feat: adopt checkout@v6 auth pattern using credentials files

Replace the workaround that hid/restored checkout@v6 credential files with a proper implementation that aligns with actions/checkout@v6's new authentication approach. Changes: - Store credentials in separate config file in RUNNER_TEMP with UUID - Use git's includeIf.gitdir mechanism to conditionally include credentials - Support both host and Docker container paths for credential resolution - Add worktree path support for git worktrees - Maintain backwards compatibility with checkout@v4/v5 old-style auth GitCommandManager: - Add configFile parameter to config() method - Add tryConfigUnsetValue() for key-value specific unset - Add tryGetConfigValues() for multi-value config keys - Add tryGetConfigKeys() for regex pattern matching config keys GitConfigHelper: - Remove hacky hide/unhide credential file approach - Add getCredentialsConfigPath() for UUID-based credential file paths - Add configureIncludeIf() for setting up includeIf entries - Add removeIncludeIfCredentials() for cleanup - Retain setExtraheaderConfig() for restoring old-style persisted auth
2026-01-21 16:58:41 +00:00 · 2026-01-21 16:58:41 +00:00 · 4924300074
commit 4924300074
parent c0f553fe54
4 changed files with 546 additions and 151 deletions
--- a/test/git-config-helper.int.test.ts
+++ b/test/git-config-helper.int.test.ts
@ -1,5 +1,7 @@
 import {GitCommandManager} from '../lib/git-command-manager'
 import {GitConfigHelper} from '../lib/git-config-helper'
+import * as fs from 'fs'
+import * as path from 'path'

 const REPO_PATH = '/git/local/repos/test-base'

@ -7,29 +9,92 @@ const extraheaderConfigKey = 'http.https://127.0.0.1/.extraheader'

 describe('git-config-helper integration tests', () => {
  let git: GitCommandManager
+  let originalRunnerTemp: string | undefined

  beforeAll(async () => {
    git = await GitCommandManager.create(REPO_PATH)
  })

+  beforeEach(async () => {
+    // Save original RUNNER_TEMP
+    originalRunnerTemp = process.env['RUNNER_TEMP']
+    // Create a temp directory for tests
+    const tempDir = await fs.promises.mkdtemp('/tmp/cpr-test-')
+    process.env['RUNNER_TEMP'] = tempDir
+    process.env['GITHUB_WORKSPACE'] = REPO_PATH
+  })
+
+  afterEach(async () => {
+    // Clean up RUNNER_TEMP
+    const runnerTemp = process.env['RUNNER_TEMP']
+    if (runnerTemp && runnerTemp.startsWith('/tmp/cpr-test-')) {
+      await fs.promises.rm(runnerTemp, {recursive: true, force: true})
+    }
+    // Restore original RUNNER_TEMP
+    if (originalRunnerTemp !== undefined) {
+      process.env['RUNNER_TEMP'] = originalRunnerTemp
+    } else {
+      delete process.env['RUNNER_TEMP']
+    }
+  })
+
  it('tests save and restore with no persisted auth', async () => {
    const gitConfigHelper = await GitConfigHelper.create(git)
    await gitConfigHelper.close()
  })

-  it('tests configure and removal of auth', async () => {
+  it('tests configure and removal of auth using credentials file', async () => {
+    const runnerTemp = process.env['RUNNER_TEMP']!
    const gitConfigHelper = await GitConfigHelper.create(git)
    await gitConfigHelper.configureToken('github-token')
-    expect(await git.configExists(extraheaderConfigKey)).toBeTruthy()
-    expect(await git.getConfigValue(extraheaderConfigKey)).toEqual(
+
+    // Verify credentials file was created in RUNNER_TEMP
+    const files = await fs.promises.readdir(runnerTemp)
+    const credentialsFiles = files.filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(1)
+
+    // Verify credentials file contains the auth token
+    const credentialsPath = path.join(runnerTemp, credentialsFiles[0])
+    const credentialsContent = await fs.promises.readFile(
+      credentialsPath,
+      'utf8'
+    )
+    expect(credentialsContent).toContain(
      'AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2l0aHViLXRva2Vu'
    )

+    // Verify includeIf entries were added to local config
+    const includeIfKeys = await git.tryGetConfigKeys('^includeIf\\.gitdir:')
+    expect(includeIfKeys.length).toBeGreaterThan(0)
+
    await gitConfigHelper.close()
-    expect(await git.configExists(extraheaderConfigKey)).toBeFalsy()
+
+    // Verify credentials file was removed
+    const filesAfter = await fs.promises.readdir(runnerTemp)
+    const credentialsFilesAfter = filesAfter.filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFilesAfter.length).toBe(0)
+
+    // Verify includeIf entries were removed
+    const includeIfKeysAfter = await git.tryGetConfigKeys(
+      '^includeIf\\.gitdir:'
+    )
+    const credentialIncludes = []
+    for (const key of includeIfKeysAfter) {
+      const values = await git.tryGetConfigValues(key)
+      for (const value of values) {
+        if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) {
+          credentialIncludes.push(value)
+        }
+      }
+    }
+    expect(credentialIncludes.length).toBe(0)
  })

-  it('tests save and restore of persisted auth', async () => {
+  it('tests save and restore of persisted auth (old-style)', async () => {
    const extraheaderConfigValue = 'AUTHORIZATION: basic ***persisted-auth***'
    await git.config(extraheaderConfigKey, extraheaderConfigValue)