.

2025-10-29 00:28:38 +08:00 · 2025-10-14 19:07:14 +00:00 · 2025-10-14 18:55:51 +00:00 · 2025-10-14 18:39:36 +00:00
2 changed files with 49 additions and 39 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -270,11 +270,12 @@ class GitAuthHelper {
            // Remove possible previous HTTPS instead of SSH
            yield this.removeGitConfig(this.insteadOfKey, true);
            if (this.settings.persistCredentials) {
                // TODO: UPDATE THIS
                // Configure a placeholder value. This approach avoids the credential being captured
                // by process creation audit events, which are commonly logged. For more information,
                // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
                const output = yield this.git.submoduleForeach(
-                // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+                // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
                `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
                // Replace the placeholder
                const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
@ -380,31 +381,34 @@ class GitAuthHelper {
            yield this.replaceTokenPlaceholder(credentialsConfigPath);
            // Add include or includeIf to reference the credentials config
            if (globalConfig) {
-                // For global config, use unconditional include.
+                // Global config file is temporary
                // No need to track for cleanup since the temp .gitconfig file (which contains
                // this include.path entry) gets deleted by removeGlobalConfig().
                yield this.git.config('include.path', credentialsConfigPath, true);
            }
            else {
                // For local config, use includeIf.gitdir to match the .git directory.
                // Configure for both host and container paths to support Docker container actions.
-                const gitDir = path.join(this.git.getWorkingDirectory(), '.git');
+                let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
                console.log(`Git dir: ${gitDir}`);
                core.info(`Git dir: ${gitDir}`);
                // Use forward slashes for git config, even on Windows
                gitDir = gitDir.replace(/\\/g, '/');
                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
                this.credentialsIncludeKeys.push(hostIncludeKey);
                // Configure for container scenario where paths are mapped to fixed locations
                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
-                if (githubWorkspace) {
+                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
-                    // Calculate the relative path of the working directory from GITHUB_WORKSPACE
+                // Calculate the relative path of the working directory from GITHUB_WORKSPACE
-                    const workingDirectory = this.git.getWorkingDirectory();
+                const workingDirectory = this.git.getWorkingDirectory();
-                    const relativePath = path.relative(githubWorkspace, workingDirectory);
+                let relativePath = path.relative(githubWorkspace, workingDirectory);
-                    // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
+                // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
-                    const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
+                // Use forward slashes for git config
-                    const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                relativePath = relativePath.replace(/\\/g, '/');
-                    const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
+                const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
-                    yield this.git.config(containerIncludeKey, containerCredentialsPath);
+                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
-                    this.credentialsIncludeKeys.push(containerIncludeKey);
+                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
-                }
+                yield this.git.config(containerIncludeKey, containerCredentialsPath);
                this.credentialsIncludeKeys.push(containerIncludeKey);
            }
        });
    }
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -171,11 +171,13 @@ class GitAuthHelper {
    await this.removeGitConfig(this.insteadOfKey, true)
    if (this.settings.persistCredentials) {
      // TODO: UPDATE THIS
      // Configure a placeholder value. This approach avoids the credential being captured
      // by process creation audit events, which are commonly logged. For more information,
      // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
      const output = await this.git.submoduleForeach(
-        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+        // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
        this.settings.nestedSubmodules
      )
@ -311,40 +313,44 @@ class GitAuthHelper {
    // Add include or includeIf to reference the credentials config
    if (globalConfig) {
-      // For global config, use unconditional include.
+      // Global config file is temporary
      // No need to track for cleanup since the temp .gitconfig file (which contains
      // this include.path entry) gets deleted by removeGlobalConfig().
      await this.git.config('include.path', credentialsConfigPath, true)
    } else {
      // For local config, use includeIf.gitdir to match the .git directory.
      // Configure for both host and container paths to support Docker container actions.
-      const gitDir = path.join(this.git.getWorkingDirectory(), '.git')
+      let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
      console.log(`Git dir: ${gitDir}`)
      core.info(`Git dir: ${gitDir}`)
      // Use forward slashes for git config, even on Windows
      gitDir = gitDir.replace(/\\/g, '/')
      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)
      this.credentialsIncludeKeys.push(hostIncludeKey)
      // Configure for container scenario where paths are mapped to fixed locations
      const githubWorkspace = process.env['GITHUB_WORKSPACE']
-      if (githubWorkspace) {
+      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
-        // Calculate the relative path of the working directory from GITHUB_WORKSPACE
+      
-        const workingDirectory = this.git.getWorkingDirectory()
+      // Calculate the relative path of the working directory from GITHUB_WORKSPACE
-        const relativePath = path.relative(githubWorkspace, workingDirectory)
+      const workingDirectory = this.git.getWorkingDirectory()
      let relativePath = path.relative(githubWorkspace, workingDirectory)
-        // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
+      // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
-        const containerGitDir = path.posix.join(
+      // Use forward slashes for git config
-          '/github/workspace',
+      relativePath = relativePath.replace(/\\/g, '/')
-          relativePath,
+      const containerGitDir = path.posix.join(
-          '.git'
+        '/github/workspace',
-        )
+        relativePath,
-        const containerCredentialsPath = path.posix.join(
+        '.git'
-          '/github/runner_temp',
+      )
-          path.basename(credentialsConfigPath)
+      const containerCredentialsPath = path.posix.join(
-        )
+        '/github/runner_temp',
        path.basename(credentialsConfigPath)
      )
-        const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
+      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
-        await this.git.config(containerIncludeKey, containerCredentialsPath)
+      await this.git.config(containerIncludeKey, containerCredentialsPath)
-        this.credentialsIncludeKeys.push(containerIncludeKey)
+      this.credentialsIncludeKeys.push(containerIncludeKey)
      }
    }
  }
Author	SHA1	Message	Date
eric sciple	b13eccf351	.	2025-10-14 19:07:14 +00:00
eric sciple	82257b56c2	.	2025-10-14 18:55:51 +00:00
eric sciple	d9b320ec70	.	2025-10-14 18:39:36 +00:00