Compare commits
	
		
			3 Commits
		
	
	
		
			9a3a9ade82
			...
			users/eric
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|   | 95471c29b6 | ||
|   | 2a15e11d5a | ||
|   | 518a867127 | 
							
								
								
									
										10
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										10
									
								
								README.md
									
									
									
									
									
								
							| @@ -49,19 +49,19 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous | ||||
|     # with the local git config, which enables your scripts to run authenticated git | ||||
|     # commands. The post-job step removes the PAT. | ||||
|     # | ||||
|     # We recommend creating a service account with the least permissions necessary. | ||||
|     # Also when generating a new PAT, select the least scopes necessary. | ||||
|     # We recommend using a service account with the least permissions necessary. Also | ||||
|     # when generating a new PAT, select the least scopes necessary. | ||||
|     # | ||||
|     # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) | ||||
|     # | ||||
|     # Default: ${{ github.token }} | ||||
|     token: '' | ||||
|  | ||||
|     # SSH key used to fetch the repository. SSH key is configured with the local git | ||||
|     # config, which enables your scripts to run authenticated git commands. The | ||||
|     # SSH key used to fetch the repository. The SSH key is configured with the local | ||||
|     # git config, which enables your scripts to run authenticated git commands. The | ||||
|     # post-job step removes the SSH key. | ||||
|     # | ||||
|     # We recommend creating a service account with the least permissions necessary. | ||||
|     # We recommend using a service account with the least permissions necessary. | ||||
|     # | ||||
|     # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) | ||||
|     ssh-key: '' | ||||
|   | ||||
| @@ -320,6 +320,8 @@ describe('git-auth-helper tests', () => { | ||||
|     ).toString() | ||||
|     expect(actualSshKeyContent).toBe(settings.sshKey + '\n') | ||||
|     if (!isWindows) { | ||||
|       // Assert read/write for user, not group or others. | ||||
|       // Otherwise SSH client will error. | ||||
|       expect((await fs.promises.stat(actualSshKeyPath)).mode & 0o777).toBe( | ||||
|         0o600 | ||||
|       ) | ||||
| @@ -437,14 +439,74 @@ describe('git-auth-helper tests', () => { | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeyNotSet = | ||||
|     'configureSubmoduleAuth configures token when persist credentials true and SSH key not set' | ||||
|   const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet = | ||||
|     'configureSubmoduleAuth configures submodules when persist credentials false and SSH key not set' | ||||
|   it( | ||||
|     configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeyNotSet, | ||||
|     configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet, | ||||
|     async () => { | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeyNotSet | ||||
|         configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet | ||||
|       ) | ||||
|       settings.persistCredentials = false | ||||
|       settings.sshKey = '' | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
|       await authHelper.configureAuth() | ||||
|       const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any> | ||||
|       mockSubmoduleForeach.mockClear() // reset calls | ||||
|  | ||||
|       // Act | ||||
|       await authHelper.configureSubmoduleAuth() | ||||
|  | ||||
|       // Assert | ||||
|       expect(mockSubmoduleForeach).toBeCalledTimes(1) | ||||
|       expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch( | ||||
|         /unset-all.*insteadOf/ | ||||
|       ) | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet = | ||||
|     'configureSubmoduleAuth configures submodules when persist credentials false and SSH key set' | ||||
|   it( | ||||
|     configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet, | ||||
|     async () => { | ||||
|       if (!sshPath) { | ||||
|         process.stdout.write( | ||||
|           `Skipped test "${configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet}". Executable 'ssh' not found in the PATH.\n` | ||||
|         ) | ||||
|         return | ||||
|       } | ||||
|  | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet | ||||
|       ) | ||||
|       settings.persistCredentials = false | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
|       await authHelper.configureAuth() | ||||
|       const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any> | ||||
|       mockSubmoduleForeach.mockClear() // reset calls | ||||
|  | ||||
|       // Act | ||||
|       await authHelper.configureSubmoduleAuth() | ||||
|  | ||||
|       // Assert | ||||
|       expect(mockSubmoduleForeach).toHaveBeenCalledTimes(1) | ||||
|       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( | ||||
|         /unset-all.*insteadOf/ | ||||
|       ) | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet = | ||||
|     'configureSubmoduleAuth configures submodules when persist credentials true and SSH key not set' | ||||
|   it( | ||||
|     configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet, | ||||
|     async () => { | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet | ||||
|       ) | ||||
|       settings.sshKey = '' | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
| @@ -465,21 +527,21 @@ describe('git-auth-helper tests', () => { | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet = | ||||
|     'configureSubmoduleAuth configures token when persist credentials true and SSH key set' | ||||
|   const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet = | ||||
|     'configureSubmoduleAuth configures submodules when persist credentials true and SSH key set' | ||||
|   it( | ||||
|     configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet, | ||||
|     configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet, | ||||
|     async () => { | ||||
|       if (!sshPath) { | ||||
|         process.stdout.write( | ||||
|           `Skipped test "${configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n` | ||||
|           `Skipped test "${configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n` | ||||
|         ) | ||||
|         return | ||||
|       } | ||||
|  | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet | ||||
|         configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet | ||||
|       ) | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
|       await authHelper.configureAuth() | ||||
| @@ -490,96 +552,12 @@ describe('git-auth-helper tests', () => { | ||||
|       await authHelper.configureSubmoduleAuth() | ||||
|  | ||||
|       // Assert | ||||
|       expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2) | ||||
|       expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3) | ||||
|       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( | ||||
|         /unset-all.*insteadOf/ | ||||
|       ) | ||||
|       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/) | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_doesNotConfigureTokenWhenPersistCredentialsFalse = | ||||
|     'configureSubmoduleAuth does not configure token when persist credentials false' | ||||
|   it( | ||||
|     configureSubmoduleAuth_doesNotConfigureTokenWhenPersistCredentialsFalse, | ||||
|     async () => { | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_doesNotConfigureTokenWhenPersistCredentialsFalse | ||||
|       ) | ||||
|       settings.persistCredentials = false | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
|       await authHelper.configureAuth() | ||||
|       const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any> | ||||
|       mockSubmoduleForeach.mockClear() // reset calls | ||||
|  | ||||
|       // Act | ||||
|       await authHelper.configureSubmoduleAuth() | ||||
|  | ||||
|       // Assert | ||||
|       expect(mockSubmoduleForeach).toBeCalledTimes(1) | ||||
|       expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch( | ||||
|         /unset-all.*insteadOf/ | ||||
|       ) | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet = | ||||
|     'configureSubmoduleAuth does not configure URL insteadOf when persist credentials true and SSH key set' | ||||
|   it( | ||||
|     configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet, | ||||
|     async () => { | ||||
|       if (!sshPath) { | ||||
|         process.stdout.write( | ||||
|           `Skipped test "${configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n` | ||||
|         ) | ||||
|         return | ||||
|       } | ||||
|  | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet | ||||
|       ) | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
|       await authHelper.configureAuth() | ||||
|       const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any> | ||||
|       mockSubmoduleForeach.mockClear() // reset calls | ||||
|  | ||||
|       // Act | ||||
|       await authHelper.configureSubmoduleAuth() | ||||
|  | ||||
|       // Assert | ||||
|       expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2) | ||||
|       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( | ||||
|         /unset-all.*insteadOf/ | ||||
|       ) | ||||
|       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/) | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   const configureSubmoduleAuth_removesUrlInsteadOfWhenPersistCredentialsFalse = | ||||
|     'configureSubmoduleAuth removes URL insteadOf when persist credentials false' | ||||
|   it( | ||||
|     configureSubmoduleAuth_removesUrlInsteadOfWhenPersistCredentialsFalse, | ||||
|     async () => { | ||||
|       // Arrange | ||||
|       await setup( | ||||
|         configureSubmoduleAuth_removesUrlInsteadOfWhenPersistCredentialsFalse | ||||
|       ) | ||||
|       settings.persistCredentials = false | ||||
|       const authHelper = gitAuthHelper.createAuthHelper(git, settings) | ||||
|       await authHelper.configureAuth() | ||||
|       const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any> | ||||
|       mockSubmoduleForeach.mockClear() // reset calls | ||||
|  | ||||
|       // Act | ||||
|       await authHelper.configureSubmoduleAuth() | ||||
|  | ||||
|       // Assert | ||||
|       expect(mockSubmoduleForeach).toBeCalledTimes(1) | ||||
|       expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch( | ||||
|         /unset-all.*insteadOf/ | ||||
|       ) | ||||
|       expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/) | ||||
|     } | ||||
|   ) | ||||
|  | ||||
|   | ||||
| @@ -16,7 +16,7 @@ inputs: | ||||
|       commands. The post-job step removes the PAT. | ||||
|  | ||||
|  | ||||
|       We recommend creating a service account with the least permissions necessary. | ||||
|       We recommend using a service account with the least permissions necessary. | ||||
|       Also when generating a new PAT, select the least scopes necessary. | ||||
|  | ||||
|  | ||||
| @@ -24,12 +24,12 @@ inputs: | ||||
|     default: ${{ github.token }} | ||||
|   ssh-key: | ||||
|     description: > | ||||
|       SSH key used to fetch the repository. SSH key is configured with the local | ||||
|       SSH key used to fetch the repository. The SSH key is configured with the local | ||||
|       git config, which enables your scripts to run authenticated git commands. | ||||
|       The post-job step removes the SSH key. | ||||
|  | ||||
|  | ||||
|       We recommend creating a service account with the least permissions necessary. | ||||
|       We recommend using a service account with the least permissions necessary. | ||||
|  | ||||
|  | ||||
|       [Learn more about creating and using | ||||
|   | ||||
							
								
								
									
										27
									
								
								dist/index.js
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										27
									
								
								dist/index.js
									
									
									
									
										vendored
									
									
								
							| @@ -5122,6 +5122,7 @@ class GitAuthHelper { | ||||
|         this.tokenConfigKey = `http.https://${HOSTNAME}/.extraheader`; | ||||
|         this.insteadOfKey = `url.https://${HOSTNAME}/.insteadOf`; | ||||
|         this.insteadOfValue = `git@${HOSTNAME}:`; | ||||
|         this.sshCommand = ''; | ||||
|         this.sshKeyPath = ''; | ||||
|         this.sshKnownHostsPath = ''; | ||||
|         this.temporaryHomePath = ''; | ||||
| @@ -5205,8 +5206,12 @@ class GitAuthHelper { | ||||
|                     core.debug(`Replacing token placeholder in '${configPath}'`); | ||||
|                     this.replaceTokenPlaceholder(configPath); | ||||
|                 } | ||||
|                 // Configure HTTPS instead of SSH | ||||
|                 if (!this.settings.sshKey) { | ||||
|                 if (this.settings.sshKey) { | ||||
|                     // Configure core.sshCommand | ||||
|                     yield this.git.submoduleForeach(`git config --local '${SSH_COMMAND_KEY}' '${this.sshCommand}'`, this.settings.nestedSubmodules); | ||||
|                 } | ||||
|                 else { | ||||
|                     // Configure HTTPS instead of SSH | ||||
|                     yield this.git.submoduleForeach(`git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`, this.settings.nestedSubmodules); | ||||
|                 } | ||||
|             } | ||||
| @@ -5268,16 +5273,16 @@ class GitAuthHelper { | ||||
|             yield fs.promises.writeFile(this.sshKnownHostsPath, knownHosts); | ||||
|             // Configure GIT_SSH_COMMAND | ||||
|             const sshPath = yield io.which('ssh', true); | ||||
|             let sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(this.sshKeyPath)}"`; | ||||
|             this.sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(this.sshKeyPath)}"`; | ||||
|             if (this.settings.sshStrict) { | ||||
|                 sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no'; | ||||
|                 this.sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no'; | ||||
|             } | ||||
|             sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(this.sshKnownHostsPath)}"`; | ||||
|             core.info(`Temporarily overriding GIT_SSH_COMMAND=${sshCommand}`); | ||||
|             this.git.setEnvironmentVariable('GIT_SSH_COMMAND', sshCommand); | ||||
|             this.sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(this.sshKnownHostsPath)}"`; | ||||
|             core.info(`Temporarily overriding GIT_SSH_COMMAND=${this.sshCommand}`); | ||||
|             this.git.setEnvironmentVariable('GIT_SSH_COMMAND', this.sshCommand); | ||||
|             // Configure core.sshCommand | ||||
|             if (this.settings.persistCredentials) { | ||||
|                 yield this.git.config(SSH_COMMAND_KEY, sshCommand); | ||||
|                 yield this.git.config(SSH_COMMAND_KEY, this.sshCommand); | ||||
|             } | ||||
|         }); | ||||
|     } | ||||
| @@ -5820,6 +5825,12 @@ function getSource(settings) { | ||||
|             // Downloading using REST API | ||||
|             core.info(`The repository will be downloaded using the GitHub REST API`); | ||||
|             core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`); | ||||
|             if (settings.submodules) { | ||||
|                 throw new Error(`Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`); | ||||
|             } | ||||
|             else if (settings.sshKey) { | ||||
|                 throw new Error(`Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`); | ||||
|             } | ||||
|             yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath); | ||||
|             return; | ||||
|         } | ||||
|   | ||||
| @@ -37,6 +37,7 @@ class GitAuthHelper { | ||||
|   private readonly tokenPlaceholderConfigValue: string | ||||
|   private readonly insteadOfKey: string = `url.https://${HOSTNAME}/.insteadOf` | ||||
|   private readonly insteadOfValue: string = `git@${HOSTNAME}:` | ||||
|   private sshCommand = '' | ||||
|   private sshKeyPath = '' | ||||
|   private sshKnownHostsPath = '' | ||||
|   private temporaryHomePath = '' | ||||
| @@ -144,8 +145,14 @@ class GitAuthHelper { | ||||
|         this.replaceTokenPlaceholder(configPath) | ||||
|       } | ||||
|  | ||||
|       // Configure HTTPS instead of SSH | ||||
|       if (!this.settings.sshKey) { | ||||
|       if (this.settings.sshKey) { | ||||
|         // Configure core.sshCommand | ||||
|         await this.git.submoduleForeach( | ||||
|           `git config --local '${SSH_COMMAND_KEY}' '${this.sshCommand}'`, | ||||
|           this.settings.nestedSubmodules | ||||
|         ) | ||||
|       } else { | ||||
|         // Configure HTTPS instead of SSH | ||||
|         await this.git.submoduleForeach( | ||||
|           `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`, | ||||
|           this.settings.nestedSubmodules | ||||
| @@ -218,21 +225,21 @@ class GitAuthHelper { | ||||
|  | ||||
|     // Configure GIT_SSH_COMMAND | ||||
|     const sshPath = await io.which('ssh', true) | ||||
|     let sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename( | ||||
|     this.sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename( | ||||
|       this.sshKeyPath | ||||
|     )}"` | ||||
|     if (this.settings.sshStrict) { | ||||
|       sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no' | ||||
|       this.sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no' | ||||
|     } | ||||
|     sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename( | ||||
|     this.sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename( | ||||
|       this.sshKnownHostsPath | ||||
|     )}"` | ||||
|     core.info(`Temporarily overriding GIT_SSH_COMMAND=${sshCommand}`) | ||||
|     this.git.setEnvironmentVariable('GIT_SSH_COMMAND', sshCommand) | ||||
|     core.info(`Temporarily overriding GIT_SSH_COMMAND=${this.sshCommand}`) | ||||
|     this.git.setEnvironmentVariable('GIT_SSH_COMMAND', this.sshCommand) | ||||
|  | ||||
|     // Configure core.sshCommand | ||||
|     if (this.settings.persistCredentials) { | ||||
|       await this.git.config(SSH_COMMAND_KEY, sshCommand) | ||||
|       await this.git.config(SSH_COMMAND_KEY, this.sshCommand) | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   | ||||
| @@ -57,6 +57,16 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> { | ||||
|     core.info( | ||||
|       `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH` | ||||
|     ) | ||||
|     if (settings.submodules) { | ||||
|       throw new Error( | ||||
|         `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.` | ||||
|       ) | ||||
|     } else if (settings.sshKey) { | ||||
|       throw new Error( | ||||
|         `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.` | ||||
|       ) | ||||
|     } | ||||
|  | ||||
|     await githubApiHelper.downloadRepository( | ||||
|       settings.authToken, | ||||
|       settings.repositoryOwner, | ||||
|   | ||||
		Reference in New Issue
	
	Block a user