peter-evans/create-pull-request
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 6

fix: only remove credentials created by this action instance

Browse source 
Previously, removeIncludeIfCredentials() deleted all includeIf.gitdir
entries matching git-credentials-*.config, regardless of which action
created them. This broke subsequent workflow steps that relied on
credentials persisted by other actions (e.g., actions/checkout@v6).

Now the cleanup only removes the specific credentials file and config
entries created by this action instance, leaving other actions'
credentials intact.
This commit is contained in:
Peter Evans 2026-01-23 09:43:33 +00:00
parent 64240115db
commit ca2f66fc96
3 changed files with 54 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

44
dist/index.js vendored
View file

@ -979,8 +979,6 @@ class GitCommandManager {
else {
args.push(globalConfig ? '--global' : '--local');
}
// Use --fixed-value to treat configValue as a literal string, not a regex pattern.
// This is important for file paths which contain regex special characters like '.'
args.push('--fixed-value', '--unset', configKey, configValue);
const output = yield this.exec(args, { allowAllExitCodes: true });
return output.exitCode === 0;
@ -1363,12 +1361,16 @@ class GitConfigHelper {
});
}
/**
* Removes includeIf entries that point to git-credentials-*.config files
* and deletes the credentials config files.
* Removes the includeIf entry and credentials config file created by this action instance.
* Only cleans up the specific credentials file tracked in this.credentialsConfigPath,
* leaving credentials created by other actions (e.g., actions/checkout) intact.
*/
removeIncludeIfCredentials() {
return __awaiter(this, void 0, void 0, function* () {
const credentialsPaths = new Set();
// Only clean up if this action instance created a credentials config file
if (!this.credentialsConfigPath) {
return;
}
try {
// Get all includeIf.gitdir keys from local config
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:');
@ -1376,9 +1378,8 @@ class GitConfigHelper {
// Get all values for this key
const values = yield this.git.tryGetConfigValues(key);
for (const value of values) {
// Check if value matches git-credentials-<uuid>.config pattern
if (this.isCredentialsConfigPath(value)) {
credentialsPaths.add(value);
// Only remove entries pointing to our specific credentials file
if (value === this.credentialsConfigPath) {
yield this.git.tryConfigUnsetValue(key, value);
core.debug(`Removed includeIf entry: ${key} = ${value}`);
}
@ -1389,30 +1390,19 @@ class GitConfigHelper {
// Ignore errors during cleanup
core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`);
}
// Delete credentials config files that are under RUNNER_TEMP
// Delete only our credentials config file
const runnerTemp = process.env['RUNNER_TEMP'];
if (runnerTemp) {
for (const credentialsPath of credentialsPaths) {
// Only remove files under RUNNER_TEMP for safety
if (credentialsPath.startsWith(runnerTemp)) {
try {
yield fs.promises.unlink(credentialsPath);
core.info(`Removed credentials config file: ${credentialsPath}`);
}
catch (e) {
core.debug(`Could not remove credentials file ${credentialsPath}: ${utils.getErrorMessage(e)}`);
}
}
if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) {
try {
yield fs.promises.unlink(this.credentialsConfigPath);
core.info(`Removed credentials config file: ${this.credentialsConfigPath}`);
}
catch (e) {
core.debug(`Could not remove credentials file ${this.credentialsConfigPath}: ${utils.getErrorMessage(e)}`);
}
}
});
}
/**
* Tests if a path matches the git-credentials-*.config pattern.
*/
isCredentialsConfigPath(filePath) {
return /git-credentials-[0-9a-f-]+\.config$/i.test(filePath);
}
/**
* Sets extraheader config directly in .git/config (old-style auth).
* Used only for restoring persisted credentials from checkout@v4/v5.