Good question and thank you for highlighting! First things first - if you are at all concerned that your flox CLI token may have been compromised, please navigate to your flox CLI OAuth App page and select the Revoke access button.
Secondly, we completely agree - by way of background, we encountered a collision between the tokens being stored in the keychain for the gh app, employed a workaround as a temporary measure and neglected to return to it. It was my mistake and it should only take a few hours to reinstate use of the keychain - I'll get on that now and let you know when there's a new version to test available in the flox/prerelease environment.
If it helps to allay your concerns, I also wanted to give some background to the flox-gh app. As I'm sure you've already realized, flox-gh is a build of GitHub's gh modified to authenticate against GitHub OAuth using a flox OAuth app ID, which generates a separate token for the express purpose of authenticating with our flox cloud services. Notably, the token for this app has no scope privileges, as you can confirm by way of the flox auth status command:
flox [flox/prerelease default] [brantley@clubsoda:~/src/flox]$ flox auth status
github.com
✓ Logged in to github.com as limeytexan (/home/brantley/.config/flox/gh/hosts.yml)
✓ Token: gho_************************************
✓ Token scopes: none
This is much different from the "gist, read:org, repo, workflow" scopes of tokens required by the gh app. For what it's worth I am equally paranoid about the storage of those GitHub tokens!
Again, many thanks for highlighting this issue - I will get back to you with an update ASAP.
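The two things a reader of the thread above would want to verify for themselves are (a) whether the on-disk token file is readable only by its owner while the keychain fix is pending, and (b) that the token really carries no scopes. The script below is an added example, not code from flox or from the post's author. It assumes that flox-gh's hosts.yml keeps the same layout as gh's (a host key with user and oauth_token entries), and it checks scopes by parsing the X-OAuth-Scopes response header that GitHub returns for a token-authenticated API request; the sample file and header values are constructed inline so the check runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample in the layout gh's hosts.yml uses (assumption: flox-gh
# keeps the same layout). The token value is a placeholder, not a real token.
SAMPLE_HOSTS_YML = """github.com:
    user: limeytexan
    oauth_token: gho_PLACEHOLDER_PLACEHOLDER_PLACEHOLDER
    git_protocol: https
"""


def write_sample_hosts(directory: Path, mode: int = 0o600) -> Path:
    """Write the constructed hosts.yml into `directory` with the given mode."""
    path = directory / "hosts.yml"
    path.write_text(SAMPLE_HOSTS_YML)
    os.chmod(path, mode)
    return path


def token_file_is_private(path: Path) -> bool:
    """True when no group/other permission bits are set (e.g. mode 0600)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_token(path: Path) -> str:
    """Pull the oauth_token value out of a gh-style hosts.yml (minimal parser,
    enough for the flat key/value layout shown in SAMPLE_HOSTS_YML)."""
    for line in path.read_text().splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "oauth_token":
            return value.strip()
    raise ValueError("no oauth_token entry found")


def redact(token: str) -> str:
    """Mask everything after the token prefix, as `flox auth status` does."""
    return token[:4] + "*" * (len(token) - 4)


def parse_scopes(header_value: str) -> list[str]:
    """Parse a GitHub X-OAuth-Scopes header value. An empty header means the
    token has no scopes, which is the expected state for the flox-gh token."""
    return [s.strip() for s in header_value.split(",") if s.strip()]


def scope_report(header_value: str) -> str:
    scopes = parse_scopes(header_value)
    return "none" if not scopes else ", ".join(scopes)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hosts = write_sample_hosts(Path(tmp))
        print(f"token file private: {token_file_is_private(hosts)}")
        print(f"token: {redact(read_token(hosts))}")
    # Constructed header values: one as GitHub returns it for a scope-less
    # token, one as it would look for a typical gh token.
    print("flox-gh token scopes:", scope_report(""))
    print("gh token scopes:", scope_report("gist, read:org, repo, workflow"))
```

To run the scope check against a live token rather than the constructed header, send an authenticated request to https://api.github.com/user and read the X-OAuth-Scopes header of the response; an empty value corresponds to the "Token scopes: none" line in the flox auth status output quoted above.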