Tutorial: Git-Based Groves
What you will learn: How to create a grove from a GitHub repository, configure authentication with a fine-grained Personal Access Token, and start agents that clone and work on your code — all without a local checkout.
Local Worktrees vs. Hub Clones
Section titled “Local Worktrees vs. Hub Clones”Before diving in, it’s important to understand the two workspace models Scion offers for git repositories:
| Local Worktrees | Hub Clones (Git Groves) | |
|---|---|---|
| Where code lives | On your machine, as a git worktree | Inside the agent container, cloned at startup |
| Git credentials | Uses your local git/SSH config | Requires a GITHUB_TOKEN secret on the Hub |
| Isolation | Worktree per agent, shared .git | Full clone per agent, completely independent |
| Network | No network needed (local files) | HTTPS clone from GitHub on each start |
| Merging work | Merge worktree branches locally | Agent pushes to remote; merge via Pull Request |
| Hub required | No | Yes |
| Best for | Solo development, fast iteration | Team workflows, remote brokers, CI-like dispatch |
Key takeaway: When a grove is managed by the Hub — whether created from a URL or linked from a local directory — agents always use HTTPS clone-based provisioning. Local worktrees are a local-mode feature only. This is intentional: the Hub enforces a consistent workspace strategy across all brokers and users.
For the full technical details on workspace strategies, see About Workspaces.
Prerequisites
Section titled “Prerequisites”- A running Scion Hub that you are connected to (see Connecting to Hub)
- A GitHub repository (public or private) you want agents to work on
- A GitHub account with permission to create fine-grained Personal Access Tokens
Step 1: Create a GitHub Fine-Grained PAT
Section titled “Step 1: Create a GitHub Fine-Grained PAT”Scion uses a GitHub fine-grained Personal Access Token (PAT) to clone repositories over HTTPS inside agent containers. Fine-grained PATs are preferred over classic tokens because they can be scoped to specific repositories.
Generate the Token
Section titled “Generate the Token”- Go to GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens.
- Click Generate new token.
- Configure:
- Token name: Something descriptive, e.g.
scion-agents-acme-backend - Expiration: Choose an appropriate lifetime
- Repository access: Select Only select repositories and pick the repo(s) your agents will work on
- Permissions:
- Contents: Read and write (required for clone and push)
- Pull requests: Read and write (if you want agents to create PRs)
- Metadata: Read-only (automatically selected)
- Token name: Something descriptive, e.g.
- Click Generate token and copy the value (it starts with
github_pat_).
Step 2: Create a Git Grove
Section titled “Step 2: Create a Git Grove”Create a grove on the Hub from your repository URL:
scion hub grove create https://github.com/acme/backend.gitScion will auto-detect the default branch and derive a slug from the repository name:
Grove created: ID: a1b2c3d4-e5f6-5789-abcd-ef0123456789 Slug: acme-backend Remote: github.com/acme/backend Branch: mainOptional Flags
Section titled “Optional Flags”# Specify a branch (useful for long-lived feature branches)scion hub grove create https://github.com/acme/backend.git --branch develop
# Override the auto-generated slugscion hub grove create https://github.com/acme/backend.git --slug my-backendStep 3: Upload Your Token as a Secret
Section titled “Step 3: Upload Your Token as a Secret”Store the GitHub PAT as a grove-scoped secret so that all agents in this grove can authenticate:
scion hub secret set --grove acme-backend GITHUB_TOKEN github_pat_xxxxxxxxSecrets are write-only — the value is encrypted and can never be read back via the CLI or API. It is only decrypted at runtime and injected into the agent container as an environment variable.
User-Scoped vs. Grove-Scoped
Section titled “User-Scoped vs. Grove-Scoped”You can also set GITHUB_TOKEN at the user scope if your token covers multiple repositories:
# User-scoped: available to all your agents across all grovesscion hub secret set GITHUB_TOKEN github_pat_xxxxxxxxGrove-scoped secrets take priority over user-scoped ones (see Secret Management for the full resolution hierarchy).
Web Dashboard Alternative
Section titled “Web Dashboard Alternative”You can also upload secrets through the Web Dashboard:
- Navigate to the grove’s settings page.
- Open the Secrets tab.
- Click Add Secret, enter
GITHUB_TOKENas the key, paste the token value, and save.
Step 4: Start an Agent
Section titled “Step 4: Start an Agent”With the grove and token in place, start an agent targeting the grove:
scion start my-agent --grove acme-backend "add input validation to the /users endpoint"You’ll see the agent go through the clone-based startup:
Using hub, cloning repo https://github.com/acme/backend.git (Hub mode uses HTTPS clone with GITHUB_TOKEN; local worktrees are not used)
Agent 'my-agent' starting on broker 'us-west-01'... Status: CLONING (github.com/acme/backend @ main) Status: STARTING Status: RUNNINGWhat happens inside the container
Section titled “What happens inside the container”- The workspace is provisioned using a
git init+git fetchstrategy, which can handle workspaces that already contain.scionmetadata or.scion-volumesdirectories - A feature branch
scion/my-agentis created and checked out - Git identity is configured automatically
- The agent’s harness (Claude, Gemini, etc.) starts with the task prompt
Running multiple agents
Section titled “Running multiple agents”Each agent gets its own clone and its own scion/<agent-name> branch, so you can run several in parallel on the same grove:
scion start agent-auth --grove acme-backend "add OAuth2 support"scion start agent-tests --grove acme-backend "increase test coverage for pkg/api"scion start agent-docs --grove acme-backend "update the API documentation"Step 5: Monitor and Retrieve Work
Section titled “Step 5: Monitor and Retrieve Work”Check agent status
Section titled “Check agent status”scion list --grove acme-backendAttach to an agent
Section titled “Attach to an agent”If an agent is waiting for input or you want to observe it:
scion attach my-agent --grove acme-backendRetrieve the code
Section titled “Retrieve the code”Since agents push their branches to the remote, you can pull their work from any machine:
git fetch origin scion/my-agentgit log origin/scion/my-agentOr create a Pull Request directly from the branch on GitHub.
Linked Groves: When Local Becomes Remote
Section titled “Linked Groves: When Local Becomes Remote”If you already have a local checkout linked to the Hub via scion hub link, be aware that the workspace strategy changes. Once linked, even if the broker machine has the repository on disk, agents use clone-based provisioning — not local worktrees.
This means you need a GITHUB_TOKEN secret set on the grove, just like a grove created from a URL.
To temporarily fall back to local worktree mode:
# Disable hub for a single commandscion start my-agent --no-hub "quick local fix"
# Or disable hub integration entirelyscion hub disableTroubleshooting
Section titled “Troubleshooting”Agent fails with “authentication required” or “clone failed”
Section titled “Agent fails with “authentication required” or “clone failed””- Verify a
GITHUB_TOKENis set on the grove or at user scope:Terminal window scion hub secret get --grove acme-backend - Ensure the token has Contents: Read permission at minimum.
- Check that the token has not expired.
- For fine-grained PATs, confirm the target repository is included in the token’s repository access list.
Agent clones the wrong branch
Section titled “Agent clones the wrong branch”Use the --branch flag when creating the grove to set the default:
scion hub grove create https://github.com/acme/backend.git --branch developAgent needs full git history
Section titled “Agent needs full git history”Shallow clones (depth=1) are used by default for fast startup. If an agent needs full history for operations like git log or git blame, it can fetch the rest from inside its session:
git fetch --unshallow