Repositories > Clone
How to clone a repository to your workstation — HTTPS vs SSH, authentication options, common errors
The <> Code button at the top right of any repository detail page exposes both HTTPS and SSH clone URLs. This page covers when to use each, how to set up authentication, and where to look when things break.
TL;DR — Use HTTPS + Personal Access Token for everyday work on your laptop, SSH keys for unattended scripts that must run without user input, and JobToken (HTTPS, auto-injected) inside CI/CD pipelines.
Finding the clone URL
Open the repository → click <> Code in the top right → switch between the HTTPS and SSH tabs and copy the URL. Both URLs point to the same repository — only the transport and authentication differ.
# HTTPS — simplest for interactive use
https://<collabops-host>/<workspace>/<repository>.git
# SSH — requires key-based authentication
git@<collabops-host>:<workspace>/<repository>.gitThe <workspace>/<repository> portion is a human-readable (name-based) slug. If the workspace or repository name changes, the URL changes too — update your remote.
HTTPS vs SSH
| Aspect | HTTPS | SSH |
|---|---|---|
| Auth method | Personal Access Token (PAT) or password | SSH key pair |
| Setup | Issue a PAT once, store it in the credential helper | Generate a key pair, register the public key on your profile |
| Firewall friendliness | Port 443 — works almost everywhere | Port 22 may be blocked on hotel/cafe/corporate networks |
| Interactive prompts | Token entered once | Non-interactive if the key has no passphrase |
| Script automation | Use a credential helper or URL credential | Distribute the key, runs unattended |
| Permission scope | User account (PAT supports expiry) | Per-key (every key on the user profile carries full access) |
| Recommended for | Day-to-day clone / pull / push on your laptop | Daemons, cron jobs, mirrors |
Both methods grant the same read/write access. The choice is about where you use it, not security level.
HTTPS clone
1. Issue a Personal Access Token
Profile → Security → Personal Access Token. Set an expiry date and limit the scope (repository read/write).
2. Run clone
git clone https://<collabops-host>/<workspace>/<repository>.git
# Username for ...: <CollabOps username or email>
# Password for ...: <PAT issued above>3. Cache the token (optional)
To avoid retyping, use your OS credential helper. macOS uses keychain, Windows uses manager-core, Linux uses libsecret.
# macOS
git config --global credential.helper osxkeychain
# Windows
git config --global credential.helper manager-core
# Linux (libsecret)
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecretDo not embed the token directly in the URL (https://<token>@host/...). It leaks into git config, shell history, OS process lists, and any script you share with a teammate.
SSH clone
1. Generate a key pair
# Ed25519 recommended (shorter and stronger than RSA)
ssh-keygen -t ed25519 -C "you@example.com" -f ~/.ssh/id_ed25519_collabops
# When prompted for a passphrase, set one — it limits damage if the key file is ever stolen2. Register the public key
Profile → Security → SSH Keys → Add new. Paste the contents of ~/.ssh/id_ed25519_collabops.pub as-is. You can register multiple keys per user — issue one per machine so you can revoke a single laptop without disrupting the others.
3. SSH config (optional)
If you use different keys on different hosts, an alias in ~/.ssh/config keeps commands clean.
# ~/.ssh/config
Host collabops
HostName <collabops-host>
User git
IdentityFile ~/.ssh/id_ed25519_collabops
IdentitiesOnly yes4. Run clone
# Canonical URL
git clone git@<collabops-host>:<workspace>/<repository>.git
# With the alias from ~/.ssh/config
git clone collabops:<workspace>/<repository>.gitOne-liner with the co CLI
If the co CLI is installed, you can clone by repository name without copying the URL by hand. Default is SSH (uses your existing ~/.ssh keys); --https forces HTTPS.
co repo clone collabops-cli # current workspace, SSH
co repo clone collabops-one/collabops-cli # explicit workspace
co repo clone collabops-cli ./checkout-dir # target directory
co repo clone collabops-cli --https # force HTTPS
co repo clone collabops-cli -- --depth 1 # "--" passes through to git cloneCommon errors
| Symptom | Cause | Fix |
|---|---|---|
fatal: Authentication failed | PAT expired / wrong password / cached token has been revoked | Delete credentials from the helper, retry with a fresh PAT |
Permission denied (publickey) | Public key not registered, or another key is being tried first | Run ssh -vT git@<host> to see which key is offered → register / set IdentitiesOnly yes |
Could not resolve host | VPN not connected or DNS issue | Check VPN, then ping <collabops-host> |
port 22: Connection refused/timed out | Firewall (office, cafe) blocks port 22 | Switch to HTTPS, or use SSH-over-443 if a gateway is available |
remote: Repository not found | Wrong workspace / repo slug, or no membership | Re-copy the URL from the <> Code button, verify membership |
To switch the auth method on an already-cloned repository, only the remote URL changes:
# SSH → HTTPS
git remote set-url origin https://<collabops-host>/<workspace>/<repository>.git
# HTTPS → SSH
git remote set-url origin git@<collabops-host>:<workspace>/<repository>.git
# Verify
git remote -vCloning inside CI/CD pipelines
Pipeline checkout works differently. Instead of stuffing a personal PAT or SSH key into a workspace variable, the platform automatically injects a JobToken when the Job runs. Just put an HTTPS URL in repo-url.
# .collabops/workflows/build.yml
jobs:
build:
steps:
# JobToken is auto-injected — no auth input needed
- name: checkout
uses: "collabops/checkout@v2"
with:
repo-url: "https://<collabops-host>/<workspace>/<repository>.git"Do not put a personal SSH key or PAT into a workspace variable for pipelines. The key holder's permissions transfer to every Job, and pipelines break the moment that user leaves or loses access.
Related
Repository detail — where the <> Code button lives