diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3121c41..9515999 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -35,7 +35,7 @@ jobs:
 uses: actions/checkout@v2
 # Basic checkout
- - name: Basic checkout
+ - name: Checkout basic
 uses: ./
 with:
 ref: test-data/v2/basic
@@ -48,7 +48,7 @@ jobs:
 - name: Modify work tree
 shell: bash
 run: __test__/modify-work-tree.sh
- - name: Clean checkout
+ - name: Checkout clean
 uses: ./
 with:
 ref: test-data/v2/basic
@@ -58,12 +58,12 @@ jobs:
 run: __test__/verify-clean.sh
 # Side by side
- - name: Side by side checkout 1
+ - name: Checkout side by side 1
 uses: ./
 with:
 ref: test-data/v2/side-by-side-1
 path: side-by-side-1
- - name: Side by side checkout 2
+ - name: Checkout side by side 2
 uses: ./
 with:
 ref: test-data/v2/side-by-side-2
@@ -73,7 +73,7 @@ jobs:
 run: __test__/verify-side-by-side.sh
 # LFS
- - name: LFS checkout
+ - name: Checkout LFS
 uses: ./
 with:
 repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
@@ -85,29 +85,29 @@ jobs:
 run: __test__/verify-lfs.sh
 # Submodules false
- - name: Submodules false checkout
+ - name: Checkout submodules false
 uses: ./
 with:
- ref: test-data/v2/submodule
+ ref: test-data/v2/submodule-ssh-url
 path: submodules-false
 - name: Verify submodules false
 run: __test__/verify-submodules-false.sh
 # Submodules one level
- - name: Submodules true checkout
+ - name: Checkout submodules true
 uses: ./
 with:
- ref: test-data/v2/submodule
+ ref: test-data/v2/submodule-ssh-url
 path: submodules-true
 submodules: true
 - name: Verify submodules true
 run: __test__/verify-submodules-true.sh
 # Submodules recursive
- - name: Submodules recursive checkout
+ - name: Checkout submodules recursive
 uses: ./
 with:
- ref: test-data/v2/submodule
+ ref: test-data/v2/submodule-ssh-url
 path: submodules-recursive
 submodules: recursive
 - name: Verify submodules recursive
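Review bot: All three submodule steps in this hunk (`submodules-false`, `submodules-true`, `submodules-recursive`) now check out `test-data/v2/submodule-ssh-url`, so no step visible in this workflow still exercises the previous `test-data/v2/submodule` ref. If that ref is the fixture with HTTPS submodule URLs (inferred from the names only), a regression in the plain HTTPS path would no longer be caught; consider keeping one step on the old ref or adding a separate step for it. A short comment above these steps, for example `# submodule-ssh-url: .gitmodules uses git@ URLs, exercises the insteadOf rewrite`, would record why this ref was chosen.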
@@ -127,7 +127,7 @@ jobs:
 - name: Override git version (Windows)
 if: runner.os == 'windows'
 run: __test__\\override-git-version.cmd
- - name: Basic checkout using REST API
+ - name: Checkout basic using REST API
 uses: ./
 with:
 ref: test-data/v2/basic
@@ -153,7 +153,7 @@ jobs:
 uses: actions/checkout@v2
 # Basic checkout using git
- - name: Basic checkout
+ - name: Checkout basic
 uses: ./
 with:
 ref: test-data/v2/basic
@@ -185,7 +185,7 @@ jobs:
 uses: actions/checkout@v2
 # Basic checkout using git
- - name: Basic checkout
+ - name: Checkout basic
 uses: ./
 with:
 ref: test-data/v2/basic
@@ -198,7 +198,7 @@ jobs:
 # Basic checkout using REST API
 - name: Override git version
 run: __test__/override-git-version.sh
- - name: Basic checkout using REST API
+ - name: Checkout basic using REST API
 uses: ./
 with:
 ref: test-data/v2/basic
diff --git a/dist/index.js b/dist/index.js
index 3a29067..3082946 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -5095,6 +5095,8 @@ exports.createAuthHelper = createAuthHelper; class GitAuthHelper { constructor(gitCommandManager, gitSourceSettings) { this.tokenConfigKey = `http.https://${HOSTNAME}/.extraheader`; + this.insteadOfKey = `url.https://${HOSTNAME}/.insteadOf`; + this.insteadOfValue = `git@${HOSTNAME}:`; this.temporaryHomePath = ''; this.git = gitCommandManager; this.settings = gitSourceSettings || {};
@@ -5140,11 +5142,15 @@ class GitAuthHelper { else { yield fs.promises.writeFile(newGitConfigPath, ''); } - // Configure the token try { + // Override HOME core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`); this.git.setEnvironmentVariable('HOME', this.temporaryHomePath); + // Configure the token yield this.configureToken(newGitConfigPath, true); + // Configure HTTPS instead of SSH + yield this.git.tryConfigUnset(this.insteadOfKey, true); + yield this.git.config(this.insteadOfKey, this.insteadOfValue, true); } catch (err) { // Unset in case somehow written to the real global config
@@ -5160,7 +5166,12 @@ class GitAuthHelper { // Configure a placeholder value. This approach avoids the credential being captured // by process creation audit events, which are commonly logged. For more information, // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing - const output = yield this.git.submoduleForeach(`git config "${this.tokenConfigKey}" "${this.tokenPlaceholderConfigValue}" && git config --local --show-origin --name-only --get-regexp remote.origin.url`, this.settings.nestedSubmodules); + const commands = [ + `git config --local "${this.tokenConfigKey}" "${this.tokenPlaceholderConfigValue}"`, + `git config --local "${this.insteadOfKey}" "${this.insteadOfValue}"`, + `git config --local --show-origin --name-only --get-regexp remote.origin.url` + ]; + const output = yield this.git.submoduleForeach(commands.join(' && '), this.settings.nestedSubmodules); // Replace the placeholder const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []; for (const configPath of configPaths) {
diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts
index dd76fe9..3f36ff8 100644
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -34,6 +34,8 @@ class GitAuthHelper {
 private readonly settings: IGitSourceSettings
 private readonly tokenConfigKey: string = `http.https://${HOSTNAME}/.extraheader`
 private readonly tokenPlaceholderConfigValue: string
+ private readonly insteadOfKey: string = `url.https://${HOSTNAME}/.insteadOf`
+ private readonly insteadOfValue: string = `git@${HOSTNAME}:`
 private temporaryHomePath = ''
 private tokenConfigValue: string
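Review bot: `insteadOfValue` is the single prefix `git@${HOSTNAME}:`, so the rewrite in `src/git-auth-helper.ts` only matches scp-style remotes. A submodule declared as `ssh://git@<host>/owner/repo` does not start with that prefix and would still be fetched over SSH, where it will likely fail on a runner without a key. Either add a second insteadOf entry for the `ssh://` form or state the limit on the field, for example `// Rewrites scp-style SSH remotes (git@host:owner/repo) to HTTPS so the token header applies; ssh:// URLs are not covered`. The class body continues outside the hunk.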
@@ -92,13 +94,19 @@ class GitAuthHelper {
 await fs.promises.writeFile(newGitConfigPath, '')
 }
- // Configure the token
 try {
+ // Override HOME
 core.info(
 `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
 )
 this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
+
+ // Configure the token
 await this.configureToken(newGitConfigPath, true)
+
+ // Configure HTTPS instead of SSH
+ await this.git.tryConfigUnset(this.insteadOfKey, true)
+ await this.git.config(this.insteadOfKey, this.insteadOfValue, true)
 } catch (err) {
 // Unset in case somehow written to the real global config
 core.info(
@@ -114,8 +122,13 @@ class GitAuthHelper {
 // Configure a placeholder value. This approach avoids the credential being captured
 // by process creation audit events, which are commonly logged. For more information,
 // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+ const commands = [
+ `git config --local "${this.tokenConfigKey}" "${this.tokenPlaceholderConfigValue}"`,
+ `git config --local "${this.insteadOfKey}" "${this.insteadOfValue}"`,
+ `git config --local --show-origin --name-only --get-regexp remote.origin.url`
+ ]
 const output = await this.git.submoduleForeach(
- `git config "${this.tokenConfigKey}" "${this.tokenPlaceholderConfigValue}" && git config --local --show-origin --name-only --get-regexp remote.origin.url`,
+ commands.join(' && '),
 this.settings.nestedSubmodules
 )
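Review bot: The `catch (err)` block after the new `tryConfigUnset`/`config` calls is not extended to unset `insteadOfKey`, although its own comment says it exists to undo values "somehow written to the real global config". A URL rewrite left in a real global config on a reused runner would redirect every later `git@host:` remote for that user to HTTPS, so the fallback should cover the new key too: `await this.git.tryConfigUnset(this.insteadOfKey, true)` before the rethrow. The catch body runs past the end of the hunk, so this is inferred from the absence of any added line there; the log message inside it may also need to mention more than the token.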
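Review bot: The second entry in `commands` writes `url.https://<host>/.insteadOf` into every submodule's local config, and nothing in this diff adds a matching unset, so the rewrite appears to persist after the token placeholder is cleaned up. On a reused workspace, later git operations in those submodules would keep being redirected from `git@host:` to HTTPS without the credential that made the redirect useful. If that is not intended, the cleanup's submodule foreach should also run `git config --local --unset-all "${this.insteadOfKey}"`; the cleanup code is outside the hunks shown, so confirm there. The comment above `commands` still describes only the placeholder, and a line such as `// Also rewrite SSH remotes to HTTPS inside each submodule` would cover the second entry.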