actions/checkout
1
0
Fork 0
mirror of https://github.com/actions/checkout.git synced 2025-10-31 07:30:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add container path support for submodules and improve code readability

Browse Source
This commit is contained in:
eric sciple
2025-10-14 22:10:23 +00:00
parent 74fe54f098
commit 8e4be9ae12
2 changed files with 91 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
src/git-auth-helper.ts
View File

@@ -171,23 +171,66 @@ class GitAuthHelper {
await this.removeGitConfig(this.insteadOfKey, true)
if (this.settings.persistCredentials) {
// TODO: UPDATE THIS
// Use the same credentials config file created for the main repo
const credentialsConfigPath = await this.getCredentialsConfigPath()
const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const output = await this.git.submoduleForeach(
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsConfigPath)
)
// Calculate container git directory base path
const workingDirectory = this.git.getWorkingDirectory()
let relativePath = path.relative(githubWorkspace, workingDirectory)
relativePath = relativePath.replace(/\\/g, '/')
const containerWorkspaceBase = path.posix.join(
'/github/workspace',
relativePath
)
// Get submodule paths.
// `git rev-parse --show-toplevel` returns the absolute path of each submodule's working tree.
const submodulePaths = await this.git.submoduleForeach(
`git rev-parse --show-toplevel`,
this.settings.nestedSubmodules
)
// Replace the placeholder
const configPaths: string[] =
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
for (const configPath of configPaths) {
core.debug(`Replacing token placeholder in '${configPath}'`)
await this.replaceTokenPlaceholder(configPath)
// For each submodule, configure includeIf entries pointing to the shared credentials file.
// Configure both host and container paths to support Docker container actions.
for (const submodulePath of submodulePaths.split('\n').filter(x => x)) {
// Configure host path includeIf.
// Use forward slashes for git config, even on Windows.
let submoduleGitDir = path.join(submodulePath, '.git')
submoduleGitDir = submoduleGitDir.replace(/\\/g, '/')
await this.git.config(
`includeIf.gitdir:${submoduleGitDir}.path`,
credentialsConfigPath,
false,
false,
path.join(submodulePath, '.git', 'config')
)
// Configure container path includeIf.
// Use forward slashes for git config, even on Windows.
let submoduleRelativePath = path.relative(
workingDirectory,
submodulePath
)
submoduleRelativePath = submoduleRelativePath.replace(/\\/g, '/')
const containerSubmoduleGitDir = path.posix.join(
containerWorkspaceBase,
submoduleRelativePath,
'.git'
)
await this.git.config(
`includeIf.gitdir:${containerSubmoduleGitDir}.path`,
containerCredentialsPath,
false,
false,
path.join(submodulePath, '.git', 'config')
)
}
if (this.settings.sshKey) {
@@ -407,6 +450,12 @@ class GitAuthHelper {
}
this.credentialsIncludeKeys = []
// Remove includeIf entries from submodules
await this.git.submoduleForeach(
`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`,
true
)
// Remove credentials config file
if (this.credentialsConfigPath) {
try {