# Git pull on production using HTTPS (no SSH)

If you get `Permission denied (publickey)` with SSH, use HTTPS and a Personal Access Token.

## 1. Remote back to HTTPS

```bash
cd /var/www/boundary-fastapiandnextjs
git remote set-url origin https://gitlab.com/boundarycomission/boundary-fastapiandnextjs.git
git remote -v
```

## 2. Create a Personal Access Token (PAT) in GitLab

1. Log in to GitLab → **Profile (avatar)** → **Preferences** → **Access Tokens**  
   (or: **Settings** → **Access Tokens**)
2. **Token name:** e.g. `production-server-pull`
3. **Expiration:** pick a date or leave empty
4. **Scopes:** tick **read_repository** (and **write_repository** only if you push from the server)
5. **Create token** and **copy the token** (you won’t see it again).

## 3. Store the token so `git pull` doesn’t ask every time

Replace `YOUR_GITLAB_USERNAME` and `YOUR_PAT` with your GitLab username and the token you copied.

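```bash
# One-time setup (run as the user that runs git, e.g. root)
# umask 077 in a subshell creates the file as 0600, so the token is never world-readable
(umask 077; printf '%s\n' 'https://YOUR_GITLAB_USERNAME:YOUR_PAT@gitlab.com' > ~/.git-credentials)
chmod 600 ~/.git-credentials   # also tightens the mode if the file already existed
git config --global credential.helper store
```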

Example (fake token):

```bash
# Subshell umask keeps the new file at 0600 from the moment it is created
(umask 077; printf '%s\n' 'https://josephdilas:glpat-xxxxxxxxxxxxxxxxxxxx@gitlab.com' > ~/.git-credentials)
chmod 600 ~/.git-credentials
git config --global credential.helper store
```

## 4. Pull

```bash
cd /var/www/boundary-fastapiandnextjs
git pull origin master
```

Git will use the credentials from `~/.git-credentials` and won’t prompt.

## Security

- Keep `~/.git-credentials` readable only by you (`chmod 600`).
- Prefer a PAT with only **read_repository**.
- Rotate the token if it might be leaked (revoke in GitLab and create a new one, then update `~/.git-credentials`).
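
To verify the setup on the server, the following added example (not part of the original guide) audits the credential file from step 3 and checks that a remote URL carries no embedded token. The function names `audit_git_credentials` and `url_has_userinfo` are this example's own, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: audit the credential store from step 3. Tokens are never printed.

# Return 0 if an http(s) remote URL embeds credentials (user[:token]@host).
url_has_userinfo() {
    case "$1" in http://*|https://*) ;; *) return 1 ;; esac
    authority=${1#*://}; authority=${authority%%/*}   # host part only, path dropped
    case "$authority" in *@*) return 0 ;; *) return 1 ;; esac
}

# Return 0 only if the file is a private regular file with well-formed https entries.
audit_git_credentials() {
    f=$1; problems=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, a symlink, or not a regular file"; return 1
    fi
    [ -O "$f" ] || { echo "FAIL: $f is not owned by the current user"; problems=$((problems+1)); }
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $f is accessible to group/other; run chmod 600"; problems=$((problems+1))
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n+1))
        case "$line" in
            '') ;;
            https://*:*@*) echo "ok: line $n holds a credential for host ${line##*@}" ;;
            http://*) echo "FAIL: line $n would send the token over cleartext http"; problems=$((problems+1)) ;;
            *) echo "FAIL: line $n is not https://user:token@host"; problems=$((problems+1)) ;;
        esac
    done < "$f"
    [ "$problems" -eq 0 ]
}

# Constructed demo input; on the server pass ~/.git-credentials and
# "$(git remote get-url origin)" instead.
demo=$(mktemp)   # mktemp creates the file with mode 0600
printf '%s\n' 'https://exampleuser:glpat-CONSTRUCTED@gitlab.com' > "$demo"
audit_git_credentials "$demo"
url_has_userinfo 'https://gitlab.com/boundarycomission/boundary-fastapiandnextjs.git' \
    || echo "ok: remote URL carries no embedded token"
rm -f "$demo"
```

Run it as the account that performs the pull; a non-zero return from `audit_git_credentials` means at least one check failed.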
