From 24b7effa4d7886eb52874c8ef03d1eff22946f29 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Fri, 17 Oct 2025 18:04:39 +0000 Subject: [PATCH] . --- .github/workflows/test.yml | 2 +- __test__/verify-submodules-recursive.sh | 2 ++ __test__/verify-submodules-true.sh | 2 ++ dist/index.js | 40 +++++++++++-------------- src/git-auth-helper.ts | 27 +++++++---------- 5 files changed, 32 insertions(+), 41 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index daeacc9..7c47d7b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -299,7 +299,7 @@ jobs: test-output: runs-on: ubuntu-latest steps: - # Download the action at the current ref + # Clone this repo - name: Checkout uses: actions/checkout@v4.1.6 with: diff --git a/__test__/verify-submodules-recursive.sh b/__test__/verify-submodules-recursive.sh index cf249b6..3af246f 100755 --- a/__test__/verify-submodules-recursive.sh +++ b/__test__/verify-submodules-recursive.sh @@ -19,6 +19,7 @@ echo "Testing persisted credential" pushd ./submodules-recursive/submodule-level-1/submodule-level-2 # Check if credentials are configured +echo "Testing for extraheader in git config" git config list | grep -q "http.*extraheader" if [ "$?" != "0" ]; then echo "Failed to validate persisted credential - no http extraheader found" @@ -27,6 +28,7 @@ if [ "$?" != "0" ]; then fi # Try to ls-remote to validate credentials work +echo "Testing git ls-remote to validate credentials" git ls-remote origin >/dev/null if [ "$?" != "0" ]; then echo "Failed to validate persisted credential - git ls-remote failed" diff --git a/__test__/verify-submodules-true.sh b/__test__/verify-submodules-true.sh index 8ffabb1..e4c1b6f 100755 --- a/__test__/verify-submodules-true.sh +++ b/__test__/verify-submodules-true.sh 
@@ -19,6 +19,7 @@ echo "Testing persisted credential" pushd ./submodules-true/submodule-level-1 # Check if credentials are configured +echo "Testing for extraheader in git config" git config list | grep -q "http.*extraheader" if [ "$?" != "0" ]; then echo "Failed to validate persisted credential - no http extraheader found" @@ -27,6 +28,7 @@ if [ "$?" != "0" ]; then fi # Try to ls-remote to validate credentials work +echo "Testing git ls-remote to validate credentials" git ls-remote origin >/dev/null if [ "$?" != "0" ]; then echo "Failed to validate persisted credential - git ls-remote failed" diff --git a/dist/index.js b/dist/index.js index bdc80bc..4a57cea 100644 --- a/dist/index.js +++ b/dist/index.js @@ -255,17 +255,10 @@ class GitAuthHelper { // Remove possible previous HTTPS instead of SSH yield this.removeSubmoduleGitConfig(this.insteadOfKey); if (this.settings.persistCredentials) { - // Credentials config path - const credentialsConfigPath = yield this.getCredentialsConfigPath(); + // Get the credentials config file path in RUNNER_TEMP + const credentialsConfigPath = this.getCredentialsConfigPath(); // Container credentials config path const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); - // Container repo path - const workingDirectory = this.git.getWorkingDirectory(); - const githubWorkspace = process.env['GITHUB_WORKSPACE']; - assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); - let relativePath = path.relative(githubWorkspace, workingDirectory); - relativePath = relativePath.replace(/\\/g, '/'); - const containerRepoPath = path.posix.join('/github/workspace', relativePath); // Get submodule config file paths. const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules); // For each submodule, configure includeIf entries pointing to the shared credentials file. 
@@ -276,10 +269,13 @@ class GitAuthHelper { submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows // Configure host includeIf yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, false, configPath); - // Configure container includeIf + // Container submodule git directory + const githubWorkspace = process.env['GITHUB_WORKSPACE']; + assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir); relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir); + // Configure container includeIf yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, false, configPath); } if (this.settings.sshKey) { @@ -379,7 +375,7 @@ class GitAuthHelper { configureToken(globalConfig) { return __awaiter(this, void 0, void 0, function* () { // Get the credentials config file path in RUNNER_TEMP - const credentialsConfigPath = yield this.getCredentialsConfigPath(); + const credentialsConfigPath = this.getCredentialsConfigPath(); // Write placeholder to the separate credentials config file using git config. // This approach avoids the credential being captured by process creation audit events, // which are commonly logged. For more information, refer to 
@@ -408,9 +404,9 @@ class GitAuthHelper { const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`; yield this.git.config(hostIncludeKey, credentialsConfigPath); // Container git directory + const workingDirectory = this.git.getWorkingDirectory(); const githubWorkspace = process.env['GITHUB_WORKSPACE']; assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); - const workingDirectory = this.git.getWorkingDirectory(); let relativePath = path.relative(githubWorkspace, workingDirectory); relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git'); @@ -427,18 +423,16 @@ class GitAuthHelper { * @returns The absolute path to the credentials config file */ getCredentialsConfigPath() { - return __awaiter(this, void 0, void 0, function* () { - if (this.credentialsConfigPath) { - return this.credentialsConfigPath; - } - const runnerTemp = process.env['RUNNER_TEMP'] || ''; - assert.ok(runnerTemp, 'RUNNER_TEMP is not defined'); - // Create a unique filename for this checkout instance - const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`; - this.credentialsConfigPath = path.join(runnerTemp, configFileName); - core.debug(`Credentials config path: ${this.credentialsConfigPath}`); + if (this.credentialsConfigPath) { return this.credentialsConfigPath; - }); + } + const runnerTemp = process.env['RUNNER_TEMP'] || ''; + assert.ok(runnerTemp, 'RUNNER_TEMP is not defined'); + // Create a unique filename for this checkout instance + const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`; + this.credentialsConfigPath = path.join(runnerTemp, configFileName); + core.debug(`Credentials config path: ${this.credentialsConfigPath}`); + return this.credentialsConfigPath; } /** * Removes SSH authentication configuration by cleaning up SSH keys, diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index 18ad968..d96cc3b 100644 
--- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -154,8 +154,8 @@ class GitAuthHelper { await this.removeSubmoduleGitConfig(this.insteadOfKey) if (this.settings.persistCredentials) { - // Credentials config path - const credentialsConfigPath = await this.getCredentialsConfigPath() + // Get the credentials config file path in RUNNER_TEMP + const credentialsConfigPath = this.getCredentialsConfigPath() // Container credentials config path const containerCredentialsPath = path.posix.join( @@ -163,17 +163,6 @@ class GitAuthHelper { path.basename(credentialsConfigPath) ) - // Container repo path - const workingDirectory = this.git.getWorkingDirectory() - const githubWorkspace = process.env['GITHUB_WORKSPACE'] - assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined') - let relativePath = path.relative(githubWorkspace, workingDirectory) - relativePath = relativePath.replace(/\\/g, '/') - const containerRepoPath = path.posix.join( - '/github/workspace', - relativePath - ) - // Get submodule config file paths. const configPaths = await this.git.getSubmoduleConfigPaths( this.settings.nestedSubmodules @@ -195,7 +184,9 @@ class GitAuthHelper { configPath ) - // Configure container includeIf + // Container submodule git directory + const githubWorkspace = process.env['GITHUB_WORKSPACE'] + assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined') let relativeSubmoduleGitDir = path.relative( githubWorkspace, submoduleGitDir @@ -205,6 +196,8 @@ class GitAuthHelper { '/github/workspace', relativeSubmoduleGitDir ) + + // Configure container includeIf await this.git.config( `includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, 
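Review bot: In the `@@ -195,7 +184,9 @@` hunk, `relativeSubmoduleGitDir` is joined onto `/github/workspace` with no check that `submoduleGitDir` lies under `GITHUB_WORKSPACE`. If it does not, `path.relative` returns a `..`-prefixed path (or an absolute one across Windows drives), so the container `includeIf.gitdir:` key would name a directory outside the workspace mount and the credentials file would be included for a git directory the action did not intend; whether an earlier input check already rules this out is not visible here. I would assert containment after the slash normalisation, e.g. `assert.ok(relativeSubmoduleGitDir !== '..' && !relativeSubmoduleGitDir.startsWith('../') && !path.isAbsolute(relativeSubmoduleGitDir), 'Submodule git directory is not under GITHUB_WORKSPACE')`. The same unchecked join is applied to `relativePath` in the `@@ -373,9 +366,9 @@` hunk. Separately, the `GITHUB_WORKSPACE` lookup and its `assert.ok` are loop-invariant but now sit inside the per-submodule loop, which starts outside this hunk, and could be hoisted above it.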
@@ -327,7 +320,7 @@ class GitAuthHelper { */ private async configureToken(globalConfig?: boolean): Promise { // Get the credentials config file path in RUNNER_TEMP - const credentialsConfigPath = await this.getCredentialsConfigPath() + const credentialsConfigPath = this.getCredentialsConfigPath() // Write placeholder to the separate credentials config file using git config. // This approach avoids the credential being captured by process creation audit events, @@ -373,9 +366,9 @@ class GitAuthHelper { await this.git.config(hostIncludeKey, credentialsConfigPath) // Container git directory + const workingDirectory = this.git.getWorkingDirectory() const githubWorkspace = process.env['GITHUB_WORKSPACE'] assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined') - const workingDirectory = this.git.getWorkingDirectory() let relativePath = path.relative(githubWorkspace, workingDirectory) relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows const containerGitDir = path.posix.join( @@ -400,7 +393,7 @@ class GitAuthHelper { * Gets or creates the path to the credentials config file in RUNNER_TEMP. * @returns The absolute path to the credentials config file */ - private async getCredentialsConfigPath(): Promise { + private getCredentialsConfigPath(): string { if (this.credentialsConfigPath) { return this.credentialsConfigPath }
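Review bot: The doc comment on `getCredentialsConfigPath` in the `@@ -400,7 +393,7 @@` hunk does not say that the method can throw or that its result is cached. Judging by the compiled body in `dist/index.js`, it asserts that `RUNNER_TEMP` is set and stores the generated path in `this.credentialsConfigPath`, so every later call returns the same file. I would add `* @throws If RUNNER_TEMP is not defined` and a line such as `* The path is generated once per instance and reused, so all includeIf entries point at the same credentials file.` The method body continues past the end of this hunk.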