From e8a255b450baa2e915e3f346cb400587e43b0bf7 Mon Sep 17 00:00:00 2001 From: Ben Baron Date: Mon, 6 Jan 2020 21:25:54 -0500 Subject: [PATCH] Public repos no longer include the auth token When backing up repositories using an auth token and https, the GitHub personal auth token is leaked in each backed up repository. It is included in the URL of each repository's git remote url. This is not needed as they are public and can be accessed without the token and can cause issues in the future if the token is ever changed, so I think it makes more sense not to have the token stored in each repo backup. I think the token should only be "leaked" like this out of necessity, e.g. it's a private repository and the --prefer-ssh option was not chosen so https with auth token was required to perform the clone. --- bin/github-backup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/github-backup b/bin/github-backup index 06f3a42..e3fd1f8 100755 --- a/bin/github-backup +++ b/bin/github-backup @@ -394,7 +394,7 @@ def get_github_repo_url(args, repository): return repository['ssh_url'] auth = get_auth(args, False) - if auth: + if auth and repository['private'] == True: repo_url = 'https://{0}@{1}/{2}/{3}.git'.format( auth, get_github_host(args),
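Review bot: In the changed condition in get_github_repo_url, `repository['private'] == True` compares against True explicitly and indexes the key directly; `if auth and repository.get('private'):` is the more idiomatic form and would not raise KeyError if a repository dict ever reaches this function without a `private` field. For private repositories cloned over https the token is still formatted into `repo_url`, so it still lands in each such backup's git remote URL, which the commit message accepts as necessary. A short comment above the condition stating that, and pointing to --prefer-ssh as the way to avoid it, would make the remaining exposure clear to whoever reads this next.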