eric sciple
2025-10-17 00:02:33 +00:00
parent 3292e202f3
commit f8060825ea
5 changed files with 320 additions and 194 deletions

213
dist/index.js vendored

@@ -163,7 +163,6 @@ class GitAuthHelper {
this.sshKnownHostsPath = '';
this.temporaryHomePath = '';
this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
this.credentialsIncludeKeys = []; // Track includeIf config keys for cleanup
this.git = gitCommandManager;
this.settings = gitSourceSettings || {};
// Token auth header
@@ -189,20 +188,6 @@ class GitAuthHelper {
yield this.configureToken();
});
}
getCredentialsConfigPath() {
return __awaiter(this, void 0, void 0, function* () {
if (this.credentialsConfigPath) {
return this.credentialsConfigPath;
}
const runnerTemp = process.env['RUNNER_TEMP'] || '';
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
// Create a unique filename for this checkout instance
const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
this.credentialsConfigPath = path.join(runnerTemp, configFileName);
core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
return this.credentialsConfigPath;
});
}
configureTempGlobalConfig() {
return __awaiter(this, void 0, void 0, function* () {
var _a;
@@ -282,10 +267,7 @@ class GitAuthHelper {
relativePath = relativePath.replace(/\\/g, '/');
const containerRepoPath = path.posix.join('/github/workspace', relativePath);
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = yield this.git.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, this.settings.nestedSubmodules);
// Extract config file paths from the output (lines starting with "file:").
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
// For each submodule, configure includeIf entries pointing to the shared credentials file.
// Configure both host and container paths to support Docker container actions.
for (const configPath of configPaths) {
@@ -329,6 +311,10 @@ class GitAuthHelper {
}
});
}
/**
* Configures SSH authentication by writing the SSH key and known hosts,
* and setting up the GIT_SSH_COMMAND environment variable.
*/
configureSsh() {
return __awaiter(this, void 0, void 0, function* () {
if (!this.settings.sshKey) {
@@ -385,6 +371,11 @@ class GitAuthHelper {
}
});
}
/**
* Configures token-based authentication by creating a credentials config file
* and setting up includeIf entries to reference it.
* @param globalConfig Whether to configure global config instead of local
*/
configureToken(globalConfig) {
return __awaiter(this, void 0, void 0, function* () {
// Get the credentials config file path in RUNNER_TEMP
@@ -395,7 +386,15 @@ class GitAuthHelper {
// https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, false, credentialsConfigPath);
// Replace the placeholder in the credentials config file
yield this.replaceTokenPlaceholder(credentialsConfigPath);
let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
if (placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`);
}
assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
yield fs.promises.writeFile(credentialsConfigPath, content);
// Add include or includeIf to reference the credentials config
if (globalConfig) {
// Global config file is temporary
@@ -408,7 +407,6 @@ class GitAuthHelper {
// Configure host includeIf
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
yield this.git.config(hostIncludeKey, credentialsConfigPath);
this.credentialsIncludeKeys.push(hostIncludeKey);
// Container git directory
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
@@ -421,24 +419,31 @@ class GitAuthHelper {
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
yield this.git.config(containerIncludeKey, containerCredentialsPath);
this.credentialsIncludeKeys.push(containerIncludeKey);
}
});
}
replaceTokenPlaceholder(configPath) {
/**
* Gets or creates the path to the credentials config file in RUNNER_TEMP.
* @returns The absolute path to the credentials config file
*/
getCredentialsConfigPath() {
return __awaiter(this, void 0, void 0, function* () {
assert.ok(configPath, 'configPath is not defined');
let content = (yield fs.promises.readFile(configPath)).toString();
const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
if (placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
throw new Error(`Unable to replace auth placeholder in ${configPath}`);
if (this.credentialsConfigPath) {
return this.credentialsConfigPath;
}
assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
yield fs.promises.writeFile(configPath, content);
const runnerTemp = process.env['RUNNER_TEMP'] || '';
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
// Create a unique filename for this checkout instance
const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
this.credentialsConfigPath = path.join(runnerTemp, configFileName);
core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
return this.credentialsConfigPath;
});
}
/**
* Removes SSH authentication configuration by cleaning up SSH keys,
* known hosts files, and SSH command configurations.
*/
removeSsh() {
return __awaiter(this, void 0, void 0, function* () {
var _a;
@@ -468,6 +473,10 @@ class GitAuthHelper {
yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
});
}
/**
* Removes token-based authentication by cleaning up HTTP headers,
* includeIf entries, and credentials config files.
*/
removeToken() {
return __awaiter(this, void 0, void 0, function* () {
var _a;
@@ -475,30 +484,12 @@ class GitAuthHelper {
yield this.removeGitConfig(this.tokenConfigKey);
yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
// Remove includeIf entries that point to git-credentials-*.config files
// This is more aggressive than tracking keys, but necessary since cleanup
// runs in a post-step where this.credentialsIncludeKeys is empty
try {
// Get all includeIf.gitdir keys
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:');
for (const key of keys) {
// Get all values for this key
const values = yield this.git.tryGetConfigValues(key);
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) {
yield this.git.tryConfigUnsetValue(key, value);
}
}
}
}
yield this.removeIncludeIfCredentials();
// Remove submodule includeIf entries that point to git-credentials-*.config files
const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
for (const configPath of submoduleConfigPaths) {
yield this.removeIncludeIfCredentials(configPath);
}
catch (err) {
// Ignore errors - this is cleanup code
core.debug(`Error during includeIf cleanup: ${err}`);
}
// Remove submodule includeIf
yield this.git.submoduleForeach(`sh -c "git config --local --get-regexp '^includeif\\.' && git config --local --remove-section includeif || :"`, true);
// Remove credentials config file
if (this.credentialsConfigPath) {
try {
@@ -511,6 +502,10 @@ class GitAuthHelper {
}
});
}
/**
* Removes a git config key from the local repository config.
* @param configKey The git config key to remove
*/
removeGitConfig(configKey) {
return __awaiter(this, void 0, void 0, function* () {
if ((yield this.git.configExists(configKey)) &&
@@ -520,6 +515,10 @@ class GitAuthHelper {
}
});
}
/**
* Removes a git config key from all submodule configs.
* @param configKey The git config key to remove
*/
removeSubmoduleGitConfig(configKey) {
return __awaiter(this, void 0, void 0, function* () {
const pattern = regexpHelper.escape(configKey);
@@ -528,6 +527,47 @@ class GitAuthHelper {
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
});
}
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* @param configPath Optional path to a specific git config file to operate on
*/
removeIncludeIfCredentials(configPath) {
return __awaiter(this, void 0, void 0, function* () {
try {
// Get all includeIf.gitdir keys
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, configPath);
for (const key of keys) {
// Get all values for this key
const values = yield this.git.tryGetConfigValues(key, false, configPath);
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (this.testCredentialsConfigPath(value)) {
yield this.git.tryConfigUnsetValue(key, value, false, configPath);
}
}
}
}
}
catch (err) {
// Ignore errors - this is cleanup code
if (configPath) {
core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`);
}
else {
core.debug(`Error during includeIf cleanup: ${err}`);
}
}
});
}
/**
* Tests if a path matches the git-credentials-*.config pattern.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
testCredentialsConfigPath(path) {
return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
}
}
@@ -810,6 +850,16 @@ class GitCommandManager {
throw new Error('Unexpected output when retrieving default branch');
});
}
getSubmoduleConfigPaths(recursive) {
return __awaiter(this, void 0, void 0, function* () {
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
// Extract config file paths from the output (lines starting with "file:").
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
return configPaths;
});
}
getWorkingDirectory() {
return this.workingDirectory;
}
@@ -940,15 +990,17 @@ class GitCommandManager {
return output.exitCode === 0;
});
}
tryConfigUnsetValue(configKey, configValue, globalConfig) {
tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit([
'config',
globalConfig ? '--global' : '--local',
'--unset',
configKey,
configValue
], true);
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--unset', configKey, configValue);
const output = yield this.execGit(args, true);
return output.exitCode === 0;
});
}
@@ -971,29 +1023,34 @@ class GitCommandManager {
return stdout;
});
}
tryGetConfigValues(configKey, globalConfig) {
tryGetConfigValues(configKey, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit([
'config',
globalConfig ? '--global' : '--local',
'--get-all',
configKey
], true);
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--get-all', configKey);
const output = yield this.execGit(args, true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout.trim().split('\n').filter(value => value.trim());
});
}
tryGetConfigKeys(pattern, globalConfig) {
tryGetConfigKeys(pattern, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit([
'config',
globalConfig ? '--global' : '--local',
'--name-only',
'--get-regexp',
pattern
], true);
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--name-only', '--get-regexp', pattern);
const output = yield this.execGit(args, true);
if (output.exitCode !== 0) {
return [];
}