Add GitHub credentials to Sandbox (#1487)

* Document gh auth token pattern in opencode_server example

Add guidance for using shell command substitution with $(gh auth token)
to pass GitHub credentials when launching the sandbox, enabling access
to private repositories without manually creating a PAT.

Co-authored-by: Modal Jazz <modal-jazz@modal.com>

* update formatting, adjust prose

* Pass GH_TOKEN to sandbox via Modal Secret

Allows authenticated gh commands inside the sandbox, not just repo cloning.

* Apply suggestion from @charlesfrye

---------

Co-authored-by: opencode <opencode@test.com>
Co-authored-by: Modal Jazz <modal-jazz@modal.com>
Co-authored-by: OpenCode <opencode@modal.com>

Author: 4 people

13_sandboxes/opencode_server.py

@@ -40,7 +40,7 @@
 def define_base_image() -> modal.Image:
     image = (
         modal.Image.debian_slim()
-        .apt_install("curl", "git")
+        .apt_install("curl", "git", "gh")
         .run_commands("curl -fsSL https://opencode.ai/install | bash")
         .env({"PATH": "/root/.opencode/bin:${PATH}"})
     )
@@ -127,7 +127,7 @@ def create_sandbox(
     image: modal.Image,
     timeout: int,
     app: modal.App,
-    password_secret: modal.Secret,
+    secrets: list[modal.Secret],
     working_dir: str | None = None,
 ) -> modal.Sandbox:
     print("🏖️  Creating sandbox")
@@ -141,7 +141,7 @@ def create_sandbox(
             "--log-level=DEBUG",
             "--print-logs",
             encrypted_ports=[OPENCODE_PORT],
-            secrets=[password_secret],
+            secrets=secrets,
             timeout=timeout,
             image=image,
             app=app,
@@ -204,8 +204,12 @@ def main(
 
     password = secrets.token_urlsafe(13)
     password_secret = modal.Secret.from_dict({"OPENCODE_SERVER_PASSWORD": password})
+    sandbox_secrets = [password_secret]
 
-    sandbox = create_sandbox(image, timeout, app, password_secret, "/root/code")
+    if github_token:
+        sandbox_secrets.append(modal.Secret.from_dict({"GH_TOKEN": github_token}))
+
+    sandbox = create_sandbox(image, timeout, app, sandbox_secrets, "/root/code")
     print_access_info(sandbox, password)
 
 
@@ -214,6 +218,13 @@ def main(
 # This script supports configuration via command-line arguments.
 # Run with `--help` to see all options.
 
+# To grant the agent the same GitHub permissions you have, you can pass a GitHub personal access token.
+# If you use the `gh` CLI, you can use shell command substitution to pass your current auth:
+
+# ```bash
+#     python 13_sandboxes/opencode_server.py --github-token $(gh auth token)
+# ```
+
 
 def parse_timeout(timeout_str: str) -> int:
     if timeout_str.endswith("h"):
@@ -267,7 +278,7 @@ def parse_timeout(timeout_str: str) -> int:
         "--github-token",
         type=str,
         default=None,
-        help="GitHub PAT for private repositories",
+        help="GitHub PAT for private repos and gh CLI auth. Tip: use $(gh auth token)",
     )
 
     args = parser.parse_args()