GitHub

GitHub adds remote context to local Git data: PRs you opened or reviewed, issues you commented on, and review verdicts.

Connect

devrecall auth github                    # OAuth (default)
devrecall auth github --method pat       # personal access token
devrecall auth github --method gh-cli    # reuse `gh auth token`

Three auth methods — pick whichever matches your trust model:

1. OAuth (default)

Opens a browser, the callback round-trips through relay.devrecall.dev. Easiest setup; the relay never sees the token itself, only forwards the OAuth code.

2. Personal access token (no relay)

devrecall auth github --method pat

Generate a classic PAT at github.com/settings/tokens with repo and read:user scopes, then paste it when prompted. The token goes directly from your machine to GitHub — nothing touches relay.devrecall.dev and no DevRecall-owned OAuth app is involved.

Recommended if you’d rather skip our relay entirely.

Use classic, not fine-grained

GitHub has signalled fine-grained PATs as the eventual default, but classic PATs are not deprecated today and have no sunset date. DevRecall recommends classic for one practical reason: fine-grained PATs require selecting each repo by name and have no “all repos I can access” mode, which breaks our auto-discovery of recently-active repos.

If your employer’s GitHub Enterprise plan disables classic PATs at the org level, use OAuth (default) or gh-cli instead.

SAML SSO orgs

If you belong to a GitHub org that enforces SAML SSO (the IdP — Google, Okta, Microsoft, etc. — doesn’t matter), the PAT must be explicitly authorized for that org or GitHub silently returns empty results for org-owned repos (no error, just zero PRs and reviews).

You can tell SSO is enforced if you’ve ever been bounced through a “Single sign-on” page when visiting the org or pulling a private repo from it.

To authorize the token:

1. Open github.com/settings/tokens
2. Find the token you just created
3. Click the Configure SSO dropdown next to it
4. Find your org and click Authorize
5. Complete the SSO redirect

Repeat for each SSO-enforced org. Orgs that have SSO enabled but not enforced don’t need this step.

3. gh CLI (zero setup)

devrecall auth github --method gh-cli

If gh is already installed and authenticated, DevRecall reuses its token via gh auth token. Also fully local — no relay.

Tokens are validated against /user and stored at ~/.devrecall/tokens/github.json (0600).

What gets collected

Activity	What
Pull requests	Title, description, state, merge date
PR reviews	Verdict (approve/request changes), inline comment counts
Issues	Issues you authored or were assigned
Comments	Comments you wrote on PRs and issues

Repos are auto-discovered via GET /user/repos?sort=pushed — DevRecall syncs the most recently active ones first.

Required scopes

Scope	Purpose
repo	Read PRs, issues, and code reviews from private repos
read:user	Get your profile and verified email

repo is what makes code-review tracking work. The collector calls /search/issues?q=type:pr reviewed-by:<you> and then /repos/{owner}/{repo}/pulls/{n}/reviews to record each review with its verdict (APPROVED / CHANGES_REQUESTED / COMMENTED).

Read-only — DevRecall never writes to GitHub.

Rate limits

Authenticated users get 5,000 requests/hour. DevRecall:

• Uses conditional requests (If-Modified-Since/ETag) to avoid quota burn
• Syncs incrementally with since timestamps
• Backs off exponentially on 429

A typical daily sync is <50 requests.

GitLab and Bitbucket

GitLab and Bitbucket use the same shape: devrecall auth gitlab / devrecall auth bitbucket. Scopes are read_api (GitLab) or app password (Bitbucket). Activities normalize to the same schema as GitHub.

For self-hosted GitLab, pass --base-url https://gitlab.example.com.