Gitea/checkout
1
0
Fork 0
mirror of https://github.com/actions/checkout.git synced 2025-10-31 10:08:37 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: Gitea:a7fcda9e319b44aace522a79bf0a079c071ab5c2
Branches Tags
Gitea:main
Gitea:users/ericsciple/25-10-cred
Gitea:dependabot/github_actions/minor-actions-dependencies-ad3029623a
Gitea:dependabot/npm_and_yarn/minor-npm-dependencies-14ee30afef
Gitea:dependabot/npm_and_yarn/types/node-22.5.4
Gitea:dependabot/npm_and_yarn/typescript-eslint/parser-7.18.0
Gitea:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.4.0
Gitea:dependabot/npm_and_yarn/multi-87b2ad6fb3
Gitea:jww3-patch-1
Gitea:jww3-minversion-v5
Gitea:releases/v4.0.0
Gitea:takost/test-package-update
Gitea:test-show-progress
Gitea:releases/v3
Gitea:users/vanzeben/lfs-credentials-helper
Gitea:luketomlinson/tags
Gitea:fhammerl/releasev3.6.0
Gitea:releases/v2
Gitea:users/vmjoseph/checkout-upgrade-1.1.3
Gitea:fhammerl/bump-gh-package-versions
Gitea:users/vmjoseph/no-proxy
Gitea:vmjoseph/toolkit-windows-exec
Gitea:vmjoseph/silent-rev-parse
Gitea:ericsciple-patch-1
Gitea:hross-zeit-vercel
Gitea:master
Gitea:users/ericsciple/m167workflow
Gitea:users/ericsciple/m167sub
Gitea:test-data/v2/submodule-ssh-url-level-2
Gitea:test-data/v2/submodule-ssh-url
Gitea:test-data/v2/submodule-ssh-url-level-1
Gitea:test-data/v2/submodule
Gitea:users/ericsciple/m166refs
Gitea:users/tihuang/proxysupport
Gitea:users/ericsciple/m164submodule
Gitea:users/ericsciple/m163tarball_temp
Gitea:users/ericsciple/m163tarball_efficient_download
Gitea:users/ericsciple/m162pr
Gitea:users/ericsciple/test-pr
Gitea:test-data/v2/basic
Gitea:test-data/v2/submodule-level-1
Gitea:test-data/v2/submodule-level-2
Gitea:test-data/v2/lfs
Gitea:test-data/v2/side-by-side-2
Gitea:test-data/v2/side-by-side-1
Gitea:revert-56-users/tihuang/checkoutV1_1
Gitea:releases/v1
Gitea:Update-description
Gitea:v5
Gitea:v5.0.0
Gitea:v4.3.0
Gitea:v4.2.2
Gitea:v4
Gitea:v4.2.1
Gitea:v4.2.0
Gitea:v4.1.7
Gitea:v4.1.6
Gitea:v4.1.5
Gitea:v4.1.4
Gitea:v4.1.3
Gitea:v4.1.2
Gitea:v4.1.1
Gitea:v4.0.0
Gitea:v4.1.0
Gitea:v3.6.0
Gitea:v3
Gitea:v3.5.3
Gitea:v3.5.2
Gitea:v3.5.1
Gitea:v2
Gitea:v2.7.0
Gitea:v3.5.0
Gitea:v3.4.0
Gitea:v3.3.0
Gitea:v2.6.0
Gitea:v3.2.0
Gitea:v2.5.0
Gitea:v3.1.0
Gitea:v2.4.2
Gitea:v3.0.2
Gitea:v3.0.1
Gitea:v2.4.1
Gitea:v3.0.0
Gitea:v2.4.0
Gitea:v2.3.5
Gitea:v2.3.4
Gitea:v2.3.3
Gitea:v2.3.2
Gitea:v2.3.1
Gitea:v2.3.0
Gitea:v2.2.0
Gitea:v2.1.1
Gitea:v2.1.0
Gitea:v2.0.0
Gitea:v2-beta
Gitea:v1
Gitea:v1.2.0
Gitea:v1.1.0
Gitea:1.0.0
Gitea:v1.0.0
..
compare: Gitea:ebeaf55947019bea604d6e3f9a0ea3e1148a9380
Branches Tags
Gitea:users/ericsciple/25-10-cred
Gitea:main
Gitea:dependabot/github_actions/minor-actions-dependencies-ad3029623a
Gitea:dependabot/npm_and_yarn/minor-npm-dependencies-14ee30afef
Gitea:dependabot/npm_and_yarn/types/node-22.5.4
Gitea:dependabot/npm_and_yarn/typescript-eslint/parser-7.18.0
Gitea:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.4.0
Gitea:dependabot/npm_and_yarn/multi-87b2ad6fb3
Gitea:jww3-patch-1
Gitea:jww3-minversion-v5
Gitea:releases/v4.0.0
Gitea:takost/test-package-update
Gitea:test-show-progress
Gitea:releases/v3
Gitea:users/vanzeben/lfs-credentials-helper
Gitea:luketomlinson/tags
Gitea:fhammerl/releasev3.6.0
Gitea:releases/v2
Gitea:users/vmjoseph/checkout-upgrade-1.1.3
Gitea:fhammerl/bump-gh-package-versions
Gitea:users/vmjoseph/no-proxy
Gitea:vmjoseph/toolkit-windows-exec
Gitea:vmjoseph/silent-rev-parse
Gitea:ericsciple-patch-1
Gitea:hross-zeit-vercel
Gitea:master
Gitea:users/ericsciple/m167workflow
Gitea:users/ericsciple/m167sub
Gitea:test-data/v2/submodule-ssh-url-level-2
Gitea:test-data/v2/submodule-ssh-url
Gitea:test-data/v2/submodule-ssh-url-level-1
Gitea:test-data/v2/submodule
Gitea:users/ericsciple/m166refs
Gitea:users/tihuang/proxysupport
Gitea:users/ericsciple/m164submodule
Gitea:users/ericsciple/m163tarball_temp
Gitea:users/ericsciple/m163tarball_efficient_download
Gitea:users/ericsciple/m162pr
Gitea:users/ericsciple/test-pr
Gitea:test-data/v2/basic
Gitea:test-data/v2/submodule-level-1
Gitea:test-data/v2/submodule-level-2
Gitea:test-data/v2/lfs
Gitea:test-data/v2/side-by-side-2
Gitea:test-data/v2/side-by-side-1
Gitea:revert-56-users/tihuang/checkoutV1_1
Gitea:releases/v1
Gitea:Update-description
Gitea:v5
Gitea:v5.0.0
Gitea:v4.3.0
Gitea:v4.2.2
Gitea:v4
Gitea:v4.2.1
Gitea:v4.2.0
Gitea:v4.1.7
Gitea:v4.1.6
Gitea:v4.1.5
Gitea:v4.1.4
Gitea:v4.1.3
Gitea:v4.1.2
Gitea:v4.1.1
Gitea:v4.0.0
Gitea:v4.1.0
Gitea:v3.6.0
Gitea:v3
Gitea:v3.5.3
Gitea:v3.5.2
Gitea:v3.5.1
Gitea:v2
Gitea:v2.7.0
Gitea:v3.5.0
Gitea:v3.4.0
Gitea:v3.3.0
Gitea:v2.6.0
Gitea:v3.2.0
Gitea:v2.5.0
Gitea:v3.1.0
Gitea:v2.4.2
Gitea:v3.0.2
Gitea:v3.0.1
Gitea:v2.4.1
Gitea:v3.0.0
Gitea:v2.4.0
Gitea:v2.3.5
Gitea:v2.3.4
Gitea:v2.3.3
Gitea:v2.3.2
Gitea:v2.3.1
Gitea:v2.3.0
Gitea:v2.2.0
Gitea:v2.1.1
Gitea:v2.1.0
Gitea:v2.0.0
Gitea:v2-beta
Gitea:v1
Gitea:v1.2.0
Gitea:v1.1.0
Gitea:1.0.0
Gitea:v1.0.0

1 Commits
a7fcda9e31 ... ebeaf55947

Author SHA1 Message Date
eric sciple
ebeaf55947
Merge b13eccf351 into ff7abcd0c3 2025-10-14 19:07:18 +00:00
3 changed files with 76 additions and 153 deletions
Show Stats Expand all files Collapse all files

11
__test__/git-auth-helper.test.ts
View File

@ -595,14 +595,11 @@ describe('git-auth-helper tests', () => {
await authHelper.configureSubmoduleAuth() await authHelper.configureSubmoduleAuth()
// Assert // Assert
// Should get submodule config paths (1 call) and configure insteadOf (2 calls for two values)
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4) expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
/unset-all.*insteadOf/ /unset-all.*insteadOf/
) )
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
/show-origin.*remote\.origin\.url/
)
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
/url.*insteadOf.*git@github.com:/ /url.*insteadOf.*git@github.com:/
) )
@ -637,14 +634,11 @@ describe('git-auth-helper tests', () => {
await authHelper.configureSubmoduleAuth() await authHelper.configureSubmoduleAuth()
// Assert // Assert
// Should get submodule config paths (1 call) and configure sshCommand (1 call)
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3) expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
/unset-all.*insteadOf/ /unset-all.*insteadOf/
) )
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
/show-origin.*remote\.origin\.url/
)
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/) expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
} }
) )
@ -782,7 +776,6 @@ async function setup(testName: string): Promise<void> {
await fs.promises.mkdir(tempHomedir, {recursive: true}) await fs.promises.mkdir(tempHomedir, {recursive: true})
process.env['RUNNER_TEMP'] = runnerTemp process.env['RUNNER_TEMP'] = runnerTemp
process.env['HOME'] = tempHomedir process.env['HOME'] = tempHomedir
process.env['GITHUB_WORKSPACE'] = workspace
// Create git config // Create git config
globalGitConfigPath = path.join(tempHomedir, '.gitconfig') globalGitConfigPath = path.join(tempHomedir, '.gitconfig')

87
dist/index.js vendored
View File

@ -163,7 +163,7 @@ class GitAuthHelper {
this.sshKnownHostsPath = ''; this.sshKnownHostsPath = '';
this.temporaryHomePath = ''; this.temporaryHomePath = '';
this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
this.credentialsIncludeKeys = []; // Track includeIf config keys for cleanup this.credentialsIncludeKeys = []; // Track includeIf/include config keys for cleanup
this.git = gitCommandManager; this.git = gitCommandManager;
this.settings = gitSourceSettings || {}; this.settings = gitSourceSettings || {};
// Token auth header // Token auth header
@ -268,37 +268,20 @@ class GitAuthHelper {
configureSubmoduleAuth() { configureSubmoduleAuth() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
// Remove possible previous HTTPS instead of SSH // Remove possible previous HTTPS instead of SSH
yield this.removeSubmoduleGitConfig(this.insteadOfKey); yield this.removeGitConfig(this.insteadOfKey, true);
if (this.settings.persistCredentials) { if (this.settings.persistCredentials) {
// Credentials config path // TODO: UPDATE THIS
const credentialsConfigPath = yield this.getCredentialsConfigPath(); // Configure a placeholder value. This approach avoids the credential being captured
// Container credentials config path // by process creation audit events, which are commonly logged. For more information,
const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
// Container repo path const output = yield this.git.submoduleForeach(
const workingDirectory = this.git.getWorkingDirectory(); // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
const githubWorkspace = process.env['GITHUB_WORKSPACE']; `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); // Replace the placeholder
let relativePath = path.relative(githubWorkspace, workingDirectory);
relativePath = relativePath.replace(/\\/g, '/');
const containerRepoPath = path.posix.join('/github/workspace', relativePath);
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = yield this.git.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, this.settings.nestedSubmodules);
// Extract config file paths from the output (lines starting with "file:").
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []; const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
// For each submodule, configure includeIf entries pointing to the shared credentials file.
// Configure both host and container paths to support Docker container actions.
for (const configPath of configPaths) { for (const configPath of configPaths) {
// The config file is at .git/modules/submodule-name/config core.debug(`Replacing token placeholder in '${configPath}'`);
let submoduleConfigDir = path.dirname(configPath); yield this.replaceTokenPlaceholder(configPath);
submoduleConfigDir = submoduleConfigDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
// Configure host includeIf
yield this.git.config(`includeIf.gitdir:${submoduleConfigDir}.path`, credentialsConfigPath, false, false, configPath);
// Configure container includeIf
let relativeSubmoduleConfigDir = path.relative(githubWorkspace, submoduleConfigDir);
relativeSubmoduleConfigDir = relativeSubmoduleConfigDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleConfigDir);
yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, false, configPath);
} }
if (this.settings.sshKey) { if (this.settings.sshKey) {
// Configure core.sshCommand // Configure core.sshCommand
@ -402,23 +385,27 @@ class GitAuthHelper {
yield this.git.config('include.path', credentialsConfigPath, true); yield this.git.config('include.path', credentialsConfigPath, true);
} }
else { else {
// Host git directory // For local config, use includeIf.gitdir to match the .git directory.
// Configure for both host and container paths to support Docker container actions.
let gitDir = path.join(this.git.getWorkingDirectory(), '.git'); let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows console.log(`Git dir: ${gitDir}`);
// Configure host includeIf core.info(`Git dir: ${gitDir}`);
// Use forward slashes for git config, even on Windows
gitDir = gitDir.replace(/\\/g, '/');
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`; const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
yield this.git.config(hostIncludeKey, credentialsConfigPath); yield this.git.config(hostIncludeKey, credentialsConfigPath);
this.credentialsIncludeKeys.push(hostIncludeKey); this.credentialsIncludeKeys.push(hostIncludeKey);
// Container git directory // Configure for container scenario where paths are mapped to fixed locations
const githubWorkspace = process.env['GITHUB_WORKSPACE']; const githubWorkspace = process.env['GITHUB_WORKSPACE'];
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
// Calculate the relative path of the working directory from GITHUB_WORKSPACE
const workingDirectory = this.git.getWorkingDirectory(); const workingDirectory = this.git.getWorkingDirectory();
let relativePath = path.relative(githubWorkspace, workingDirectory); let relativePath = path.relative(githubWorkspace, workingDirectory);
relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
// Use forward slashes for git config
relativePath = relativePath.replace(/\\/g, '/');
const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git'); const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
// Container credentials config path
const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`; const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
yield this.git.config(containerIncludeKey, containerCredentialsPath); yield this.git.config(containerIncludeKey, containerCredentialsPath);
this.credentialsIncludeKeys.push(containerIncludeKey); this.credentialsIncludeKeys.push(containerIncludeKey);
@ -465,22 +452,18 @@ class GitAuthHelper {
} }
// SSH command // SSH command
yield this.removeGitConfig(SSH_COMMAND_KEY); yield this.removeGitConfig(SSH_COMMAND_KEY);
yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
}); });
} }
removeToken() { removeToken() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
var _a; var _a;
// Remove HTTP extra header // HTTP extra header
yield this.removeGitConfig(this.tokenConfigKey); yield this.removeGitConfig(this.tokenConfigKey);
yield this.removeSubmoduleGitConfig(this.tokenConfigKey); // Remove include/includeIf config entries
// Remove includeIf
for (const includeKey of this.credentialsIncludeKeys) { for (const includeKey of this.credentialsIncludeKeys) {
yield this.removeGitConfig(includeKey); yield this.removeGitConfig(includeKey);
} }
this.credentialsIncludeKeys = []; this.credentialsIncludeKeys = [];
// Remove submodule includeIf
yield this.git.submoduleForeach(`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`, true);
// Remove credentials config file // Remove credentials config file
if (this.credentialsConfigPath) { if (this.credentialsConfigPath) {
try { try {
@ -493,20 +476,18 @@ class GitAuthHelper {
} }
}); });
} }
removeGitConfig(configKey) { removeGitConfig(configKey_1) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, arguments, void 0, function* (configKey, submoduleOnly = false) {
if ((yield this.git.configExists(configKey)) && if (!submoduleOnly) {
!(yield this.git.tryConfigUnset(configKey))) { if ((yield this.git.configExists(configKey)) &&
// Load the config contents !(yield this.git.tryConfigUnset(configKey))) {
core.warning(`Failed to remove '${configKey}' from the git config`); // Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`);
}
} }
});
}
removeSubmoduleGitConfig(configKey) {
return __awaiter(this, void 0, void 0, function* () {
const pattern = regexpHelper.escape(configKey); const pattern = regexpHelper.escape(configKey);
yield this.git.submoduleForeach( yield this.git.submoduleForeach(
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline. // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true); `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
}); });
} }

131
src/git-auth-helper.ts
View File

@ -44,7 +44,7 @@ class GitAuthHelper {
private sshKnownHostsPath = '' private sshKnownHostsPath = ''
private temporaryHomePath = '' private temporaryHomePath = ''
private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP
private credentialsIncludeKeys: string[] = [] // Track includeIf config keys for cleanup private credentialsIncludeKeys: string[] = [] // Track includeIf/include config keys for cleanup
constructor( constructor(
gitCommandManager: IGitCommandManager, gitCommandManager: IGitCommandManager,
@ -168,76 +168,26 @@ class GitAuthHelper {
async configureSubmoduleAuth(): Promise<void> { async configureSubmoduleAuth(): Promise<void> {
// Remove possible previous HTTPS instead of SSH // Remove possible previous HTTPS instead of SSH
await this.removeSubmoduleGitConfig(this.insteadOfKey) await this.removeGitConfig(this.insteadOfKey, true)
if (this.settings.persistCredentials) { if (this.settings.persistCredentials) {
// Credentials config path // TODO: UPDATE THIS
const credentialsConfigPath = await this.getCredentialsConfigPath()
// Container credentials config path // Configure a placeholder value. This approach avoids the credential being captured
const containerCredentialsPath = path.posix.join( // by process creation audit events, which are commonly logged. For more information,
'/github/runner_temp', // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
path.basename(credentialsConfigPath)
)
// Container repo path
const workingDirectory = this.git.getWorkingDirectory()
const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
let relativePath = path.relative(githubWorkspace, workingDirectory)
relativePath = relativePath.replace(/\\/g, '/')
const containerRepoPath = path.posix.join(
'/github/workspace',
relativePath
)
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = await this.git.submoduleForeach( const output = await this.git.submoduleForeach(
`git config --local --show-origin --name-only --get-regexp remote.origin.url`, // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
this.settings.nestedSubmodules this.settings.nestedSubmodules
) )
// Extract config file paths from the output (lines starting with "file:"). // Replace the placeholder
const configPaths = const configPaths: string[] =
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [] output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
// For each submodule, configure includeIf entries pointing to the shared credentials file.
// Configure both host and container paths to support Docker container actions.
for (const configPath of configPaths) { for (const configPath of configPaths) {
// The config file is at .git/modules/submodule-name/config core.debug(`Replacing token placeholder in '${configPath}'`)
let submoduleConfigDir = path.dirname(configPath) await this.replaceTokenPlaceholder(configPath)
submoduleConfigDir = submoduleConfigDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
// Configure host includeIf
await this.git.config(
`includeIf.gitdir:${submoduleConfigDir}.path`,
credentialsConfigPath,
false,
false,
configPath
)
// Configure container includeIf
let relativeSubmoduleConfigDir = path.relative(
githubWorkspace,
submoduleConfigDir
)
relativeSubmoduleConfigDir = relativeSubmoduleConfigDir.replace(
/\\/g,
'/'
) // Use forward slashes, even on Windows
const containerSubmoduleGitDir = path.posix.join(
'/github/workspace',
relativeSubmoduleConfigDir
)
await this.git.config(
`includeIf.gitdir:${containerSubmoduleGitDir}.path`,
containerCredentialsPath,
false,
false,
configPath
)
} }
if (this.settings.sshKey) { if (this.settings.sshKey) {
@ -366,34 +316,38 @@ class GitAuthHelper {
// Global config file is temporary // Global config file is temporary
await this.git.config('include.path', credentialsConfigPath, true) await this.git.config('include.path', credentialsConfigPath, true)
} else { } else {
// Host git directory // For local config, use includeIf.gitdir to match the .git directory.
// Configure for both host and container paths to support Docker container actions.
let gitDir = path.join(this.git.getWorkingDirectory(), '.git') let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows console.log(`Git dir: ${gitDir}`)
core.info(`Git dir: ${gitDir}`)
// Configure host includeIf // Use forward slashes for git config, even on Windows
gitDir = gitDir.replace(/\\/g, '/')
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path` const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
await this.git.config(hostIncludeKey, credentialsConfigPath) await this.git.config(hostIncludeKey, credentialsConfigPath)
this.credentialsIncludeKeys.push(hostIncludeKey) this.credentialsIncludeKeys.push(hostIncludeKey)
// Container git directory // Configure for container scenario where paths are mapped to fixed locations
const githubWorkspace = process.env['GITHUB_WORKSPACE'] const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined') assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
// Calculate the relative path of the working directory from GITHUB_WORKSPACE
const workingDirectory = this.git.getWorkingDirectory() const workingDirectory = this.git.getWorkingDirectory()
let relativePath = path.relative(githubWorkspace, workingDirectory) let relativePath = path.relative(githubWorkspace, workingDirectory)
relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
// Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
// Use forward slashes for git config
relativePath = relativePath.replace(/\\/g, '/')
const containerGitDir = path.posix.join( const containerGitDir = path.posix.join(
'/github/workspace', '/github/workspace',
relativePath, relativePath,
'.git' '.git'
) )
// Container credentials config path
const containerCredentialsPath = path.posix.join( const containerCredentialsPath = path.posix.join(
'/github/runner_temp', '/github/runner_temp',
path.basename(credentialsConfigPath) path.basename(credentialsConfigPath)
) )
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path` const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
await this.git.config(containerIncludeKey, containerCredentialsPath) await this.git.config(containerIncludeKey, containerCredentialsPath)
this.credentialsIncludeKeys.push(containerIncludeKey) this.credentialsIncludeKeys.push(containerIncludeKey)
@ -443,26 +397,18 @@ class GitAuthHelper {
// SSH command // SSH command
await this.removeGitConfig(SSH_COMMAND_KEY) await this.removeGitConfig(SSH_COMMAND_KEY)
await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
} }
private async removeToken(): Promise<void> { private async removeToken(): Promise<void> {
// Remove HTTP extra header // HTTP extra header
await this.removeGitConfig(this.tokenConfigKey) await this.removeGitConfig(this.tokenConfigKey)
await this.removeSubmoduleGitConfig(this.tokenConfigKey)
// Remove includeIf // Remove include/includeIf config entries
for (const includeKey of this.credentialsIncludeKeys) { for (const includeKey of this.credentialsIncludeKeys) {
await this.removeGitConfig(includeKey) await this.removeGitConfig(includeKey)
} }
this.credentialsIncludeKeys = [] this.credentialsIncludeKeys = []
// Remove submodule includeIf
await this.git.submoduleForeach(
`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`,
true
)
// Remove credentials config file // Remove credentials config file
if (this.credentialsConfigPath) { if (this.credentialsConfigPath) {
try { try {
@ -476,20 +422,23 @@ class GitAuthHelper {
} }
} }
private async removeGitConfig(configKey: string): Promise<void> { private async removeGitConfig(
if ( configKey: string,
(await this.git.configExists(configKey)) && submoduleOnly: boolean = false
!(await this.git.tryConfigUnset(configKey)) ): Promise<void> {
) { if (!submoduleOnly) {
// Load the config contents if (
core.warning(`Failed to remove '${configKey}' from the git config`) (await this.git.configExists(configKey)) &&
!(await this.git.tryConfigUnset(configKey))
) {
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`)
}
} }
}
private async removeSubmoduleGitConfig(configKey: string): Promise<void> {
const pattern = regexpHelper.escape(configKey) const pattern = regexpHelper.escape(configKey)
await this.git.submoduleForeach( await this.git.submoduleForeach(
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline. // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
true true
) )