A GitHub CLI extension that automatically switches your GitHub CLI account and enforces the correct Git identity (name, email, signing) based on the repository path.
When working with multiple GitHub accounts (e.g., personal and company), it's easy to:
- Commit with the wrong email/name
- Use the wrong GitHub CLI account for
gh pr,gh issue, etc. - Accidentally push to the wrong account
This extension solves these issues by automatically matching repositories to profiles based on their path.
- π― Auto-switch GitHub CLI account when you enter a repo
- π Enforce correct Git identity (name, email, signing) per repository
- π Path-based profile matching (longest match wins)
- π‘οΈ Optional shell hooks for automatic enforcement on directory change
- βοΈ Simple YAML configuration
- π¨ Beautiful interactive setup with optional UI enhancements
gh extension install <your-username>/gh-account-guardOr install locally for development:
gh extension install .Zero external dependencies! This extension uses pure bash for all operations. Only requires:
- GitHub CLI (
gh) - Already required for GitHub CLI extensions - Git - Standard on most development machines
For a more beautiful and interactive experience, install these optional tools:
-
gum - Beautiful CLI prompts and interactive menus (highly recommended!)
- macOS:
brew install gum - Makes prompts, selects, and confirmations much prettier
- The extension automatically detects and uses
gumif available
- macOS:
-
fzf - Fuzzy finder for interactive selection (highly recommended for menus!)
- macOS:
brew install fzf - Provides beautiful arrow-key navigation menus
- Arrow keys: navigate, Enter: select, Esc: cancel
- Used for interactive menu selection in
setupcommand
- macOS:
-
bat - Syntax highlighting for config files
- macOS:
brew install bat - Makes config files easier to read
- macOS:
Note: All UI enhancements are optional. The extension works perfectly fine without them, but they make the experience much nicer!
Zero Dependencies: This extension uses pure bash YAML parsing and requires no external tools beyond git and gh (which are needed for the tool's core functionality).
-
Run the interactive setup:
gh account-guard setup
This will guide you through configuring your profiles interactively. You can:
- Add multiple profiles (work, personal, clients, etc.)
- Name profiles whatever you want
- Add more profiles later without overwriting existing ones
- Configure GitHub Enterprise patterns
If config exists, you'll be asked to:
- Add a new profile (keeps existing ones)
- Start fresh (overwrites existing config)
- Cancel
Alternatively, create a template config manually:
gh account-guard init
Then edit
~/.config/gh/account-guard.ymlwith your actual:- Repository paths
- GitHub usernames
- Git names and emails
- Signing keys (if using commit signing)
-
Test it:
cd ~/work/company/some-repo gh account-guard status # Check which profile matches gh account-guard fix # Apply the profile to this repo gh account-guard switch # Switch gh CLI account
-
(Optional) Install shell hook for automatic enforcement:
# For zsh gh account-guard install-shell-hook >> ~/.zshrc # For bash gh account-guard install-shell-hook >> ~/.bashrc # For fish gh account-guard install-shell-hook >> ~/.config/fish/config.fish
This will automatically run
fixandswitchwhen youcdinto a git repository.
gh account-guard setup- Interactive setup wizard to configure profiles (recommended)gh account-guard edit- Interactive editor to modify existing profile configurationsgh account-guard init- Create example config template filegh account-guard config- Manage extension settings (default directory, etc.)gh account-guard status- Show which profile matches current directory and current gh/git identitygh account-guard fix- Apply matching profile to current repo (git config, signing)gh account-guard switch- Rungh auth switchto the matching profilegh account-guard install- Install shell hook and git pre-commit hook (recommended)gh account-guard install-shell-hook- Print shell hook snippet for auto-enforcementgh account-guard install-git-hook- Install a pre-commit hook (use--globalfor all repos)gh account-guard create-alias- Create 'gh ag' alias for 'gh account-guard'
The config file is located at ~/.config/gh/account-guard.yml (or $XDG_CONFIG_HOME/gh/account-guard.yml).
Example with multiple profiles:
profiles:
- name: work
path: ~/work/company/ # any repo under here
gh_username: yourcompany-username
git:
name: "Your Name"
email: "[email protected]"
signingkey: "ssh-ed25519 AAAA...company"
gpgsign: true
gpgformat: ssh
remote_match: "github.enterprise.com" # GitHub Enterprise - matches all orgs
- name: personal
path: ~/personal/
gh_username: yourpersonal-username
git:
name: "Your Name (Personal)"
email: "[email protected]"
signingkey: "ssh-ed25519 AAAA...personal"
gpgsign: true
gpgformat: ssh
- name: client1
path: ~/clients/client1/
gh_username: client1-username
git:
name: "Your Name"
email: "[email protected]"
signingkey: ""
gpgsign: false
gpgformat: ssh
remote_match: "github.com/Client1Org/"You can have as many profiles as you need. Profile names are arbitrary - use whatever makes sense for your setup.
Profiles are matched by path prefix. The longest matching path wins. For example:
~/work/company/project/matches theworkprofile~/personal/project/matches thepersonalprofile~/clients/client1/project/matches theclient1profile- If no specific path matches, the profile with path
~/(if any) acts as a fallback
-
name: Profile name (for display) -
path: Path prefix to match (supports~expansion) -
gh_username: GitHub username forgh auth switch -
git.name: Gituser.name -
git.email: Gituser.email -
git.signingkey: SSH or GPG signing key (optional) -
git.gpgsign: Enable commit signing (true/false) -
git.gpgformat: Signing format (sshorgpg) -
remote_match: Optional remote URL pattern to validate (warns if mismatch)What is
remote_match? This is an optional safety check. If set, the extension will warn you if a repo's remote URL doesn't match the pattern. Examples:- GitHub Enterprise:
github.enterprise.com(matches entire enterprise, all orgs) - Specific org:
github.com/YourOrg/(matches repos under that org) - User account:
github.com/username/(matches repos under that user) - If you see a warning, it means the repo's remote doesn't match what you'd expect for that profile
- Leave empty to skip remote validation
- GitHub Enterprise:
-
When you run
gh account-guard fix, it:- Finds the matching profile for the current directory
- Sets local git config (
user.name,user.email, signing settings) - Validates remote URL if
remote_matchis configured
-
When you run
gh account-guard switch, it:- Finds the matching profile
- Runs
gh auth switch -u <gh_username>
-
With the shell hook installed:
- Automatically runs
fixandswitchwhen youcdinto a git repository - Silently fails if no profile matches (won't interrupt your workflow)
- Automatically runs
- Git is the source of truth for commit author/compliance. The extension sets repo-local
user.*config so commits are correct even outsidegh. - Multiple GitHub accounts: Make sure both accounts are logged in:
gh auth login -u yourcompany-usernameandgh auth login -u yourpersonal-username - Windows: Update
path:globs to Windows paths (e.g.,C:/Users/you/work/company/) - Signing: Supports both SSH and GPG signing. Configure
gpgformataccordingly.
Contributions are welcome! Please see:
- Contributing Guide - How to contribute and commit message format
- Code of Conduct
- Security Policy
MIT
- Command Reference - Complete command reference with all options
- Quick Start - Getting started guide
- Troubleshooting - Common issues and solutions
- Architecture - How it works (for developers)
- Changelog - Version history and changes
- Release Process - How releases work