve the configured credential chain while suppressing interactive prompting, for example by using:

GIT_TERMINAL_PROMPT=0
GCM_INTERACTIVE=Never

or an equivalent non-interactive configuration.

This would allow cached credential helpers to authenticate while still failing quickly when user interaction is genuinely required.

Affected version

GitHub Copilot CLI 1.0.70-0

Steps to reproduce the behavior

copilot plugin marketplace add "https://dev.azure.com///_git/"

The equivalent interactive command also fails:

/plugin marketplace add https://dev.azure.com///_git/

Actual result -

Failed to add marketplace: Failed to fetch git marketplace from the provided URL.
Please verify that the URL and reference are correct.

Details: Command failed: git clone --depth 1 --progress
Cloning into ''...
fatal: unable to get password from user

Expected behavior

Copilot CLI should use the configured Git credential chain. Cached credentials that require no interaction should continue to work.

If authentication would require an actual prompt, the operation can then fail immediately.

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:authenticationLogin, OAuth, device auth, token management, and keychain integrationarea:pluginsPlugin system, marketplace, hooks, skills, extensions, and custom agents

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions