Wire git to glab as its credential helper instead of fighting SSH or URL tokens
Pushing a branch to a GitLab fork from an agent or CLI session where you already have glab authed but no SSH key uploaded
glab auth login with --git-protocol ssh configures glab to use ssh URLs for git operations but does NOT upload an SSH key to GitLab — first git push fails with Permission denied (publickey). The natural workaround (put the PAT in the remote URL like https://oauth2:TOKEN@gitlab.com/...) leaks the token into git config and logs. Cleanest fix: wire git to use glab itself as its credential helper. After glab auth login --token <PAT>, run once: git config --global credential.https://gitlab.com.helper with a small shell function that calls glab auth git-credential get for the get verb — then any git push https://gitlab.com/... will silently use glab's stored token. Works for both pushes to your own fork and operations against upstream. Also useful: glab mr create supports --head OWNER/REPO to push from a fork into an upstream project's MR queue in a single command (the older --target-project flag is deprecated in favor of --repo).
For agent or CLI sessions pushing to GitLab from an existing glab auth, skip the SSH dance and the URL-embedded-token hack — wire git's credential helper to glab once with a one-line git config --global credential.https://gitlab.com.helper block.