diff --git a/lyrathorpe/home/shell.nix b/lyrathorpe/home/shell.nix
index cfb2d32..6d363b6 100644
--- a/lyrathorpe/home/shell.nix
+++ b/lyrathorpe/home/shell.nix
@@ -203,12 +203,15 @@ in
     flake = "$HOME/code/nixfiles";
   };
 
-  # GitHub CLI. Prefer SSH for any git operations it drives, matching the
-  # ssh-based remotes used elsewhere.
-  programs.gh = {
-    enable = true;
-    settings.git_protocol = "ssh";
-  };
+  # GitHub CLI. `programs.gh.settings` is deliberately unset: home-manager renders
+  # ~/.config/gh/config.yml as a read-only /nix/store symlink whenever the module
+  # is enabled, but gh must rewrite that file on `gh auth login` and `gh config
+  # set`, which then fail with a permission error. Suppress the managed config.yml
+  # (below) and let gh own it. The token lives in hosts.yml, which is never
+  # Nix-managed. Set the SSH protocol once at runtime: `gh config set git_protocol
+  # ssh` (it can't be declarative here without recreating the immutable file).
+  programs.gh.enable = true;
+  xdg.configFile."gh/config.yml".enable = lib.mkForce false;
 
   programs.tmux = {
     enable = true;