gh CLI 2.x stores OAuth credentials in the OS keyring (libsecret/keychain), not in ~/.config/gh/hosts.yml. Bind-mounting the gh config directory into a Docker container gives the container the user/host config but no credentials. gh auth status reports 'The token in default is invalid' because hosts.yml contains only the username — no oauth_token field. Running gh auth login --with-token on the host writes the credential back to the keyring, not the flat file. There is no config flag to force flat-file credential storage in current gh versions.
Pass the credential as an environment variable instead of relying on the config mount. gh reads GH_TOKEN before checking config files. Add GH_TOKEN to docker-compose.yml environment, and set export GH_TOKEN=$(gh auth token) in the host shell profile. The OAuth credential from gh auth login is long-lived and does not expire unless revoked, so this is a one-time setup.