From 49243000746c1e9f4a00a03306559bcfb76df28b Mon Sep 17 00:00:00 2001 From: Peter Evans <18365890+peter-evans@users.noreply.github.com> Date: Wed, 21 Jan 2026 16:58:41 +0000 Subject: [PATCH 1/5] feat: adopt checkout@v6 auth pattern using credentials files Replace the workaround that hid/restored checkout@v6 credential files with a proper implementation that aligns with actions/checkout@v6's new authentication approach. Changes: - Store credentials in separate config file in RUNNER_TEMP with UUID - Use git's includeIf.gitdir mechanism to conditionally include credentials - Support both host and Docker container paths for credential resolution - Add worktree path support for git worktrees - Maintain backwards compatibility with checkout@v4/v5 old-style auth GitCommandManager: - Add configFile parameter to config() method - Add tryConfigUnsetValue() for key-value specific unset - Add tryGetConfigValues() for multi-value config keys - Add tryGetConfigKeys() for regex pattern matching config keys GitConfigHelper: - Remove hacky hide/unhide credential file approach - Add getCredentialsConfigPath() for UUID-based credential file paths - Add configureIncludeIf() for setting up includeIf entries - Add removeIncludeIfCredentials() for cleanup - Retain setExtraheaderConfig() for restoring old-style persisted auth --- __test__/git-config-helper.int.test.ts | 75 ++++++- dist/index.js | 281 +++++++++++++++++++------ src/git-command-manager.ts | 71 ++++++- src/git-config-helper.ts | 270 +++++++++++++++++------- 4 files changed, 546 insertions(+), 151 deletions(-) diff --git a/__test__/git-config-helper.int.test.ts b/__test__/git-config-helper.int.test.ts index dbb2513..1f6a8d1 100644 --- a/__test__/git-config-helper.int.test.ts +++ b/__test__/git-config-helper.int.test.ts @@ -1,5 +1,7 @@ import {GitCommandManager} from '../lib/git-command-manager' import {GitConfigHelper} from '../lib/git-config-helper' +import * as fs from 'fs' +import * as path from 'path' const REPO_PATH = '/git/local/repos/test-base' @@ -7,29 +9,92 @@ const extraheaderConfigKey = 'http.https://127.0.0.1/.extraheader' describe('git-config-helper integration tests', () => { let git: GitCommandManager + let originalRunnerTemp: string | undefined beforeAll(async () => { git = await GitCommandManager.create(REPO_PATH) }) + beforeEach(async () => { + // Save original RUNNER_TEMP + originalRunnerTemp = process.env['RUNNER_TEMP'] + // Create a temp directory for tests + const tempDir = await fs.promises.mkdtemp('/tmp/cpr-test-') + process.env['RUNNER_TEMP'] = tempDir + process.env['GITHUB_WORKSPACE'] = REPO_PATH + }) + + afterEach(async () => { + // Clean up RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP'] + if (runnerTemp && runnerTemp.startsWith('/tmp/cpr-test-')) { + await fs.promises.rm(runnerTemp, {recursive: true, force: true}) + } + // Restore original RUNNER_TEMP + if (originalRunnerTemp !== undefined) { + process.env['RUNNER_TEMP'] = originalRunnerTemp + } else { + delete process.env['RUNNER_TEMP'] + } + }) + it('tests save and restore with no persisted auth', async () => { const gitConfigHelper = await GitConfigHelper.create(git) await gitConfigHelper.close() }) - it('tests configure and removal of auth', async () => { + it('tests configure and removal of auth using credentials file', async () => { + const runnerTemp = process.env['RUNNER_TEMP']! const gitConfigHelper = await GitConfigHelper.create(git) await gitConfigHelper.configureToken('github-token') - expect(await git.configExists(extraheaderConfigKey)).toBeTruthy() - expect(await git.getConfigValue(extraheaderConfigKey)).toEqual( + + // Verify credentials file was created in RUNNER_TEMP + const files = await fs.promises.readdir(runnerTemp) + const credentialsFiles = files.filter( + f => f.startsWith('git-credentials-') && f.endsWith('.config') + ) + expect(credentialsFiles.length).toBe(1) + + // Verify credentials file contains the auth token + const credentialsPath = path.join(runnerTemp, credentialsFiles[0]) + const credentialsContent = await fs.promises.readFile( + credentialsPath, + 'utf8' + ) + expect(credentialsContent).toContain( 'AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2l0aHViLXRva2Vu' ) + // Verify includeIf entries were added to local config + const includeIfKeys = await git.tryGetConfigKeys('^includeIf\\.gitdir:') + expect(includeIfKeys.length).toBeGreaterThan(0) + await gitConfigHelper.close() - expect(await git.configExists(extraheaderConfigKey)).toBeFalsy() + + // Verify credentials file was removed + const filesAfter = await fs.promises.readdir(runnerTemp) + const credentialsFilesAfter = filesAfter.filter( + f => f.startsWith('git-credentials-') && f.endsWith('.config') + ) + expect(credentialsFilesAfter.length).toBe(0) + + // Verify includeIf entries were removed + const includeIfKeysAfter = await git.tryGetConfigKeys( + '^includeIf\\.gitdir:' + ) + const credentialIncludes = [] + for (const key of includeIfKeysAfter) { + const values = await git.tryGetConfigValues(key) + for (const value of values) { + if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) { + credentialIncludes.push(value) + } + } + } + expect(credentialIncludes.length).toBe(0) }) - it('tests save and restore of persisted auth', async () => { + it('tests save and restore of persisted auth (old-style)', async () => { const extraheaderConfigValue = 'AUTHORIZATION: basic ***persisted-auth***' await git.config(extraheaderConfigKey, extraheaderConfigValue) diff --git a/dist/index.js b/dist/index.js index 5610005..f1684e5 100644 --- a/dist/index.js +++ b/dist/index.js @@ -730,9 +730,15 @@ class GitCommandManager { return yield this.exec(args, { allowAllExitCodes: allowAllExitCodes }); }); } - config(configKey, configValue, globalConfig, add) { + config(configKey, configValue, globalConfig, add, configFile) { return __awaiter(this, void 0, void 0, function* () { - const args = ['config', globalConfig ? '--global' : '--local']; + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } if (add) { args.push('--add'); } @@ -964,6 +970,60 @@ class GitCommandManager { return output.exitCode === 0; }); } + tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) { + return __awaiter(this, void 0, void 0, function* () { + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } + args.push('--unset', configKey, configValue); + const output = yield this.exec(args, { allowAllExitCodes: true }); + return output.exitCode === 0; + }); + } + tryGetConfigValues(configKey, globalConfig, configFile) { + return __awaiter(this, void 0, void 0, function* () { + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } + args.push('--get-all', configKey); + const output = yield this.exec(args, { allowAllExitCodes: true }); + if (output.exitCode !== 0) { + return []; + } + return output.stdout + .trim() + .split('\n') + .filter(value => value.trim()); + }); + } + tryGetConfigKeys(pattern, globalConfig, configFile) { + return __awaiter(this, void 0, void 0, function* () { + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } + args.push('--name-only', '--get-regexp', pattern); + const output = yield this.exec(args, { allowAllExitCodes: true }); + if (output.exitCode !== 0) { + return []; + } + return output.stdout + .trim() + .split('\n') + .filter(key => key.trim()); + }); + } tryGetRemoteUrl() { return __awaiter(this, void 0, void 0, function* () { const output = yield this.exec(['config', '--local', '--get', 'remote.origin.url'], { allowAllExitCodes: true }); @@ -1100,9 +1160,9 @@ const fs = __importStar(__nccwpck_require__(9896)); const path = __importStar(__nccwpck_require__(6928)); const url_1 = __nccwpck_require__(7016); const utils = __importStar(__nccwpck_require__(9277)); +const uuid_1 = __nccwpck_require__(2048); class GitConfigHelper { constructor(git) { - this.gitConfigPath = ''; this.safeDirectoryConfigKey = 'safe.directory'; this.safeDirectoryAdded = false; this.remoteUrl = ''; @@ -1110,7 +1170,8 @@ class GitConfigHelper { this.extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***'; this.extraheaderConfigValueRegex = '^AUTHORIZATION:'; this.persistedExtraheaderConfigValue = ''; - this.backedUpCredentialFiles = []; + // Path to the credentials config file in RUNNER_TEMP (new v6-style auth) + this.credentialsConfigPath = ''; this.git = git; this.workingDirectory = this.git.getWorkingDirectory(); } @@ -1190,16 +1251,15 @@ class GitConfigHelper { return __awaiter(this, void 0, void 0, function* () { const serverUrl = new url_1.URL(`https://${this.getGitRemote().hostname}`); this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader`; - // Backup checkout@v6 credential files if they exist - yield this.hideCredentialFiles(); - // Save and unset persisted extraheader credential in git config if it exists + // Save and unset persisted extraheader credential in git config if it exists (old-style auth) + // Note: checkout@v6 uses credentials files with includeIf, so we don't need to + // manipulate those - they work independently via git's include mechanism this.persistedExtraheaderConfigValue = yield this.getAndUnset(); }); } restorePersistedAuth() { return __awaiter(this, void 0, void 0, function* () { - // Restore checkout@v6 credential files if they were backed up - yield this.unhideCredentialFiles(); + // Restore old-style extraheader config if it was persisted if (this.persistedExtraheaderConfigValue) { try { yield this.setExtraheaderConfig(this.persistedExtraheaderConfigValue); @@ -1213,69 +1273,165 @@ class GitConfigHelper { } configureToken(token) { return __awaiter(this, void 0, void 0, function* () { - // Encode and configure the basic credential for HTTPS access + // Encode the basic credential for HTTPS access const basicCredential = Buffer.from(`x-access-token:${token}`, 'utf8').toString('base64'); core.setSecret(basicCredential); const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}`; - yield this.setExtraheaderConfig(extraheaderConfigValue); + // Get or create the credentials config file path + const credentialsConfigPath = this.getCredentialsConfigPath(); + // Write placeholder to the separate credentials config file using git config. + // This approach avoids the credential being captured by process creation audit events, + // which are commonly logged. For more information, refer to + // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + yield this.git.config(this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue, false, // globalConfig + false, // add + credentialsConfigPath); + // Replace the placeholder in the credentials config file + let content = (yield fs.promises.readFile(credentialsConfigPath)).toString(); + const placeholderIndex = content.indexOf(this.extraheaderConfigPlaceholderValue); + if (placeholderIndex < 0 || + placeholderIndex != + content.lastIndexOf(this.extraheaderConfigPlaceholderValue)) { + throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`); + } + content = content.replace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); + yield fs.promises.writeFile(credentialsConfigPath, content); + // Configure includeIf entries to reference the credentials config file + yield this.configureIncludeIf(credentialsConfigPath); }); } removeAuth() { return __awaiter(this, void 0, void 0, function* () { + // Remove old-style extraheader config if it exists yield this.getAndUnset(); + // Remove includeIf entries that point to git-credentials-*.config files + // and clean up the credentials config files + yield this.removeIncludeIfCredentials(); }); } + /** + * Gets or creates the path to the credentials config file in RUNNER_TEMP. + * @returns The absolute path to the credentials config file + */ + getCredentialsConfigPath() { + if (this.credentialsConfigPath) { + return this.credentialsConfigPath; + } + const runnerTemp = process.env['RUNNER_TEMP'] || ''; + if (!runnerTemp) { + throw new Error('RUNNER_TEMP is not defined'); + } + // Create a unique filename for this action instance + const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`; + this.credentialsConfigPath = path.join(runnerTemp, configFileName); + core.debug(`Credentials config path: ${this.credentialsConfigPath}`); + return this.credentialsConfigPath; + } + /** + * Configures includeIf entries in the local git config to reference the credentials file. + * Sets up entries for both host and container paths to support Docker container actions. + */ + configureIncludeIf(credentialsConfigPath) { + return __awaiter(this, void 0, void 0, function* () { + // Host git directory + const gitDir = yield this.git.getGitDirectory(); + let hostGitDir = path.join(this.workingDirectory, gitDir); + hostGitDir = hostGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows + // Configure host includeIf + const hostIncludeKey = `includeIf.gitdir:${hostGitDir}.path`; + yield this.git.config(hostIncludeKey, credentialsConfigPath); + // Configure host includeIf for worktrees + const hostWorktreeIncludeKey = `includeIf.gitdir:${hostGitDir}/worktrees/*.path`; + yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath); + // Container paths for Docker container actions + const githubWorkspace = process.env['GITHUB_WORKSPACE']; + if (githubWorkspace) { + let relativePath = path.relative(githubWorkspace, this.workingDirectory); + relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows + const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git'); + // Container credentials config path + const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); + // Configure container includeIf + const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`; + yield this.git.config(containerIncludeKey, containerCredentialsPath); + // Configure container includeIf for worktrees + const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`; + yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath); + } + }); + } + /** + * Removes includeIf entries that point to git-credentials-*.config files + * and deletes the credentials config files. + */ + removeIncludeIfCredentials() { + return __awaiter(this, void 0, void 0, function* () { + const credentialsPaths = new Set(); + try { + // Get all includeIf.gitdir keys from local config + const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:'); + for (const key of keys) { + // Get all values for this key + const values = yield this.git.tryGetConfigValues(key); + for (const value of values) { + // Check if value matches git-credentials-.config pattern + if (this.isCredentialsConfigPath(value)) { + credentialsPaths.add(value); + yield this.git.tryConfigUnsetValue(key, value); + core.debug(`Removed includeIf entry: ${key} = ${value}`); + } + } + } + } + catch (e) { + // Ignore errors during cleanup + core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`); + } + // Delete credentials config files that are under RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP']; + if (runnerTemp) { + for (const credentialsPath of credentialsPaths) { + // Only remove files under RUNNER_TEMP for safety + if (credentialsPath.startsWith(runnerTemp)) { + try { + yield fs.promises.unlink(credentialsPath); + core.info(`Removed credentials config file: ${credentialsPath}`); + } + catch (e) { + core.debug(`Could not remove credentials file ${credentialsPath}: ${utils.getErrorMessage(e)}`); + } + } + } + } + }); + } + /** + * Tests if a path matches the git-credentials-*.config pattern. + */ + isCredentialsConfigPath(filePath) { + return /git-credentials-[0-9a-f-]+\.config$/i.test(filePath); + } + /** + * Sets extraheader config directly in .git/config (old-style auth). + * Used only for restoring persisted credentials from checkout@v4/v5. + */ setExtraheaderConfig(extraheaderConfigValue) { return __awaiter(this, void 0, void 0, function* () { // Configure a placeholder value. This approach avoids the credential being captured // by process creation audit events, which are commonly logged. For more information, // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing - // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274 yield this.git.config(this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue); - // Replace the placeholder - yield this.gitConfigStringReplace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); - }); - } - hideCredentialFiles() { - return __awaiter(this, void 0, void 0, function* () { - // Temporarily hide checkout@v6 credential files to avoid duplicate auth headers - const runnerTemp = process.env['RUNNER_TEMP']; - if (!runnerTemp) { - return; + // Replace the placeholder in the local git config + const gitDir = yield this.git.getGitDirectory(); + const gitConfigPath = path.join(this.workingDirectory, gitDir, 'config'); + let content = (yield fs.promises.readFile(gitConfigPath)).toString(); + const index = content.indexOf(this.extraheaderConfigPlaceholderValue); + if (index < 0 || + index != content.lastIndexOf(this.extraheaderConfigPlaceholderValue)) { + throw new Error(`Unable to replace '${this.extraheaderConfigPlaceholderValue}' in ${gitConfigPath}`); } - try { - const files = yield fs.promises.readdir(runnerTemp); - for (const file of files) { - if (file.startsWith('git-credentials-') && file.endsWith('.config')) { - const sourcePath = path.join(runnerTemp, file); - const backupPath = `${sourcePath}.bak`; - yield fs.promises.rename(sourcePath, backupPath); - this.backedUpCredentialFiles.push(backupPath); - core.info(`Temporarily hiding checkout credential file: ${file} (will be restored after)`); - } - } - } - catch (e) { - // If directory doesn't exist or we can't read it, just continue - core.debug(`Could not backup credential files: ${utils.getErrorMessage(e)}`); - } - }); - } - unhideCredentialFiles() { - return __awaiter(this, void 0, void 0, function* () { - // Restore checkout@v6 credential files that were backed up - for (const backupPath of this.backedUpCredentialFiles) { - try { - const originalPath = backupPath.replace(/\.bak$/, ''); - yield fs.promises.rename(backupPath, originalPath); - const fileName = path.basename(originalPath); - core.info(`Restored checkout credential file: ${fileName}`); - } - catch (e) { - core.warning(`Failed to restore credential file ${backupPath}: ${utils.getErrorMessage(e)}`); - } - } - this.backedUpCredentialFiles = []; + content = content.replace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); + yield fs.promises.writeFile(gitConfigPath, content); }); } getAndUnset() { @@ -1294,21 +1450,6 @@ class GitConfigHelper { return configValue; }); } - gitConfigStringReplace(find, replace) { - return __awaiter(this, void 0, void 0, function* () { - if (this.gitConfigPath.length === 0) { - const gitDir = yield this.git.getGitDirectory(); - this.gitConfigPath = path.join(this.workingDirectory, gitDir, 'config'); - } - let content = (yield fs.promises.readFile(this.gitConfigPath)).toString(); - const index = content.indexOf(find); - if (index < 0 || index != content.lastIndexOf(find)) { - throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`); - } - content = content.replace(find, replace); - yield fs.promises.writeFile(this.gitConfigPath, content); - }); - } } exports.GitConfigHelper = GitConfigHelper; diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index 6270f19..44d0177 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -96,9 +96,15 @@ export class GitCommandManager { configKey: string, configValue: string, globalConfig?: boolean, - add?: boolean + add?: boolean, + configFile?: string ): Promise { - const args: string[] = ['config', globalConfig ? '--global' : '--local'] + const args: string[] = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } if (add) { args.push('--add') } @@ -350,6 +356,67 @@ export class GitCommandManager { return output.exitCode === 0 } + async tryConfigUnsetValue( + configKey: string, + configValue: string, + globalConfig?: boolean, + configFile?: string + ): Promise { + const args = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } + args.push('--unset', configKey, configValue) + const output = await this.exec(args, {allowAllExitCodes: true}) + return output.exitCode === 0 + } + + async tryGetConfigValues( + configKey: string, + globalConfig?: boolean, + configFile?: string + ): Promise { + const args = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } + args.push('--get-all', configKey) + const output = await this.exec(args, {allowAllExitCodes: true}) + if (output.exitCode !== 0) { + return [] + } + return output.stdout + .trim() + .split('\n') + .filter(value => value.trim()) + } + + async tryGetConfigKeys( + pattern: string, + globalConfig?: boolean, + configFile?: string + ): Promise { + const args = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } + args.push('--name-only', '--get-regexp', pattern) + const output = await this.exec(args, {allowAllExitCodes: true}) + if (output.exitCode !== 0) { + return [] + } + return output.stdout + .trim() + .split('\n') + .filter(key => key.trim()) + } + async tryGetRemoteUrl(): Promise { const output = await this.exec( ['config', '--local', '--get', 'remote.origin.url'], diff --git a/src/git-config-helper.ts b/src/git-config-helper.ts index e929934..c780644 100644 --- a/src/git-config-helper.ts +++ b/src/git-config-helper.ts @@ -4,6 +4,7 @@ import {GitCommandManager} from './git-command-manager' import * as path from 'path' import {URL} from 'url' import * as utils from './utils' +import {v4 as uuid} from 'uuid' interface GitRemote { hostname: string @@ -13,7 +14,6 @@ interface GitRemote { export class GitConfigHelper { private git: GitCommandManager - private gitConfigPath = '' private workingDirectory: string private safeDirectoryConfigKey = 'safe.directory' private safeDirectoryAdded = false @@ -22,7 +22,8 @@ export class GitConfigHelper { private extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***' private extraheaderConfigValueRegex = '^AUTHORIZATION:' private persistedExtraheaderConfigValue = '' - private backedUpCredentialFiles: string[] = [] + // Path to the credentials config file in RUNNER_TEMP (new v6-style auth) + private credentialsConfigPath = '' private constructor(git: GitCommandManager) { this.git = git @@ -122,15 +123,14 @@ export class GitConfigHelper { async savePersistedAuth(): Promise { const serverUrl = new URL(`https://${this.getGitRemote().hostname}`) this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader` - // Backup checkout@v6 credential files if they exist - await this.hideCredentialFiles() - // Save and unset persisted extraheader credential in git config if it exists + // Save and unset persisted extraheader credential in git config if it exists (old-style auth) + // Note: checkout@v6 uses credentials files with includeIf, so we don't need to + // manipulate those - they work independently via git's include mechanism this.persistedExtraheaderConfigValue = await this.getAndUnset() } async restorePersistedAuth(): Promise { - // Restore checkout@v6 credential files if they were backed up - await this.unhideCredentialFiles() + // Restore old-style extraheader config if it was persisted if (this.persistedExtraheaderConfigValue) { try { await this.setExtraheaderConfig(this.persistedExtraheaderConfigValue) @@ -142,81 +142,220 @@ export class GitConfigHelper { } async configureToken(token: string): Promise { - // Encode and configure the basic credential for HTTPS access + // Encode the basic credential for HTTPS access const basicCredential = Buffer.from( `x-access-token:${token}`, 'utf8' ).toString('base64') core.setSecret(basicCredential) const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}` - await this.setExtraheaderConfig(extraheaderConfigValue) + + // Get or create the credentials config file path + const credentialsConfigPath = this.getCredentialsConfigPath() + + // Write placeholder to the separate credentials config file using git config. + // This approach avoids the credential being captured by process creation audit events, + // which are commonly logged. For more information, refer to + // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + await this.git.config( + this.extraheaderConfigKey, + this.extraheaderConfigPlaceholderValue, + false, // globalConfig + false, // add + credentialsConfigPath + ) + + // Replace the placeholder in the credentials config file + let content = (await fs.promises.readFile(credentialsConfigPath)).toString() + const placeholderIndex = content.indexOf( + this.extraheaderConfigPlaceholderValue + ) + if ( + placeholderIndex < 0 || + placeholderIndex != + content.lastIndexOf(this.extraheaderConfigPlaceholderValue) + ) { + throw new Error( + `Unable to replace auth placeholder in ${credentialsConfigPath}` + ) + } + content = content.replace( + this.extraheaderConfigPlaceholderValue, + extraheaderConfigValue + ) + await fs.promises.writeFile(credentialsConfigPath, content) + + // Configure includeIf entries to reference the credentials config file + await this.configureIncludeIf(credentialsConfigPath) } async removeAuth(): Promise { + // Remove old-style extraheader config if it exists await this.getAndUnset() + + // Remove includeIf entries that point to git-credentials-*.config files + // and clean up the credentials config files + await this.removeIncludeIfCredentials() } + /** + * Gets or creates the path to the credentials config file in RUNNER_TEMP. + * @returns The absolute path to the credentials config file + */ + private getCredentialsConfigPath(): string { + if (this.credentialsConfigPath) { + return this.credentialsConfigPath + } + + const runnerTemp = process.env['RUNNER_TEMP'] || '' + if (!runnerTemp) { + throw new Error('RUNNER_TEMP is not defined') + } + + // Create a unique filename for this action instance + const configFileName = `git-credentials-${uuid()}.config` + this.credentialsConfigPath = path.join(runnerTemp, configFileName) + + core.debug(`Credentials config path: ${this.credentialsConfigPath}`) + return this.credentialsConfigPath + } + + /** + * Configures includeIf entries in the local git config to reference the credentials file. + * Sets up entries for both host and container paths to support Docker container actions. + */ + private async configureIncludeIf( + credentialsConfigPath: string + ): Promise { + // Host git directory + const gitDir = await this.git.getGitDirectory() + let hostGitDir = path.join(this.workingDirectory, gitDir) + hostGitDir = hostGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows + + // Configure host includeIf + const hostIncludeKey = `includeIf.gitdir:${hostGitDir}.path` + await this.git.config(hostIncludeKey, credentialsConfigPath) + + // Configure host includeIf for worktrees + const hostWorktreeIncludeKey = `includeIf.gitdir:${hostGitDir}/worktrees/*.path` + await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath) + + // Container paths for Docker container actions + const githubWorkspace = process.env['GITHUB_WORKSPACE'] + if (githubWorkspace) { + let relativePath = path.relative(githubWorkspace, this.workingDirectory) + relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows + const containerGitDir = path.posix.join( + '/github/workspace', + relativePath, + '.git' + ) + + // Container credentials config path + const containerCredentialsPath = path.posix.join( + '/github/runner_temp', + path.basename(credentialsConfigPath) + ) + + // Configure container includeIf + const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path` + await this.git.config(containerIncludeKey, containerCredentialsPath) + + // Configure container includeIf for worktrees + const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path` + await this.git.config( + containerWorktreeIncludeKey, + containerCredentialsPath + ) + } + } + + /** + * Removes includeIf entries that point to git-credentials-*.config files + * and deletes the credentials config files. + */ + private async removeIncludeIfCredentials(): Promise { + const credentialsPaths = new Set() + + try { + // Get all includeIf.gitdir keys from local config + const keys = await this.git.tryGetConfigKeys('^includeIf\\.gitdir:') + + for (const key of keys) { + // Get all values for this key + const values = await this.git.tryGetConfigValues(key) + for (const value of values) { + // Check if value matches git-credentials-.config pattern + if (this.isCredentialsConfigPath(value)) { + credentialsPaths.add(value) + await this.git.tryConfigUnsetValue(key, value) + core.debug(`Removed includeIf entry: ${key} = ${value}`) + } + } + } + } catch (e) { + // Ignore errors during cleanup + core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`) + } + + // Delete credentials config files that are under RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP'] + if (runnerTemp) { + for (const credentialsPath of credentialsPaths) { + // Only remove files under RUNNER_TEMP for safety + if (credentialsPath.startsWith(runnerTemp)) { + try { + await fs.promises.unlink(credentialsPath) + core.info(`Removed credentials config file: ${credentialsPath}`) + } catch (e) { + core.debug( + `Could not remove credentials file ${credentialsPath}: ${utils.getErrorMessage(e)}` + ) + } + } + } + } + } + + /** + * Tests if a path matches the git-credentials-*.config pattern. + */ + private isCredentialsConfigPath(filePath: string): boolean { + return /git-credentials-[0-9a-f-]+\.config$/i.test(filePath) + } + + /** + * Sets extraheader config directly in .git/config (old-style auth). + * Used only for restoring persisted credentials from checkout@v4/v5. + */ private async setExtraheaderConfig( extraheaderConfigValue: string ): Promise { // Configure a placeholder value. This approach avoids the credential being captured // by process creation audit events, which are commonly logged. For more information, // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing - // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274 await this.git.config( this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue ) - // Replace the placeholder - await this.gitConfigStringReplace( + // Replace the placeholder in the local git config + const gitDir = await this.git.getGitDirectory() + const gitConfigPath = path.join(this.workingDirectory, gitDir, 'config') + let content = (await fs.promises.readFile(gitConfigPath)).toString() + const index = content.indexOf(this.extraheaderConfigPlaceholderValue) + if ( + index < 0 || + index != content.lastIndexOf(this.extraheaderConfigPlaceholderValue) + ) { + throw new Error( + `Unable to replace '${this.extraheaderConfigPlaceholderValue}' in ${gitConfigPath}` + ) + } + content = content.replace( this.extraheaderConfigPlaceholderValue, extraheaderConfigValue ) - } - - private async hideCredentialFiles(): Promise { - // Temporarily hide checkout@v6 credential files to avoid duplicate auth headers - const runnerTemp = process.env['RUNNER_TEMP'] - if (!runnerTemp) { - return - } - - try { - const files = await fs.promises.readdir(runnerTemp) - for (const file of files) { - if (file.startsWith('git-credentials-') && file.endsWith('.config')) { - const sourcePath = path.join(runnerTemp, file) - const backupPath = `${sourcePath}.bak` - await fs.promises.rename(sourcePath, backupPath) - this.backedUpCredentialFiles.push(backupPath) - core.info( - `Temporarily hiding checkout credential file: ${file} (will be restored after)` - ) - } - } - } catch (e) { - // If directory doesn't exist or we can't read it, just continue - core.debug( - `Could not backup credential files: ${utils.getErrorMessage(e)}` - ) - } - } - - private async unhideCredentialFiles(): Promise { - // Restore checkout@v6 credential files that were backed up - for (const backupPath of this.backedUpCredentialFiles) { - try { - const originalPath = backupPath.replace(/\.bak$/, '') - await fs.promises.rename(backupPath, originalPath) - const fileName = path.basename(originalPath) - core.info(`Restored checkout credential file: ${fileName}`) - } catch (e) { - core.warning( - `Failed to restore credential file ${backupPath}: ${utils.getErrorMessage(e)}` - ) - } - } - this.backedUpCredentialFiles = [] + await fs.promises.writeFile(gitConfigPath, content) } private async getAndUnset(): Promise { @@ -247,21 +386,4 @@ export class GitConfigHelper { } return configValue } - - private async gitConfigStringReplace( - find: string, - replace: string - ): Promise { - if (this.gitConfigPath.length === 0) { - const gitDir = await this.git.getGitDirectory() - this.gitConfigPath = path.join(this.workingDirectory, gitDir, 'config') - } - let content = (await fs.promises.readFile(this.gitConfigPath)).toString() - const index = content.indexOf(find) - if (index < 0 || index != content.lastIndexOf(find)) { - throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`) - } - content = content.replace(find, replace) - await fs.promises.writeFile(this.gitConfigPath, content) - } } From 2df30281e153c8ff4f2f6cbbd496d88b2ca51787 Mon Sep 17 00:00:00 2001 From: Peter Evans <18365890+peter-evans@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:33:33 +0000 Subject: [PATCH 2/5] fix: add type annotation to fix TS2345 error in integration test The credentialIncludes array was missing a type annotation, causing TypeScript to infer it as never[] and reject string pushes. --- __test__/git-config-helper.int.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/__test__/git-config-helper.int.test.ts b/__test__/git-config-helper.int.test.ts index 1f6a8d1..8a53c19 100644 --- a/__test__/git-config-helper.int.test.ts +++ b/__test__/git-config-helper.int.test.ts @@ -82,7 +82,7 @@ describe('git-config-helper integration tests', () => { const includeIfKeysAfter = await git.tryGetConfigKeys( '^includeIf\\.gitdir:' ) - const credentialIncludes = [] + const credentialIncludes: string[] = [] for (const key of includeIfKeysAfter) { const values = await git.tryGetConfigValues(key) for (const value of values) { From 64240115db5d324fed9b6f63650e6af66074843a Mon Sep 17 00:00:00 2001 From: Peter Evans <18365890+peter-evans@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:59:11 +0000 Subject: [PATCH 3/5] fix: use --fixed-value flag when unsetting git config values The tryConfigUnsetValue method was passing file paths directly to `git config --unset`, which treats the value argument as an extended regular expression. File paths contain `.` characters that would match any character instead of literal periods, potentially causing incorrect matches. Adding the --fixed-value flag ensures the value is treated as a literal string, fixing credential config cleanup in the v6-style authentication. --- dist/index.js | 4 +++- src/git-command-manager.ts | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/dist/index.js b/dist/index.js index f1684e5..6dc7025 100644 --- a/dist/index.js +++ b/dist/index.js @@ -979,7 +979,9 @@ class GitCommandManager { else { args.push(globalConfig ? '--global' : '--local'); } - args.push('--unset', configKey, configValue); + // Use --fixed-value to treat configValue as a literal string, not a regex pattern. + // This is important for file paths which contain regex special characters like '.' + args.push('--fixed-value', '--unset', configKey, configValue); const output = yield this.exec(args, { allowAllExitCodes: true }); return output.exitCode === 0; }); diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index 44d0177..b0ed1ae 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -368,7 +368,7 @@ export class GitCommandManager { } else { args.push(globalConfig ? '--global' : '--local') } - args.push('--unset', configKey, configValue) + args.push('--fixed-value', '--unset', configKey, configValue) const output = await this.exec(args, {allowAllExitCodes: true}) return output.exitCode === 0 } From ca2f66fc96eb384f95f3334e65e26d794cf0f1cd Mon Sep 17 00:00:00 2001 From: Peter Evans <18365890+peter-evans@users.noreply.github.com> Date: Fri, 23 Jan 2026 09:43:33 +0000 Subject: [PATCH 4/5] fix: only remove credentials created by this action instance Previously, removeIncludeIfCredentials() deleted all includeIf.gitdir entries matching git-credentials-*.config, regardless of which action created them. This broke subsequent workflow steps that relied on credentials persisted by other actions (e.g., actions/checkout@v6). Now the cleanup only removes the specific credentials file and config entries created by this action instance, leaving other actions' credentials intact. --- __test__/git-config-helper.int.test.ts | 22 +++++++++--- dist/index.js | 44 ++++++++++-------------- src/git-config-helper.ts | 47 +++++++++++--------------- 3 files changed, 54 insertions(+), 59 deletions(-) diff --git a/__test__/git-config-helper.int.test.ts b/__test__/git-config-helper.int.test.ts index 8a53c19..85996cc 100644 --- a/__test__/git-config-helper.int.test.ts +++ b/__test__/git-config-helper.int.test.ts @@ -69,6 +69,18 @@ describe('git-config-helper integration tests', () => { const includeIfKeys = await git.tryGetConfigKeys('^includeIf\\.gitdir:') expect(includeIfKeys.length).toBeGreaterThan(0) + // Count credential includes pointing to this action's credentials file + let credentialIncludesForThisAction = 0 + for (const key of includeIfKeys) { + const values = await git.tryGetConfigValues(key) + for (const value of values) { + if (value === credentialsPath) { + credentialIncludesForThisAction++ + } + } + } + expect(credentialIncludesForThisAction).toBeGreaterThan(0) + await gitConfigHelper.close() // Verify credentials file was removed @@ -78,20 +90,20 @@ describe('git-config-helper integration tests', () => { ) expect(credentialsFilesAfter.length).toBe(0) - // Verify includeIf entries were removed + // Verify includeIf entries pointing to our specific credentials file were removed const includeIfKeysAfter = await git.tryGetConfigKeys( '^includeIf\\.gitdir:' ) - const credentialIncludes: string[] = [] + let credentialIncludesForThisActionAfter = 0 for (const key of includeIfKeysAfter) { const values = await git.tryGetConfigValues(key) for (const value of values) { - if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) { - credentialIncludes.push(value) + if (value === credentialsPath) { + credentialIncludesForThisActionAfter++ } } } - expect(credentialIncludes.length).toBe(0) + expect(credentialIncludesForThisActionAfter).toBe(0) }) it('tests save and restore of persisted auth (old-style)', async () => { diff --git a/dist/index.js b/dist/index.js index 6dc7025..ecdd195 100644 --- a/dist/index.js +++ b/dist/index.js @@ -979,8 +979,6 @@ class GitCommandManager { else { args.push(globalConfig ? '--global' : '--local'); } - // Use --fixed-value to treat configValue as a literal string, not a regex pattern. - // This is important for file paths which contain regex special characters like '.' args.push('--fixed-value', '--unset', configKey, configValue); const output = yield this.exec(args, { allowAllExitCodes: true }); return output.exitCode === 0; @@ -1363,12 +1361,16 @@ class GitConfigHelper { }); } /** - * Removes includeIf entries that point to git-credentials-*.config files - * and deletes the credentials config files. + * Removes the includeIf entry and credentials config file created by this action instance. + * Only cleans up the specific credentials file tracked in this.credentialsConfigPath, + * leaving credentials created by other actions (e.g., actions/checkout) intact. */ removeIncludeIfCredentials() { return __awaiter(this, void 0, void 0, function* () { - const credentialsPaths = new Set(); + // Only clean up if this action instance created a credentials config file + if (!this.credentialsConfigPath) { + return; + } try { // Get all includeIf.gitdir keys from local config const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:'); @@ -1376,9 +1378,8 @@ class GitConfigHelper { // Get all values for this key const values = yield this.git.tryGetConfigValues(key); for (const value of values) { - // Check if value matches git-credentials-.config pattern - if (this.isCredentialsConfigPath(value)) { - credentialsPaths.add(value); + // Only remove entries pointing to our specific credentials file + if (value === this.credentialsConfigPath) { yield this.git.tryConfigUnsetValue(key, value); core.debug(`Removed includeIf entry: ${key} = ${value}`); } @@ -1389,30 +1390,19 @@ class GitConfigHelper { // Ignore errors during cleanup core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`); } - // Delete credentials config files that are under RUNNER_TEMP + // Delete only our credentials config file const runnerTemp = process.env['RUNNER_TEMP']; - if (runnerTemp) { - for (const credentialsPath of credentialsPaths) { - // Only remove files under RUNNER_TEMP for safety - if (credentialsPath.startsWith(runnerTemp)) { - try { - yield fs.promises.unlink(credentialsPath); - core.info(`Removed credentials config file: ${credentialsPath}`); - } - catch (e) { - core.debug(`Could not remove credentials file ${credentialsPath}: ${utils.getErrorMessage(e)}`); - } - } + if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) { + try { + yield fs.promises.unlink(this.credentialsConfigPath); + core.info(`Removed credentials config file: ${this.credentialsConfigPath}`); + } + catch (e) { + core.debug(`Could not remove credentials file ${this.credentialsConfigPath}: ${utils.getErrorMessage(e)}`); } } }); } - /** - * Tests if a path matches the git-credentials-*.config pattern. - */ - isCredentialsConfigPath(filePath) { - return /git-credentials-[0-9a-f-]+\.config$/i.test(filePath); - } /** * Sets extraheader config directly in .git/config (old-style auth). * Used only for restoring persisted credentials from checkout@v4/v5. diff --git a/src/git-config-helper.ts b/src/git-config-helper.ts index c780644..4af25a0 100644 --- a/src/git-config-helper.ts +++ b/src/git-config-helper.ts @@ -271,11 +271,15 @@ export class GitConfigHelper { } /** - * Removes includeIf entries that point to git-credentials-*.config files - * and deletes the credentials config files. + * Removes the includeIf entry and credentials config file created by this action instance. + * Only cleans up the specific credentials file tracked in this.credentialsConfigPath, + * leaving credentials created by other actions (e.g., actions/checkout) intact. */ private async removeIncludeIfCredentials(): Promise { - const credentialsPaths = new Set() + // Only clean up if this action instance created a credentials config file + if (!this.credentialsConfigPath) { + return + } try { // Get all includeIf.gitdir keys from local config @@ -285,9 +289,8 @@ export class GitConfigHelper { // Get all values for this key const values = await this.git.tryGetConfigValues(key) for (const value of values) { - // Check if value matches git-credentials-.config pattern - if (this.isCredentialsConfigPath(value)) { - credentialsPaths.add(value) + // Only remove entries pointing to our specific credentials file + if (value === this.credentialsConfigPath) { await this.git.tryConfigUnsetValue(key, value) core.debug(`Removed includeIf entry: ${key} = ${value}`) } @@ -298,32 +301,22 @@ export class GitConfigHelper { core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`) } - // Delete credentials config files that are under RUNNER_TEMP + // Delete only our credentials config file const runnerTemp = process.env['RUNNER_TEMP'] - if (runnerTemp) { - for (const credentialsPath of credentialsPaths) { - // Only remove files under RUNNER_TEMP for safety - if (credentialsPath.startsWith(runnerTemp)) { - try { - await fs.promises.unlink(credentialsPath) - core.info(`Removed credentials config file: ${credentialsPath}`) - } catch (e) { - core.debug( - `Could not remove credentials file ${credentialsPath}: ${utils.getErrorMessage(e)}` - ) - } - } + if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) { + try { + await fs.promises.unlink(this.credentialsConfigPath) + core.info( + `Removed credentials config file: ${this.credentialsConfigPath}` + ) + } catch (e) { + core.debug( + `Could not remove credentials file ${this.credentialsConfigPath}: ${utils.getErrorMessage(e)}` + ) } } } - /** - * Tests if a path matches the git-credentials-*.config pattern. - */ - private isCredentialsConfigPath(filePath: string): boolean { - return /git-credentials-[0-9a-f-]+\.config$/i.test(filePath) - } - /** * Sets extraheader config directly in .git/config (old-style auth). * Used only for restoring persisted credentials from checkout@v4/v5. From d9ef76f1acf12c702bd1cf5c9e2c307781088c48 Mon Sep 17 00:00:00 2001 From: Peter Evans <18365890+peter-evans@users.noreply.github.com> Date: Fri, 23 Jan 2026 10:06:08 +0000 Subject: [PATCH 5/5] fix(security): prevent path traversal in credentials file deletion Use path.resolve() to normalize paths before comparison in removeIncludeIfCredentials(). The previous startsWith() check was vulnerable to path traversal attacks where a path like "/tmp/runner/../../../etc/passwd" would pass the check but resolve outside RUNNER_TEMP. Also append path.sep to prevent false positives (e.g., /tmp/runner2 matching /tmp/runner). --- dist/index.js | 5 ++++- src/git-config-helper.ts | 7 ++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/dist/index.js b/dist/index.js index ecdd195..c0140ab 100644 --- a/dist/index.js +++ b/dist/index.js @@ -1392,7 +1392,10 @@ class GitConfigHelper { } // Delete only our credentials config file const runnerTemp = process.env['RUNNER_TEMP']; - if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) { + const resolvedCredentialsPath = path.resolve(this.credentialsConfigPath); + const resolvedRunnerTemp = runnerTemp ? path.resolve(runnerTemp) : ''; + if (resolvedRunnerTemp && + resolvedCredentialsPath.startsWith(resolvedRunnerTemp + path.sep)) { try { yield fs.promises.unlink(this.credentialsConfigPath); core.info(`Removed credentials config file: ${this.credentialsConfigPath}`); diff --git a/src/git-config-helper.ts b/src/git-config-helper.ts index 4af25a0..bee89c1 100644 --- a/src/git-config-helper.ts +++ b/src/git-config-helper.ts @@ -303,7 +303,12 @@ export class GitConfigHelper { // Delete only our credentials config file const runnerTemp = process.env['RUNNER_TEMP'] - if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) { + const resolvedCredentialsPath = path.resolve(this.credentialsConfigPath) + const resolvedRunnerTemp = runnerTemp ? path.resolve(runnerTemp) : '' + if ( + resolvedRunnerTemp && + resolvedCredentialsPath.startsWith(resolvedRunnerTemp + path.sep) + ) { try { await fs.promises.unlink(this.credentialsConfigPath) core.info(