Pinning a gh account with `GH_TOKEN="$(gh auth token --user X)"`? Check it's non-empty
A common pattern for scripts that must always hit GitHub as a specific account, regardless of whatever account is currently active, is:
GH_TOKEN="$(gh auth token --user work-account)" gh workflow run ...
This works — until gh auth token --user work-account fails and returns an empty string. GH_TOKEN="" is not treated as "unset" by your shell, but it is treated as unset by gh itself, which then silently falls back to whatever account is currently active in the keyring. If that's your personal account and the target repo belongs to an org it can't see, you get a confusing HTTP 404: Not Found — which reads like a missing-repo problem, not an auth problem.
Guard the lookup instead of trusting it inline:
TOKEN="$(gh auth token --user work-account)"
if [ -z "$TOKEN" ]; then
echo "Error: could not obtain gh token for work-account" >&2
exit 1
fi
GH_TOKEN="$TOKEN" gh workflow run ...
Same fix applies to any wrapper that routes gh calls by repo owner: resolve the token first, fail loudly if it's empty, and only then invoke the real gh binary. Silent fallback to the active account is the failure mode to design out.