diff --git a/__test__/git-config-helper.int.test.ts b/__test__/git-config-helper.int.test.ts index 85996cc..dbb2513 100644 --- a/__test__/git-config-helper.int.test.ts +++ b/__test__/git-config-helper.int.test.ts @@ -1,7 +1,5 @@ import {GitCommandManager} from '../lib/git-command-manager' import {GitConfigHelper} from '../lib/git-config-helper' -import * as fs from 'fs' -import * as path from 'path' const REPO_PATH = '/git/local/repos/test-base' @@ -9,104 +7,29 @@ const extraheaderConfigKey = 'http.https://127.0.0.1/.extraheader' describe('git-config-helper integration tests', () => { let git: GitCommandManager - let originalRunnerTemp: string | undefined beforeAll(async () => { git = await GitCommandManager.create(REPO_PATH) }) - beforeEach(async () => { - // Save original RUNNER_TEMP - originalRunnerTemp = process.env['RUNNER_TEMP'] - // Create a temp directory for tests - const tempDir = await fs.promises.mkdtemp('/tmp/cpr-test-') - process.env['RUNNER_TEMP'] = tempDir - process.env['GITHUB_WORKSPACE'] = REPO_PATH - }) - - afterEach(async () => { - // Clean up RUNNER_TEMP - const runnerTemp = process.env['RUNNER_TEMP'] - if (runnerTemp && runnerTemp.startsWith('/tmp/cpr-test-')) { - await fs.promises.rm(runnerTemp, {recursive: true, force: true}) - } - // Restore original RUNNER_TEMP - if (originalRunnerTemp !== undefined) { - process.env['RUNNER_TEMP'] = originalRunnerTemp - } else { - delete process.env['RUNNER_TEMP'] - } - }) - it('tests save and restore with no persisted auth', async () => { const gitConfigHelper = await GitConfigHelper.create(git) await gitConfigHelper.close() }) - it('tests configure and removal of auth using credentials file', async () => { - const runnerTemp = process.env['RUNNER_TEMP']! + it('tests configure and removal of auth', async () => { const gitConfigHelper = await GitConfigHelper.create(git) await gitConfigHelper.configureToken('github-token') - - // Verify credentials file was created in RUNNER_TEMP - const files = await fs.promises.readdir(runnerTemp) - const credentialsFiles = files.filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBe(1) - - // Verify credentials file contains the auth token - const credentialsPath = path.join(runnerTemp, credentialsFiles[0]) - const credentialsContent = await fs.promises.readFile( - credentialsPath, - 'utf8' - ) - expect(credentialsContent).toContain( + expect(await git.configExists(extraheaderConfigKey)).toBeTruthy() + expect(await git.getConfigValue(extraheaderConfigKey)).toEqual( 'AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2l0aHViLXRva2Vu' ) - // Verify includeIf entries were added to local config - const includeIfKeys = await git.tryGetConfigKeys('^includeIf\\.gitdir:') - expect(includeIfKeys.length).toBeGreaterThan(0) - - // Count credential includes pointing to this action's credentials file - let credentialIncludesForThisAction = 0 - for (const key of includeIfKeys) { - const values = await git.tryGetConfigValues(key) - for (const value of values) { - if (value === credentialsPath) { - credentialIncludesForThisAction++ - } - } - } - expect(credentialIncludesForThisAction).toBeGreaterThan(0) - await gitConfigHelper.close() - - // Verify credentials file was removed - const filesAfter = await fs.promises.readdir(runnerTemp) - const credentialsFilesAfter = filesAfter.filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFilesAfter.length).toBe(0) - - // Verify includeIf entries pointing to our specific credentials file were removed - const includeIfKeysAfter = await git.tryGetConfigKeys( - '^includeIf\\.gitdir:' - ) - let credentialIncludesForThisActionAfter = 0 - for (const key of includeIfKeysAfter) { - const values = await git.tryGetConfigValues(key) - for (const value of values) { - if (value === credentialsPath) { - credentialIncludesForThisActionAfter++ - } - } - } - expect(credentialIncludesForThisActionAfter).toBe(0) + expect(await git.configExists(extraheaderConfigKey)).toBeFalsy() }) - it('tests save and restore of persisted auth (old-style)', async () => { + it('tests save and restore of persisted auth', async () => { const extraheaderConfigValue = 'AUTHORIZATION: basic ***persisted-auth***' await git.config(extraheaderConfigKey, extraheaderConfigValue) diff --git a/dist/index.js b/dist/index.js index c0140ab..5610005 100644 --- a/dist/index.js +++ b/dist/index.js @@ -730,15 +730,9 @@ class GitCommandManager { return yield this.exec(args, { allowAllExitCodes: allowAllExitCodes }); }); } - config(configKey, configValue, globalConfig, add, configFile) { + config(configKey, configValue, globalConfig, add) { return __awaiter(this, void 0, void 0, function* () { - const args = ['config']; - if (configFile) { - args.push('--file', configFile); - } - else { - args.push(globalConfig ? '--global' : '--local'); - } + const args = ['config', globalConfig ? '--global' : '--local']; if (add) { args.push('--add'); } @@ -970,60 +964,6 @@ class GitCommandManager { return output.exitCode === 0; }); } - tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) { - return __awaiter(this, void 0, void 0, function* () { - const args = ['config']; - if (configFile) { - args.push('--file', configFile); - } - else { - args.push(globalConfig ? '--global' : '--local'); - } - args.push('--fixed-value', '--unset', configKey, configValue); - const output = yield this.exec(args, { allowAllExitCodes: true }); - return output.exitCode === 0; - }); - } - tryGetConfigValues(configKey, globalConfig, configFile) { - return __awaiter(this, void 0, void 0, function* () { - const args = ['config']; - if (configFile) { - args.push('--file', configFile); - } - else { - args.push(globalConfig ? '--global' : '--local'); - } - args.push('--get-all', configKey); - const output = yield this.exec(args, { allowAllExitCodes: true }); - if (output.exitCode !== 0) { - return []; - } - return output.stdout - .trim() - .split('\n') - .filter(value => value.trim()); - }); - } - tryGetConfigKeys(pattern, globalConfig, configFile) { - return __awaiter(this, void 0, void 0, function* () { - const args = ['config']; - if (configFile) { - args.push('--file', configFile); - } - else { - args.push(globalConfig ? '--global' : '--local'); - } - args.push('--name-only', '--get-regexp', pattern); - const output = yield this.exec(args, { allowAllExitCodes: true }); - if (output.exitCode !== 0) { - return []; - } - return output.stdout - .trim() - .split('\n') - .filter(key => key.trim()); - }); - } tryGetRemoteUrl() { return __awaiter(this, void 0, void 0, function* () { const output = yield this.exec(['config', '--local', '--get', 'remote.origin.url'], { allowAllExitCodes: true }); @@ -1160,9 +1100,9 @@ const fs = __importStar(__nccwpck_require__(9896)); const path = __importStar(__nccwpck_require__(6928)); const url_1 = __nccwpck_require__(7016); const utils = __importStar(__nccwpck_require__(9277)); -const uuid_1 = __nccwpck_require__(2048); class GitConfigHelper { constructor(git) { + this.gitConfigPath = ''; this.safeDirectoryConfigKey = 'safe.directory'; this.safeDirectoryAdded = false; this.remoteUrl = ''; @@ -1170,8 +1110,7 @@ class GitConfigHelper { this.extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***'; this.extraheaderConfigValueRegex = '^AUTHORIZATION:'; this.persistedExtraheaderConfigValue = ''; - // Path to the credentials config file in RUNNER_TEMP (new v6-style auth) - this.credentialsConfigPath = ''; + this.backedUpCredentialFiles = []; this.git = git; this.workingDirectory = this.git.getWorkingDirectory(); } @@ -1251,15 +1190,16 @@ class GitConfigHelper { return __awaiter(this, void 0, void 0, function* () { const serverUrl = new url_1.URL(`https://${this.getGitRemote().hostname}`); this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader`; - // Save and unset persisted extraheader credential in git config if it exists (old-style auth) - // Note: checkout@v6 uses credentials files with includeIf, so we don't need to - // manipulate those - they work independently via git's include mechanism + // Backup checkout@v6 credential files if they exist + yield this.hideCredentialFiles(); + // Save and unset persisted extraheader credential in git config if it exists this.persistedExtraheaderConfigValue = yield this.getAndUnset(); }); } restorePersistedAuth() { return __awaiter(this, void 0, void 0, function* () { - // Restore old-style extraheader config if it was persisted + // Restore checkout@v6 credential files if they were backed up + yield this.unhideCredentialFiles(); if (this.persistedExtraheaderConfigValue) { try { yield this.setExtraheaderConfig(this.persistedExtraheaderConfigValue); @@ -1273,160 +1213,69 @@ class GitConfigHelper { } configureToken(token) { return __awaiter(this, void 0, void 0, function* () { - // Encode the basic credential for HTTPS access + // Encode and configure the basic credential for HTTPS access const basicCredential = Buffer.from(`x-access-token:${token}`, 'utf8').toString('base64'); core.setSecret(basicCredential); const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}`; - // Get or create the credentials config file path - const credentialsConfigPath = this.getCredentialsConfigPath(); - // Write placeholder to the separate credentials config file using git config. - // This approach avoids the credential being captured by process creation audit events, - // which are commonly logged. For more information, refer to - // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing - yield this.git.config(this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue, false, // globalConfig - false, // add - credentialsConfigPath); - // Replace the placeholder in the credentials config file - let content = (yield fs.promises.readFile(credentialsConfigPath)).toString(); - const placeholderIndex = content.indexOf(this.extraheaderConfigPlaceholderValue); - if (placeholderIndex < 0 || - placeholderIndex != - content.lastIndexOf(this.extraheaderConfigPlaceholderValue)) { - throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`); - } - content = content.replace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); - yield fs.promises.writeFile(credentialsConfigPath, content); - // Configure includeIf entries to reference the credentials config file - yield this.configureIncludeIf(credentialsConfigPath); + yield this.setExtraheaderConfig(extraheaderConfigValue); }); } removeAuth() { return __awaiter(this, void 0, void 0, function* () { - // Remove old-style extraheader config if it exists yield this.getAndUnset(); - // Remove includeIf entries that point to git-credentials-*.config files - // and clean up the credentials config files - yield this.removeIncludeIfCredentials(); }); } - /** - * Gets or creates the path to the credentials config file in RUNNER_TEMP. - * @returns The absolute path to the credentials config file - */ - getCredentialsConfigPath() { - if (this.credentialsConfigPath) { - return this.credentialsConfigPath; - } - const runnerTemp = process.env['RUNNER_TEMP'] || ''; - if (!runnerTemp) { - throw new Error('RUNNER_TEMP is not defined'); - } - // Create a unique filename for this action instance - const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`; - this.credentialsConfigPath = path.join(runnerTemp, configFileName); - core.debug(`Credentials config path: ${this.credentialsConfigPath}`); - return this.credentialsConfigPath; - } - /** - * Configures includeIf entries in the local git config to reference the credentials file. - * Sets up entries for both host and container paths to support Docker container actions. - */ - configureIncludeIf(credentialsConfigPath) { - return __awaiter(this, void 0, void 0, function* () { - // Host git directory - const gitDir = yield this.git.getGitDirectory(); - let hostGitDir = path.join(this.workingDirectory, gitDir); - hostGitDir = hostGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows - // Configure host includeIf - const hostIncludeKey = `includeIf.gitdir:${hostGitDir}.path`; - yield this.git.config(hostIncludeKey, credentialsConfigPath); - // Configure host includeIf for worktrees - const hostWorktreeIncludeKey = `includeIf.gitdir:${hostGitDir}/worktrees/*.path`; - yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath); - // Container paths for Docker container actions - const githubWorkspace = process.env['GITHUB_WORKSPACE']; - if (githubWorkspace) { - let relativePath = path.relative(githubWorkspace, this.workingDirectory); - relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows - const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git'); - // Container credentials config path - const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); - // Configure container includeIf - const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`; - yield this.git.config(containerIncludeKey, containerCredentialsPath); - // Configure container includeIf for worktrees - const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`; - yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath); - } - }); - } - /** - * Removes the includeIf entry and credentials config file created by this action instance. - * Only cleans up the specific credentials file tracked in this.credentialsConfigPath, - * leaving credentials created by other actions (e.g., actions/checkout) intact. - */ - removeIncludeIfCredentials() { - return __awaiter(this, void 0, void 0, function* () { - // Only clean up if this action instance created a credentials config file - if (!this.credentialsConfigPath) { - return; - } - try { - // Get all includeIf.gitdir keys from local config - const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:'); - for (const key of keys) { - // Get all values for this key - const values = yield this.git.tryGetConfigValues(key); - for (const value of values) { - // Only remove entries pointing to our specific credentials file - if (value === this.credentialsConfigPath) { - yield this.git.tryConfigUnsetValue(key, value); - core.debug(`Removed includeIf entry: ${key} = ${value}`); - } - } - } - } - catch (e) { - // Ignore errors during cleanup - core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`); - } - // Delete only our credentials config file - const runnerTemp = process.env['RUNNER_TEMP']; - const resolvedCredentialsPath = path.resolve(this.credentialsConfigPath); - const resolvedRunnerTemp = runnerTemp ? path.resolve(runnerTemp) : ''; - if (resolvedRunnerTemp && - resolvedCredentialsPath.startsWith(resolvedRunnerTemp + path.sep)) { - try { - yield fs.promises.unlink(this.credentialsConfigPath); - core.info(`Removed credentials config file: ${this.credentialsConfigPath}`); - } - catch (e) { - core.debug(`Could not remove credentials file ${this.credentialsConfigPath}: ${utils.getErrorMessage(e)}`); - } - } - }); - } - /** - * Sets extraheader config directly in .git/config (old-style auth). - * Used only for restoring persisted credentials from checkout@v4/v5. - */ setExtraheaderConfig(extraheaderConfigValue) { return __awaiter(this, void 0, void 0, function* () { // Configure a placeholder value. This approach avoids the credential being captured // by process creation audit events, which are commonly logged. For more information, // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274 yield this.git.config(this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue); - // Replace the placeholder in the local git config - const gitDir = yield this.git.getGitDirectory(); - const gitConfigPath = path.join(this.workingDirectory, gitDir, 'config'); - let content = (yield fs.promises.readFile(gitConfigPath)).toString(); - const index = content.indexOf(this.extraheaderConfigPlaceholderValue); - if (index < 0 || - index != content.lastIndexOf(this.extraheaderConfigPlaceholderValue)) { - throw new Error(`Unable to replace '${this.extraheaderConfigPlaceholderValue}' in ${gitConfigPath}`); + // Replace the placeholder + yield this.gitConfigStringReplace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); + }); + } + hideCredentialFiles() { + return __awaiter(this, void 0, void 0, function* () { + // Temporarily hide checkout@v6 credential files to avoid duplicate auth headers + const runnerTemp = process.env['RUNNER_TEMP']; + if (!runnerTemp) { + return; } - content = content.replace(this.extraheaderConfigPlaceholderValue, extraheaderConfigValue); - yield fs.promises.writeFile(gitConfigPath, content); + try { + const files = yield fs.promises.readdir(runnerTemp); + for (const file of files) { + if (file.startsWith('git-credentials-') && file.endsWith('.config')) { + const sourcePath = path.join(runnerTemp, file); + const backupPath = `${sourcePath}.bak`; + yield fs.promises.rename(sourcePath, backupPath); + this.backedUpCredentialFiles.push(backupPath); + core.info(`Temporarily hiding checkout credential file: ${file} (will be restored after)`); + } + } + } + catch (e) { + // If directory doesn't exist or we can't read it, just continue + core.debug(`Could not backup credential files: ${utils.getErrorMessage(e)}`); + } + }); + } + unhideCredentialFiles() { + return __awaiter(this, void 0, void 0, function* () { + // Restore checkout@v6 credential files that were backed up + for (const backupPath of this.backedUpCredentialFiles) { + try { + const originalPath = backupPath.replace(/\.bak$/, ''); + yield fs.promises.rename(backupPath, originalPath); + const fileName = path.basename(originalPath); + core.info(`Restored checkout credential file: ${fileName}`); + } + catch (e) { + core.warning(`Failed to restore credential file ${backupPath}: ${utils.getErrorMessage(e)}`); + } + } + this.backedUpCredentialFiles = []; }); } getAndUnset() { @@ -1445,6 +1294,21 @@ class GitConfigHelper { return configValue; }); } + gitConfigStringReplace(find, replace) { + return __awaiter(this, void 0, void 0, function* () { + if (this.gitConfigPath.length === 0) { + const gitDir = yield this.git.getGitDirectory(); + this.gitConfigPath = path.join(this.workingDirectory, gitDir, 'config'); + } + let content = (yield fs.promises.readFile(this.gitConfigPath)).toString(); + const index = content.indexOf(find); + if (index < 0 || index != content.lastIndexOf(find)) { + throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`); + } + content = content.replace(find, replace); + yield fs.promises.writeFile(this.gitConfigPath, content); + }); + } } exports.GitConfigHelper = GitConfigHelper; diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index b0ed1ae..6270f19 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -96,15 +96,9 @@ export class GitCommandManager { configKey: string, configValue: string, globalConfig?: boolean, - add?: boolean, - configFile?: string + add?: boolean ): Promise { - const args: string[] = ['config'] - if (configFile) { - args.push('--file', configFile) - } else { - args.push(globalConfig ? '--global' : '--local') - } + const args: string[] = ['config', globalConfig ? '--global' : '--local'] if (add) { args.push('--add') } @@ -356,67 +350,6 @@ export class GitCommandManager { return output.exitCode === 0 } - async tryConfigUnsetValue( - configKey: string, - configValue: string, - globalConfig?: boolean, - configFile?: string - ): Promise { - const args = ['config'] - if (configFile) { - args.push('--file', configFile) - } else { - args.push(globalConfig ? '--global' : '--local') - } - args.push('--fixed-value', '--unset', configKey, configValue) - const output = await this.exec(args, {allowAllExitCodes: true}) - return output.exitCode === 0 - } - - async tryGetConfigValues( - configKey: string, - globalConfig?: boolean, - configFile?: string - ): Promise { - const args = ['config'] - if (configFile) { - args.push('--file', configFile) - } else { - args.push(globalConfig ? '--global' : '--local') - } - args.push('--get-all', configKey) - const output = await this.exec(args, {allowAllExitCodes: true}) - if (output.exitCode !== 0) { - return [] - } - return output.stdout - .trim() - .split('\n') - .filter(value => value.trim()) - } - - async tryGetConfigKeys( - pattern: string, - globalConfig?: boolean, - configFile?: string - ): Promise { - const args = ['config'] - if (configFile) { - args.push('--file', configFile) - } else { - args.push(globalConfig ? '--global' : '--local') - } - args.push('--name-only', '--get-regexp', pattern) - const output = await this.exec(args, {allowAllExitCodes: true}) - if (output.exitCode !== 0) { - return [] - } - return output.stdout - .trim() - .split('\n') - .filter(key => key.trim()) - } - async tryGetRemoteUrl(): Promise { const output = await this.exec( ['config', '--local', '--get', 'remote.origin.url'], diff --git a/src/git-config-helper.ts b/src/git-config-helper.ts index bee89c1..e929934 100644 --- a/src/git-config-helper.ts +++ b/src/git-config-helper.ts @@ -4,7 +4,6 @@ import {GitCommandManager} from './git-command-manager' import * as path from 'path' import {URL} from 'url' import * as utils from './utils' -import {v4 as uuid} from 'uuid' interface GitRemote { hostname: string @@ -14,6 +13,7 @@ interface GitRemote { export class GitConfigHelper { private git: GitCommandManager + private gitConfigPath = '' private workingDirectory: string private safeDirectoryConfigKey = 'safe.directory' private safeDirectoryAdded = false @@ -22,8 +22,7 @@ export class GitConfigHelper { private extraheaderConfigPlaceholderValue = 'AUTHORIZATION: basic ***' private extraheaderConfigValueRegex = '^AUTHORIZATION:' private persistedExtraheaderConfigValue = '' - // Path to the credentials config file in RUNNER_TEMP (new v6-style auth) - private credentialsConfigPath = '' + private backedUpCredentialFiles: string[] = [] private constructor(git: GitCommandManager) { this.git = git @@ -123,14 +122,15 @@ export class GitConfigHelper { async savePersistedAuth(): Promise { const serverUrl = new URL(`https://${this.getGitRemote().hostname}`) this.extraheaderConfigKey = `http.${serverUrl.origin}/.extraheader` - // Save and unset persisted extraheader credential in git config if it exists (old-style auth) - // Note: checkout@v6 uses credentials files with includeIf, so we don't need to - // manipulate those - they work independently via git's include mechanism + // Backup checkout@v6 credential files if they exist + await this.hideCredentialFiles() + // Save and unset persisted extraheader credential in git config if it exists this.persistedExtraheaderConfigValue = await this.getAndUnset() } async restorePersistedAuth(): Promise { - // Restore old-style extraheader config if it was persisted + // Restore checkout@v6 credential files if they were backed up + await this.unhideCredentialFiles() if (this.persistedExtraheaderConfigValue) { try { await this.setExtraheaderConfig(this.persistedExtraheaderConfigValue) @@ -142,218 +142,81 @@ export class GitConfigHelper { } async configureToken(token: string): Promise { - // Encode the basic credential for HTTPS access + // Encode and configure the basic credential for HTTPS access const basicCredential = Buffer.from( `x-access-token:${token}`, 'utf8' ).toString('base64') core.setSecret(basicCredential) const extraheaderConfigValue = `AUTHORIZATION: basic ${basicCredential}` - - // Get or create the credentials config file path - const credentialsConfigPath = this.getCredentialsConfigPath() - - // Write placeholder to the separate credentials config file using git config. - // This approach avoids the credential being captured by process creation audit events, - // which are commonly logged. For more information, refer to - // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing - await this.git.config( - this.extraheaderConfigKey, - this.extraheaderConfigPlaceholderValue, - false, // globalConfig - false, // add - credentialsConfigPath - ) - - // Replace the placeholder in the credentials config file - let content = (await fs.promises.readFile(credentialsConfigPath)).toString() - const placeholderIndex = content.indexOf( - this.extraheaderConfigPlaceholderValue - ) - if ( - placeholderIndex < 0 || - placeholderIndex != - content.lastIndexOf(this.extraheaderConfigPlaceholderValue) - ) { - throw new Error( - `Unable to replace auth placeholder in ${credentialsConfigPath}` - ) - } - content = content.replace( - this.extraheaderConfigPlaceholderValue, - extraheaderConfigValue - ) - await fs.promises.writeFile(credentialsConfigPath, content) - - // Configure includeIf entries to reference the credentials config file - await this.configureIncludeIf(credentialsConfigPath) + await this.setExtraheaderConfig(extraheaderConfigValue) } async removeAuth(): Promise { - // Remove old-style extraheader config if it exists await this.getAndUnset() - - // Remove includeIf entries that point to git-credentials-*.config files - // and clean up the credentials config files - await this.removeIncludeIfCredentials() } - /** - * Gets or creates the path to the credentials config file in RUNNER_TEMP. - * @returns The absolute path to the credentials config file - */ - private getCredentialsConfigPath(): string { - if (this.credentialsConfigPath) { - return this.credentialsConfigPath - } - - const runnerTemp = process.env['RUNNER_TEMP'] || '' - if (!runnerTemp) { - throw new Error('RUNNER_TEMP is not defined') - } - - // Create a unique filename for this action instance - const configFileName = `git-credentials-${uuid()}.config` - this.credentialsConfigPath = path.join(runnerTemp, configFileName) - - core.debug(`Credentials config path: ${this.credentialsConfigPath}`) - return this.credentialsConfigPath - } - - /** - * Configures includeIf entries in the local git config to reference the credentials file. - * Sets up entries for both host and container paths to support Docker container actions. - */ - private async configureIncludeIf( - credentialsConfigPath: string - ): Promise { - // Host git directory - const gitDir = await this.git.getGitDirectory() - let hostGitDir = path.join(this.workingDirectory, gitDir) - hostGitDir = hostGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows - - // Configure host includeIf - const hostIncludeKey = `includeIf.gitdir:${hostGitDir}.path` - await this.git.config(hostIncludeKey, credentialsConfigPath) - - // Configure host includeIf for worktrees - const hostWorktreeIncludeKey = `includeIf.gitdir:${hostGitDir}/worktrees/*.path` - await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath) - - // Container paths for Docker container actions - const githubWorkspace = process.env['GITHUB_WORKSPACE'] - if (githubWorkspace) { - let relativePath = path.relative(githubWorkspace, this.workingDirectory) - relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows - const containerGitDir = path.posix.join( - '/github/workspace', - relativePath, - '.git' - ) - - // Container credentials config path - const containerCredentialsPath = path.posix.join( - '/github/runner_temp', - path.basename(credentialsConfigPath) - ) - - // Configure container includeIf - const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path` - await this.git.config(containerIncludeKey, containerCredentialsPath) - - // Configure container includeIf for worktrees - const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path` - await this.git.config( - containerWorktreeIncludeKey, - containerCredentialsPath - ) - } - } - - /** - * Removes the includeIf entry and credentials config file created by this action instance. - * Only cleans up the specific credentials file tracked in this.credentialsConfigPath, - * leaving credentials created by other actions (e.g., actions/checkout) intact. - */ - private async removeIncludeIfCredentials(): Promise { - // Only clean up if this action instance created a credentials config file - if (!this.credentialsConfigPath) { - return - } - - try { - // Get all includeIf.gitdir keys from local config - const keys = await this.git.tryGetConfigKeys('^includeIf\\.gitdir:') - - for (const key of keys) { - // Get all values for this key - const values = await this.git.tryGetConfigValues(key) - for (const value of values) { - // Only remove entries pointing to our specific credentials file - if (value === this.credentialsConfigPath) { - await this.git.tryConfigUnsetValue(key, value) - core.debug(`Removed includeIf entry: ${key} = ${value}`) - } - } - } - } catch (e) { - // Ignore errors during cleanup - core.debug(`Error during includeIf cleanup: ${utils.getErrorMessage(e)}`) - } - - // Delete only our credentials config file - const runnerTemp = process.env['RUNNER_TEMP'] - const resolvedCredentialsPath = path.resolve(this.credentialsConfigPath) - const resolvedRunnerTemp = runnerTemp ? path.resolve(runnerTemp) : '' - if ( - resolvedRunnerTemp && - resolvedCredentialsPath.startsWith(resolvedRunnerTemp + path.sep) - ) { - try { - await fs.promises.unlink(this.credentialsConfigPath) - core.info( - `Removed credentials config file: ${this.credentialsConfigPath}` - ) - } catch (e) { - core.debug( - `Could not remove credentials file ${this.credentialsConfigPath}: ${utils.getErrorMessage(e)}` - ) - } - } - } - - /** - * Sets extraheader config directly in .git/config (old-style auth). - * Used only for restoring persisted credentials from checkout@v4/v5. - */ private async setExtraheaderConfig( extraheaderConfigValue: string ): Promise { // Configure a placeholder value. This approach avoids the credential being captured // by process creation audit events, which are commonly logged. For more information, // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + // See https://github.com/actions/checkout/blob/main/src/git-auth-helper.ts#L267-L274 await this.git.config( this.extraheaderConfigKey, this.extraheaderConfigPlaceholderValue ) - // Replace the placeholder in the local git config - const gitDir = await this.git.getGitDirectory() - const gitConfigPath = path.join(this.workingDirectory, gitDir, 'config') - let content = (await fs.promises.readFile(gitConfigPath)).toString() - const index = content.indexOf(this.extraheaderConfigPlaceholderValue) - if ( - index < 0 || - index != content.lastIndexOf(this.extraheaderConfigPlaceholderValue) - ) { - throw new Error( - `Unable to replace '${this.extraheaderConfigPlaceholderValue}' in ${gitConfigPath}` - ) - } - content = content.replace( + // Replace the placeholder + await this.gitConfigStringReplace( this.extraheaderConfigPlaceholderValue, extraheaderConfigValue ) - await fs.promises.writeFile(gitConfigPath, content) + } + + private async hideCredentialFiles(): Promise { + // Temporarily hide checkout@v6 credential files to avoid duplicate auth headers + const runnerTemp = process.env['RUNNER_TEMP'] + if (!runnerTemp) { + return + } + + try { + const files = await fs.promises.readdir(runnerTemp) + for (const file of files) { + if (file.startsWith('git-credentials-') && file.endsWith('.config')) { + const sourcePath = path.join(runnerTemp, file) + const backupPath = `${sourcePath}.bak` + await fs.promises.rename(sourcePath, backupPath) + this.backedUpCredentialFiles.push(backupPath) + core.info( + `Temporarily hiding checkout credential file: ${file} (will be restored after)` + ) + } + } + } catch (e) { + // If directory doesn't exist or we can't read it, just continue + core.debug( + `Could not backup credential files: ${utils.getErrorMessage(e)}` + ) + } + } + + private async unhideCredentialFiles(): Promise { + // Restore checkout@v6 credential files that were backed up + for (const backupPath of this.backedUpCredentialFiles) { + try { + const originalPath = backupPath.replace(/\.bak$/, '') + await fs.promises.rename(backupPath, originalPath) + const fileName = path.basename(originalPath) + core.info(`Restored checkout credential file: ${fileName}`) + } catch (e) { + core.warning( + `Failed to restore credential file ${backupPath}: ${utils.getErrorMessage(e)}` + ) + } + } + this.backedUpCredentialFiles = [] } private async getAndUnset(): Promise { @@ -384,4 +247,21 @@ export class GitConfigHelper { } return configValue } + + private async gitConfigStringReplace( + find: string, + replace: string + ): Promise { + if (this.gitConfigPath.length === 0) { + const gitDir = await this.git.getGitDirectory() + this.gitConfigPath = path.join(this.workingDirectory, gitDir, 'config') + } + let content = (await fs.promises.readFile(this.gitConfigPath)).toString() + const index = content.indexOf(find) + if (index < 0 || index != content.lastIndexOf(find)) { + throw new Error(`Unable to replace '${find}' in ${this.gitConfigPath}`) + } + content = content.replace(find, replace) + await fs.promises.writeFile(this.gitConfigPath, content) + } }