Compare commits

..

3 Commits

Author SHA1 Message Date
eric sciple 71cf2267d8 v6-beta (#2298) 2025-11-03 13:40:10 -06:00
eric sciple 069c695914 Persist creds to a separate file (#2286) 2025-11-03 13:08:38 -06:00
Salman Chishti ff7abcd0c3 Update README to include Node.js 24 support details and requirements (#2248)
* Update README to include Node.js 24 support details and requirements

* Update
2025-08-13 13:57:25 +01:00
16 changed files with 754 additions and 993 deletions
+4 -5
View File
@@ -302,12 +302,15 @@ jobs:
# Clone this repo
- name: Checkout
uses: actions/checkout@v4.1.6
with:
path: actions-checkout
# Basic checkout using git
- name: Checkout basic
id: checkout
uses: ./
uses: ./actions-checkout
with:
path: cloned-using-local-action
ref: test-data/v2/basic
# Verify output
@@ -325,7 +328,3 @@ jobs:
echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
exit 1
fi
# needed to make checkout post cleanup succeed
- name: Fix Checkout
uses: actions/checkout@v4.1.6
+16 -13
View File
@@ -1,10 +1,21 @@
[![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
# Checkout V5
# Checkout v6-beta
Checkout v5 now supports Node.js 24
## What's new
# Checkout V4
- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
- This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
# Checkout v5
## What's new
- Updated to the node24 runtime
- This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
# Checkout v4
This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
@@ -148,24 +159,16 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
# running from unless specified. Example URLs are https://github.com or
# https://my-ghes-server.example.com
github-server-url: ''
# Required to check out fork pull request code from a workflow triggered by
# `pull_request_target` or `workflow_run`. These workflows run with the base
# repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
# access; fetching and executing a fork's code in that trusted context commonly
# leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
# risks at https://gh.io/securely-using-pull_request_target.
# Default: false
allow-unsafe-pr-checkout: ''
```
<!-- end usage -->
# Scenarios
- [Checkout V5](#checkout-v5)
- [What's new](#whats-new)
- [Checkout V4](#checkout-v4)
- [Note](#note)
- [What's new](#whats-new)
- [What's new](#whats-new-1)
- [Usage](#usage)
- [Scenarios](#scenarios)
- [Fetch only the root files](#fetch-only-the-root-files)
+324 -263
View File
@@ -86,16 +86,29 @@ describe('git-auth-helper tests', () => {
// Act
await authHelper.configureAuth()
// Assert config
const configContent = (
// Assert config - check that .git/config contains includeIf entries
const localConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(
localConfigContent.indexOf('includeIf.gitdir:')
).toBeGreaterThanOrEqual(0)
// Assert credentials config file contains the actual credentials
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`,
'utf8'
).toString('base64')
expect(
configContent.indexOf(
credentialsContent.indexOf(
`http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
)
).toBeGreaterThanOrEqual(0)
@@ -120,7 +133,7 @@ describe('git-auth-helper tests', () => {
'inject https://github.com as github server url'
it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => {
await testAuthHeader(
configureAuth_AcceptsGitHubServerUrl,
configureAuth_AcceptsGitHubServerUrlSetToGHEC,
'https://github.com'
)
})
@@ -141,12 +154,17 @@ describe('git-auth-helper tests', () => {
// Act
await authHelper.configureAuth()
// Assert config
const configContent = (
await fs.promises.readFile(localGitConfigPath)
// Assert config - check credentials config file (not local .git/config)
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
expect(
configContent.indexOf(
credentialsContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION`
)
).toBeGreaterThanOrEqual(0)
@@ -251,13 +269,16 @@ describe('git-auth-helper tests', () => {
expectedSshCommand
)
// Asserty git config
// Assert git config
const gitConfigLines = (await fs.promises.readFile(localGitConfigPath))
.toString()
.split('\n')
.filter(x => x)
expect(gitConfigLines).toHaveLength(1)
expect(gitConfigLines[0]).toMatch(/^http\./)
// Should have includeIf entries pointing to credentials file
expect(gitConfigLines.length).toBeGreaterThan(0)
expect(
gitConfigLines.some(line => line.indexOf('includeIf.gitdir:') >= 0)
).toBeTruthy()
})
const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
@@ -419,8 +440,20 @@ describe('git-auth-helper tests', () => {
expect(
configContent.indexOf('value-from-global-config')
).toBeGreaterThanOrEqual(0)
// Global config should have include.path pointing to credentials file
expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
// Check credentials in the separate config file
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBeGreaterThan(0)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
expect(
configContent.indexOf(
credentialsContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
)
).toBeGreaterThanOrEqual(0)
@@ -463,8 +496,20 @@ describe('git-auth-helper tests', () => {
const configContent = (
await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
).toString()
// Global config should have include.path pointing to credentials file
expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
// Check credentials in the separate config file
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBeGreaterThan(0)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
expect(
configContent.indexOf(
credentialsContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
)
).toBeGreaterThanOrEqual(0)
@@ -550,15 +595,15 @@ describe('git-auth-helper tests', () => {
await authHelper.configureSubmoduleAuth()
// Assert
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
// Should configure insteadOf (2 calls for two values)
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
/unset-all.*insteadOf/
)
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(
/url.*insteadOf.*git@github.com:/
)
expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
/url.*insteadOf.*org-123456@github.com:/
)
}
@@ -589,12 +634,12 @@ describe('git-auth-helper tests', () => {
await authHelper.configureSubmoduleAuth()
// Assert
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
// Should configure sshCommand (1 call)
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
/unset-all.*insteadOf/
)
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/)
}
)
@@ -660,112 +705,81 @@ describe('git-auth-helper tests', () => {
await setup(removeAuth_removesToken)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
let gitConfigContent = (
// Verify includeIf entries exist in local config
let localConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check
expect(
localConfigContent.indexOf('includeIf.gitdir:')
).toBeGreaterThanOrEqual(0)
// Act
await authHelper.removeAuth()
// Verify both host and container includeIf entries are present
const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
expect(
localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
).toBeGreaterThanOrEqual(0)
expect(
localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
).toBeGreaterThanOrEqual(0)
// Assert git config
gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
// Verify credentials file exists
let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
// Verify credentials file contains the auth token
let credentialsContent = (
await fs.promises.readFile(credentialsFilePath)
).toString()
expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
})
const removeAuth_removesV6StyleCredentials =
'removeAuth removes v6 style credentials'
it(removeAuth_removesV6StyleCredentials, async () => {
// Arrange
await setup(removeAuth_removesV6StyleCredentials)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
// Manually create v6-style credentials that would be left by v6
const credentialsFileName =
'git-credentials-12345678-1234-1234-1234-123456789abc.config'
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`,
'utf8'
).toString('base64')
const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
// Add includeIf entries to local git config (simulating v6 configuration)
const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
await fs.promises.appendFile(
localGitConfigPath,
`[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
)
await fs.promises.appendFile(
localGitConfigPath,
`[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
)
// Verify v6 style config exists
let gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
expect(
gitConfigContent.indexOf(credentialsFilePath)
credentialsContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
)
).toBeGreaterThanOrEqual(0)
await fs.promises.stat(credentialsFilePath) // Verify file exists
// Mock the git methods to handle v6 cleanup
const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
mockTryGetConfigKeys.mockResolvedValue([
`includeIf.gitdir:${hostGitDir}/.path`,
'includeIf.gitdir:/github/workspace/.git/.path'
])
const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
mockTryGetConfigValues.mockImplementation(async (key: string) => {
if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
return [credentialsFilePath]
}
if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
return [`/github/runner_temp/${credentialsFileName}`]
}
return []
})
const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
any,
any
>
mockTryConfigUnsetValue.mockImplementation(
async (
key: string,
value: string,
globalConfig?: boolean,
configPath?: string
) => {
const targetPath = configPath || localGitConfigPath
let content = await fs.promises.readFile(targetPath, 'utf8')
// Remove the includeIf section
const lines = content
.split('\n')
.filter(line => !line.includes('includeIf') && !line.includes(value))
await fs.promises.writeFile(targetPath, lines.join('\n'))
return true
}
// Verify the includeIf entries point to the credentials file
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsFilePath)
)
expect(
localConfigContent.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
expect(
localConfigContent.indexOf(containerCredentialsPath)
).toBeGreaterThanOrEqual(0)
// Act
await authHelper.removeAuth()
// Assert includeIf entries removed from local git config
gitConfigContent = (
// Assert all includeIf entries removed from local git config
localConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
expect(
localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
).toBeLessThan(0)
expect(
localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
).toBeLessThan(0)
expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
// Assert credentials config file deleted
credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(0)
// Verify credentials file no longer exists on disk
try {
await fs.promises.stat(credentialsFilePath)
throw new Error('Credentials file should have been deleted')
@@ -776,113 +790,108 @@ describe('git-auth-helper tests', () => {
}
})
const removeAuth_removesV6StyleCredentialsFromSubmodules =
'removeAuth removes v6 style credentials from submodules'
it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
const removeAuth_removesTokenFromSubmodules =
'removeAuth removes token from submodules'
it(removeAuth_removesTokenFromSubmodules, async () => {
// Arrange
await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
await setup(removeAuth_removesTokenFromSubmodules)
// Create fake submodule config paths
const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
const submodule1ConfigPath = path.join(submodule1Dir, 'config')
const submodule2ConfigPath = path.join(submodule2Dir, 'config')
await fs.promises.mkdir(submodule1Dir, {recursive: true})
await fs.promises.mkdir(submodule2Dir, {recursive: true})
await fs.promises.writeFile(submodule1ConfigPath, '')
await fs.promises.writeFile(submodule2ConfigPath, '')
// Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
const mockGetSubmoduleConfigPaths =
git.getSubmoduleConfigPaths as jest.Mock<any, any>
mockGetSubmoduleConfigPaths.mockResolvedValue([
submodule1ConfigPath,
submodule2ConfigPath
])
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
await authHelper.configureSubmoduleAuth()
// Create v6-style credentials file
const credentialsFileName =
'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`,
'utf8'
).toString('base64')
const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
// Add includeIf entries to submodule config
const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
await fs.promises.appendFile(
submodule1ConfigPath,
`[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
// Verify credentials file exists
let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
// Verify submodule config has includeIf entry
let submoduleConfigContent = (
// Verify submodule 1 config has includeIf entries
let submodule1Content = (
await fs.promises.readFile(submodule1ConfigPath)
).toString()
expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
0
)
const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
expect(
submoduleConfigContent.indexOf(credentialsFilePath)
submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
).toBeGreaterThanOrEqual(0)
expect(
submodule1Content.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Mock getSubmoduleConfigPaths
const mockGetSubmoduleConfigPaths =
git.getSubmoduleConfigPaths as jest.Mock<any, any>
mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
// Verify submodule 2 config has includeIf entries
let submodule2Content = (
await fs.promises.readFile(submodule2ConfigPath)
).toString()
const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
expect(
submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
).toBeGreaterThanOrEqual(0)
expect(
submodule2Content.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Mock tryGetConfigKeys for submodule
const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
mockTryGetConfigKeys.mockImplementation(
async (pattern: string, globalConfig?: boolean, configPath?: string) => {
if (configPath === submodule1ConfigPath) {
return [`includeIf.gitdir:${submodule1GitDir}/.path`]
}
return []
}
// Verify both host and container paths are in each submodule config
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsFilePath)
)
expect(
submodule1Content.indexOf(containerCredentialsPath)
).toBeGreaterThanOrEqual(0)
expect(
submodule2Content.indexOf(containerCredentialsPath)
).toBeGreaterThanOrEqual(0)
// Mock tryGetConfigValues for submodule
const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
mockTryGetConfigValues.mockImplementation(
async (key: string, globalConfig?: boolean, configPath?: string) => {
if (
configPath === submodule1ConfigPath &&
key === `includeIf.gitdir:${submodule1GitDir}/.path`
) {
return [credentialsFilePath]
}
return []
}
)
// Mock tryConfigUnsetValue for submodule
const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
any,
any
>
mockTryConfigUnsetValue.mockImplementation(
async (
key: string,
value: string,
globalConfig?: boolean,
configPath?: string
) => {
const targetPath = configPath || localGitConfigPath
let content = await fs.promises.readFile(targetPath, 'utf8')
const lines = content
.split('\n')
.filter(line => !line.includes('includeIf') && !line.includes(value))
await fs.promises.writeFile(targetPath, lines.join('\n'))
return true
}
)
// Act
// Act - ensure mock persists for removeAuth
mockGetSubmoduleConfigPaths.mockResolvedValue([
submodule1ConfigPath,
submodule2ConfigPath
])
await authHelper.removeAuth()
// Assert submodule includeIf entries removed
submoduleConfigContent = (
// Assert submodule 1 includeIf entries removed
submodule1Content = (
await fs.promises.readFile(submodule1ConfigPath)
).toString()
expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
// Assert credentials file deleted
// Assert submodule 2 includeIf entries removed
submodule2Content = (
await fs.promises.readFile(submodule2ConfigPath)
).toString()
expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
// Assert credentials config file deleted
credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(0)
// Verify credentials file no longer exists on disk
try {
await fs.promises.stat(credentialsFilePath)
throw new Error('Credentials file should have been deleted')
@@ -893,65 +902,6 @@ describe('git-auth-helper tests', () => {
}
})
const removeAuth_skipsV6CleanupWhenEnvVarSet =
'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
// Arrange
await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
// Set the skip environment variable
process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
// Create v6-style credentials file in RUNNER_TEMP
const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
const credentialsContent =
'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
// Add includeIf section to local git config (separate from http.* config)
const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
await fs.promises.appendFile(localGitConfigPath, includeIfSection)
// Verify v6 style config exists
let gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
await fs.promises.stat(credentialsFilePath) // Verify file exists
// Act
await authHelper.removeAuth()
// Assert v5 cleanup still happened (http.* removed)
gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(
gitConfigContent.indexOf('http.https://github.com/.extraheader')
).toBeLessThan(0)
// Assert v6 cleanup was skipped - includeIf should still be present
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
expect(
gitConfigContent.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Assert credentials file still exists (wasn't deleted)
await fs.promises.stat(credentialsFilePath) // File should still exist
// Assert debug message was logged
expect(core.debug).toHaveBeenCalledWith(
'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
)
// Cleanup
delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
})
const removeGlobalConfig_removesOverride =
'removeGlobalConfig removes override'
it(removeGlobalConfig_removesOverride, async () => {
@@ -978,6 +928,52 @@ describe('git-auth-helper tests', () => {
}
}
})
const testCredentialsConfigPath_matchesCredentialsConfigPaths =
'testCredentialsConfigPath matches credentials config paths'
it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => {
// Arrange
await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
// Get a real credentials config path
const credentialsConfigPath = await (
authHelper as any
).getCredentialsConfigPath()
// Act & Assert
expect(
(authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
).toBe(true)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
)
).toBe(true)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
)
).toBe(true)
// Test invalid paths
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/other-config.config'
)
).toBe(false)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-invalid.config'
)
).toBe(false)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-.config'
)
).toBe(false)
expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
})
})
async function setup(testName: string): Promise<void> {
@@ -992,6 +988,7 @@ async function setup(testName: string): Promise<void> {
await fs.promises.mkdir(tempHomedir, {recursive: true})
process.env['RUNNER_TEMP'] = runnerTemp
process.env['HOME'] = tempHomedir
process.env['GITHUB_WORKSPACE'] = workspace
// Create git config
globalGitConfigPath = path.join(tempHomedir, '.gitconfig')
@@ -1010,10 +1007,20 @@ async function setup(testName: string): Promise<void> {
checkout: jest.fn(),
checkoutDetach: jest.fn(),
config: jest.fn(
async (key: string, value: string, globalConfig?: boolean) => {
const configPath = globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath
async (
key: string,
value: string,
globalConfig?: boolean,
add?: boolean,
configFile?: string
) => {
const configPath =
configFile ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
// Ensure directory exists
await fs.promises.mkdir(path.dirname(configPath), {recursive: true})
await fs.promises.appendFile(configPath, `\n${key} ${value}`)
}
),
@@ -1033,6 +1040,7 @@ async function setup(testName: string): Promise<void> {
env: {},
fetch: jest.fn(),
getDefaultBranch: jest.fn(),
getSubmoduleConfigPaths: jest.fn(async () => []),
getWorkingDirectory: jest.fn(() => workspace),
init: jest.fn(),
isDetached: jest.fn(),
@@ -1071,20 +1079,72 @@ async function setup(testName: string): Promise<void> {
return true
}
),
tryConfigUnsetValue: jest.fn(
async (
key: string,
value: string,
globalConfig?: boolean,
configPath?: string
): Promise<boolean> => {
const targetConfigPath =
configPath ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
let content = await fs.promises.readFile(targetConfigPath)
let lines = content
.toString()
.split('\n')
.filter(x => x)
.filter(x => !(x.startsWith(key) && x.includes(value)))
await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
return true
}
),
tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(),
getSubmoduleConfigPaths: jest.fn(async () => {
return []
}),
tryConfigUnsetValue: jest.fn(async () => {
return true
}),
tryGetConfigValues: jest.fn(async () => {
return []
}),
tryGetConfigKeys: jest.fn(async () => {
return []
}),
tryGetConfigValues: jest.fn(
async (
key: string,
globalConfig?: boolean,
configPath?: string
): Promise<string[]> => {
const targetConfigPath =
configPath ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
const content = await fs.promises.readFile(targetConfigPath)
const lines = content
.toString()
.split('\n')
.filter(x => x && x.startsWith(key))
.map(x => x.substring(key.length).trim())
return lines
}
),
tryGetConfigKeys: jest.fn(
async (
pattern: string,
globalConfig?: boolean,
configPath?: string
): Promise<string[]> => {
const targetConfigPath =
configPath ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
const content = await fs.promises.readFile(targetConfigPath)
const lines = content
.toString()
.split('\n')
.filter(x => x)
const keys = lines
.filter(x => new RegExp(pattern).test(x.split(' ')[0]))
.map(x => x.split(' ')[0])
return [...new Set(keys)] // Remove duplicates
}
),
tryReset: jest.fn(),
version: jest.fn()
}
@@ -1113,13 +1173,13 @@ async function setup(testName: string): Promise<void> {
sshUser: '',
workflowOrganizationId: 123456,
setSafeDirectory: true,
githubServerUrl: githubServerUrl,
allowUnsafePrCheckout: false
githubServerUrl: githubServerUrl
}
}
async function getActualSshKeyPath(): Promise<string> {
let actualTempFiles = (await fs.promises.readdir(runnerTemp))
.filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
.sort()
.map(x => path.join(runnerTemp, x))
if (actualTempFiles.length === 0) {
@@ -1133,6 +1193,7 @@ async function getActualSshKeyPath(): Promise<string> {
async function getActualSshKnownHostsPath(): Promise<string> {
let actualTempFiles = (await fs.promises.readdir(runnerTemp))
.filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
.sort()
.map(x => path.join(runnerTemp, x))
if (actualTempFiles.length === 0) {
+4 -12
View File
@@ -471,6 +471,7 @@ async function setup(testName: string): Promise<void> {
configExists: jest.fn(),
fetch: jest.fn(),
getDefaultBranch: jest.fn(),
getSubmoduleConfigPaths: jest.fn(async () => []),
getWorkingDirectory: jest.fn(() => repositoryPath),
init: jest.fn(),
isDetached: jest.fn(),
@@ -493,24 +494,15 @@ async function setup(testName: string): Promise<void> {
return true
}),
tryConfigUnset: jest.fn(),
tryConfigUnsetValue: jest.fn(),
tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(async () => {
// Sanity check - this function shouldn't be called when the .git directory doesn't exist
await fs.promises.stat(path.join(repositoryPath, '.git'))
return repositoryUrl
}),
getSubmoduleConfigPaths: jest.fn(async () => {
return []
}),
tryConfigUnsetValue: jest.fn(async () => {
return true
}),
tryGetConfigValues: jest.fn(async () => {
return []
}),
tryGetConfigKeys: jest.fn(async () => {
return []
}),
tryGetConfigValues: jest.fn(),
tryGetConfigKeys: jest.fn(),
tryReset: jest.fn(async () => {
return true
}),
-1
View File
@@ -91,7 +91,6 @@ describe('input-helper tests', () => {
expect(settings.repositoryOwner).toBe('some-owner')
expect(settings.repositoryPath).toBe(gitHubWorkspace)
expect(settings.setSafeDirectory).toBe(true)
expect(settings.allowUnsafePrCheckout).toBe(false)
})
it('qualifies ref', async () => {
-267
View File
@@ -1,267 +0,0 @@
import * as github from '@actions/github'
import {assertSafePrCheckout} from '../lib/unsafe-pr-checkout-helper'
// Shallow clone original @actions/github context
const originalContext = {...github.context}
const originalEventName = github.context.eventName
const originalPayload = github.context.payload
const BASE_REPO_ID = 100
const FORK_REPO_ID = 200
const PR_HEAD_SHA = '1111111111111111111111111111111111111111'
const PR_MERGE_SHA = '2222222222222222222222222222222222222222'
const SAFE_BASE_SHA = '3333333333333333333333333333333333333333'
const WORKFLOW_RUN_HEAD_COMMIT_SHA = '4444444444444444444444444444444444444444'
const BASE_QUALIFIED_REPO = 'some-owner/some-repo'
const FORK_QUALIFIED_REPO = 'another-repo/fork'
function setContext(eventName: string, payload: object): void {
;(github.context as {eventName: string}).eventName = eventName
;(github.context as {payload: object}).payload = payload
}
function forkPullRequestTargetPayload(): object {
return {
repository: {id: BASE_REPO_ID},
pull_request: {
head: {
sha: PR_HEAD_SHA,
repo: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
},
merge_commit_sha: PR_MERGE_SHA
}
}
}
function sameRepoPullRequestTargetPayload(): object {
return {
repository: {id: BASE_REPO_ID},
pull_request: {
head: {
sha: PR_HEAD_SHA,
repo: {id: BASE_REPO_ID, full_name: BASE_QUALIFIED_REPO}
},
merge_commit_sha: PR_MERGE_SHA
}
}
}
function forkWorkflowRunPayload(): object {
return {
repository: {id: BASE_REPO_ID},
workflow_run: {
event: 'pull_request',
head_commit: {id: WORKFLOW_RUN_HEAD_COMMIT_SHA},
head_repository: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
}
}
}
describe('unsafe-pr-checkout-helper', () => {
beforeAll(() => {
jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
owner: 'some-owner',
repo: 'some-repo'
})
})
afterEach(() => {
;(github.context as {eventName: string}).eventName = originalEventName
;(github.context as {payload: object}).payload = originalPayload
})
afterAll(() => {
;(github.context as {eventName: string}).eventName =
originalContext.eventName
;(github.context as {payload: object}).payload = originalContext.payload
jest.restoreAllMocks()
})
it('allows pull_request events untouched', () => {
setContext('pull_request', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: 'attacker/fork',
ref: 'refs/pull/1/merge',
commit: '',
allowUnsafePrCheckout: false
})
).not.toThrow()
})
it('allows pull_request_target default checkout (base branch)', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: 'refs/heads/main',
commit: SAFE_BASE_SHA,
allowUnsafePrCheckout: false
})
).not.toThrow()
})
it('allows same-repo pull_request_target checkout of PR head', () => {
setContext('pull_request_target', sameRepoPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: PR_HEAD_SHA,
allowUnsafePrCheckout: false
})
).not.toThrow()
})
it('refuses pull_request_target fork PR head SHA checkout', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: PR_HEAD_SHA,
allowUnsafePrCheckout: false
})
).toThrow(/Refusing to check out fork pull request code/)
})
it('refuses pull_request_target fork PR merge_commit_sha checkout', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: PR_MERGE_SHA,
allowUnsafePrCheckout: false
})
).toThrow(/allow-unsafe-pr-checkout/)
})
it('refuses pull_request_target fork PR ref pattern (head)', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: 'refs/pull/42/head',
commit: '',
allowUnsafePrCheckout: false
})
).toThrow()
})
it('refuses pull_request_target fork PR ref pattern (merge)', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: 'refs/pull/42/merge',
commit: '',
allowUnsafePrCheckout: false
})
).toThrow()
})
it('refuses pull_request_target when repository points at the fork', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: FORK_QUALIFIED_REPO,
ref: 'refs/heads/main',
commit: '',
allowUnsafePrCheckout: false
})
).toThrow()
})
it('allows pull_request_target checkout of an unrelated third-party repo', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: 'some-other/unrelated',
ref: 'refs/heads/main',
commit: '',
allowUnsafePrCheckout: false
})
).not.toThrow()
})
it('refuses pull_request_target ignoring repository case differences', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: FORK_QUALIFIED_REPO.toUpperCase(),
ref: '',
commit: '',
allowUnsafePrCheckout: false
})
).toThrow()
})
it('refuses pull_request_target ignoring commit SHA case differences', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: PR_HEAD_SHA.toUpperCase(),
allowUnsafePrCheckout: false
})
).toThrow()
})
it('allows pull_request_target fork PR checkout when opted in', () => {
setContext('pull_request_target', forkPullRequestTargetPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: 'refs/pull/42/merge',
commit: '',
allowUnsafePrCheckout: true
})
).not.toThrow()
})
it('refuses workflow_run fork PR head_commit.id checkout', () => {
setContext('workflow_run', forkWorkflowRunPayload())
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
allowUnsafePrCheckout: false
})
).toThrow()
})
it('refuses workflow_run with pull_request_target underlying event', () => {
const payload = forkWorkflowRunPayload() as {
workflow_run: {event: string}
}
payload.workflow_run.event = 'pull_request_target'
setContext('workflow_run', payload)
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
allowUnsafePrCheckout: false
})
).toThrow()
})
it('allows workflow_run same-repo PR (head_repository.id matches base)', () => {
const payload = forkWorkflowRunPayload() as {
workflow_run: {head_repository: {id: number}}
}
payload.workflow_run.head_repository.id = BASE_REPO_ID
setContext('workflow_run', payload)
expect(() =>
assertSafePrCheckout({
qualifiedRepository: BASE_QUALIFIED_REPO,
ref: '',
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
allowUnsafePrCheckout: false
})
).not.toThrow()
})
})
+1 -1
View File
@@ -17,7 +17,7 @@ fi
echo "Testing persisted credential"
pushd ./submodules-recursive/submodule-level-1/submodule-level-2
git config --local --name-only --get-regexp http.+extraheader && git fetch
git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
if [ "$?" != "0" ]; then
echo "Failed to validate persisted credential"
popd
+1 -1
View File
@@ -17,7 +17,7 @@ fi
echo "Testing persisted credential"
pushd ./submodules-true/submodule-level-1
git config --local --name-only --get-regexp http.+extraheader && git fetch
git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
if [ "$?" != "0" ]; then
echo "Failed to validate persisted credential"
popd
-9
View File
@@ -98,15 +98,6 @@ inputs:
github-server-url:
description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
required: false
allow-unsafe-pr-checkout:
description: >
Required to check out fork pull request code from a workflow triggered by
`pull_request_target` or `workflow_run`. These workflows run with the
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
runner access; fetching and executing a fork's code in that trusted
context commonly leads to "pwn request" vulnerabilities. Set to `true`
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
default: false
outputs:
ref:
description: 'The branch, tag or SHA that was checked out'
+177 -202
View File
@@ -162,6 +162,7 @@ class GitAuthHelper {
this.sshKeyPath = '';
this.sshKnownHostsPath = '';
this.temporaryHomePath = '';
this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
this.git = gitCommandManager;
this.settings = gitSourceSettings || {};
// Token auth header
@@ -229,15 +230,17 @@ class GitAuthHelper {
configureGlobalAuth() {
return __awaiter(this, void 0, void 0, function* () {
// 'configureTempGlobalConfig' noops if already set, just returns the path
const newGitConfigPath = yield this.configureTempGlobalConfig();
yield this.configureTempGlobalConfig();
try {
// Configure the token
yield this.configureToken(newGitConfigPath, true);
yield this.configureToken(true);
// Configure HTTPS instead of SSH
yield this.git.tryConfigUnset(this.insteadOfKey, true);
if (!this.settings.sshKey) {
for (const insteadOfValue of this.insteadOfValues) {
yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig?
true // add?
);
}
}
}
@@ -252,19 +255,34 @@ class GitAuthHelper {
configureSubmoduleAuth() {
return __awaiter(this, void 0, void 0, function* () {
// Remove possible previous HTTPS instead of SSH
yield this.removeGitConfig(this.insteadOfKey, true);
yield this.removeSubmoduleGitConfig(this.insteadOfKey);
if (this.settings.persistCredentials) {
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const output = yield this.git.submoduleForeach(
// wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
// Replace the placeholder
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
// Get the credentials config file path in RUNNER_TEMP
const credentialsConfigPath = this.getCredentialsConfigPath();
// Container credentials config path
const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
// Get submodule config file paths.
const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
// For each submodule, configure includeIf entries pointing to the shared credentials file.
// Configure both host and container paths to support Docker container actions.
for (const configPath of configPaths) {
core.debug(`Replacing token placeholder in '${configPath}'`);
yield this.replaceTokenPlaceholder(configPath);
// Submodule Git directory
let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
// Configure host includeIf
yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
false, // add?
configPath);
// Container submodule git directory
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
// Configure container includeIf
yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
false, // add?
configPath);
}
if (this.settings.sshKey) {
// Configure core.sshCommand
@@ -295,6 +313,10 @@ class GitAuthHelper {
}
});
}
/**
* Configures SSH authentication by writing the SSH key and known hosts,
* and setting up the GIT_SSH_COMMAND environment variable.
*/
configureSsh() {
return __awaiter(this, void 0, void 0, function* () {
if (!this.settings.sshKey) {
@@ -351,43 +373,88 @@ class GitAuthHelper {
}
});
}
configureToken(configPath, globalConfig) {
/**
* Configures token-based authentication by creating a credentials config file
* and setting up includeIf entries to reference it.
* @param globalConfig Whether to configure global config instead of local
*/
configureToken(globalConfig) {
return __awaiter(this, void 0, void 0, function* () {
// Validate args
assert.ok((configPath && globalConfig) || (!configPath && !globalConfig), 'Unexpected configureToken parameter combinations');
// Default config path
if (!configPath && !globalConfig) {
configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config');
}
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, globalConfig);
// Replace the placeholder
yield this.replaceTokenPlaceholder(configPath || '');
});
}
replaceTokenPlaceholder(configPath) {
return __awaiter(this, void 0, void 0, function* () {
assert.ok(configPath, 'configPath is not defined');
let content = (yield fs.promises.readFile(configPath)).toString();
// Get the credentials config file path in RUNNER_TEMP
const credentialsConfigPath = this.getCredentialsConfigPath();
// Write placeholder to the separate credentials config file using git config.
// This approach avoids the credential being captured by process creation audit events,
// which are commonly logged. For more information, refer to
// https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig?
false, // add?
credentialsConfigPath);
// Replace the placeholder in the credentials config file
let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
if (placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
throw new Error(`Unable to replace auth placeholder in ${configPath}`);
throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`);
}
assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
yield fs.promises.writeFile(configPath, content);
yield fs.promises.writeFile(credentialsConfigPath, content);
// Add include or includeIf to reference the credentials config
if (globalConfig) {
// Global config file is temporary
yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
);
}
else {
// Host git directory
let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
// Configure host includeIf
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
yield this.git.config(hostIncludeKey, credentialsConfigPath);
// Container git directory
const workingDirectory = this.git.getWorkingDirectory();
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
let relativePath = path.relative(githubWorkspace, workingDirectory);
relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
// Container credentials config path
const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
yield this.git.config(containerIncludeKey, containerCredentialsPath);
}
});
}
/**
* Gets or creates the path to the credentials config file in RUNNER_TEMP.
* @returns The absolute path to the credentials config file
*/
getCredentialsConfigPath() {
if (this.credentialsConfigPath) {
return this.credentialsConfigPath;
}
const runnerTemp = process.env['RUNNER_TEMP'] || '';
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
// Create a unique filename for this checkout instance
const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
this.credentialsConfigPath = path.join(runnerTemp, configFileName);
core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
return this.credentialsConfigPath;
}
/**
* Removes SSH authentication configuration by cleaning up SSH keys,
* known hosts files, and SSH command configurations.
*/
removeSsh() {
return __awaiter(this, void 0, void 0, function* () {
var _a;
var _a, _b;
// SSH key
const keyPath = this.sshKeyPath || stateHelper.SshKeyPath;
if (keyPath) {
try {
core.info(`Removing SSH key '${keyPath}'`);
yield io.rmRF(keyPath);
}
catch (err) {
@@ -399,82 +466,91 @@ class GitAuthHelper {
const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath;
if (knownHostsPath) {
try {
core.info(`Removing SSH known hosts '${knownHostsPath}'`);
yield io.rmRF(knownHostsPath);
}
catch (_b) {
// Intentionally empty
catch (err) {
core.debug(`${(_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : err}`);
core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`);
}
}
// SSH command
core.info('Removing SSH command configuration');
yield this.removeGitConfig(SSH_COMMAND_KEY);
yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
});
}
/**
* Removes token-based authentication by cleaning up HTTP headers,
* includeIf entries, and credentials config files.
*/
removeToken() {
return __awaiter(this, void 0, void 0, function* () {
// Remove HTTP extra header from local git config and submodule configs
var _a;
// Remove HTTP extra header
core.info('Removing HTTP extra header');
yield this.removeGitConfig(this.tokenConfigKey);
//
// Cleanup actions/checkout@v6 style credentials
//
const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
return;
yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set();
// Remove includeIf entries that point to git-credentials-*.config files
core.info('Removing includeIf entries pointing to credentials config files');
const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
// Remove submodule includeIf entries that point to git-credentials-*.config files
const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
}
try {
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set();
// Remove includeIf entries that point to git-credentials-*.config files
const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
// Remove submodule includeIf entries that point to git-credentials-*.config files
try {
const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP'];
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
if (credentialsPath.startsWith(runnerTemp)) {
try {
core.info(`Removing credentials config '${credentialsPath}'`);
yield io.rmRF(credentialsPath);
}
catch (err) {
core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
core.warning(`Failed to remove credentials config '${credentialsPath}'`);
}
}
catch (err) {
core.debug(`Unable to get submodule config paths: ${err}`);
else {
core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`);
}
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP'];
if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
try {
yield io.rmRF(credentialsPath);
}
catch (err) {
core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
}
}
}
}
catch (err) {
core.debug(`Failed to cleanup v6 style credentials: ${err}`);
}
});
}
removeGitConfig(configKey_1) {
return __awaiter(this, arguments, void 0, function* (configKey, submoduleOnly = false) {
if (!submoduleOnly) {
if ((yield this.git.configExists(configKey)) &&
!(yield this.git.tryConfigUnset(configKey))) {
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`);
}
/**
* Removes a git config key from the local repository config.
* @param configKey The git config key to remove
*/
removeGitConfig(configKey) {
return __awaiter(this, void 0, void 0, function* () {
if ((yield this.git.configExists(configKey)) &&
!(yield this.git.tryConfigUnset(configKey))) {
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`);
}
});
}
/**
* Removes a git config key from all submodule configs.
* @param configKey The git config key to remove
*/
removeSubmoduleGitConfig(configKey) {
return __awaiter(this, void 0, void 0, function* () {
const pattern = regexpHelper.escape(configKey);
yield this.git.submoduleForeach(
// wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline.
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
});
}
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* This handles cleanup of credentials configured by newer versions of the action.
* @param configPath Optional path to a specific git config file to operate on
* @returns Array of unique credentials config file paths that were found and removed
*/
@@ -502,13 +578,18 @@ class GitAuthHelper {
}
catch (err) {
// Ignore errors - this is cleanup code
core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
if (configPath) {
core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`);
}
else {
core.debug(`Error during includeIf cleanup: ${err}`);
}
}
return Array.from(credentialsPaths);
});
}
/**
* Tests if a path matches the git-credentials-*.config pattern used by newer versions.
* Tests if a path matches the git-credentials-*.config pattern.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
@@ -712,9 +793,15 @@ class GitCommandManager {
yield this.execGit(args);
});
}
config(configKey, configValue, globalConfig, add) {
config(configKey, configValue, globalConfig, add, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config', globalConfig ? '--global' : '--local'];
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
if (add) {
args.push('--add');
}
@@ -1859,7 +1946,6 @@ const core = __importStar(__nccwpck_require__(2186));
const fsHelper = __importStar(__nccwpck_require__(7219));
const github = __importStar(__nccwpck_require__(5438));
const path = __importStar(__nccwpck_require__(1017));
const unsafePrCheckoutHelper = __importStar(__nccwpck_require__(843));
const workflowContextHelper = __importStar(__nccwpck_require__(9568));
function getInputs() {
return __awaiter(this, void 0, void 0, function* () {
@@ -1981,17 +2067,6 @@ function getInputs() {
// Determine the GitHub URL that the repository is being hosted from
result.githubServerUrl = core.getInput('github-server-url');
core.debug(`GitHub Host URL = ${result.githubServerUrl}`);
// Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
result.allowUnsafePrCheckout =
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
'TRUE';
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
unsafePrCheckoutHelper.assertSafePrCheckout({
qualifiedRepository,
ref: result.ref,
commit: result.commit,
allowUnsafePrCheckout: result.allowUnsafePrCheckout
});
return result;
});
}
@@ -2132,7 +2207,6 @@ exports.getRefSpecForAllHistory = getRefSpecForAllHistory;
exports.getRefSpec = getRefSpec;
exports.testRef = testRef;
exports.checkCommitInfo = checkCommitInfo;
exports.fromPayload = fromPayload;
const core = __importStar(__nccwpck_require__(2186));
const github = __importStar(__nccwpck_require__(5438));
const url_helper_1 = __nccwpck_require__(9437);
@@ -2565,105 +2639,6 @@ if (!exports.IsPost) {
}
/***/ }),
/***/ 843:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.assertSafePrCheckout = assertSafePrCheckout;
const github = __importStar(__nccwpck_require__(5438));
const ref_helper_1 = __nccwpck_require__(8601);
const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/;
function assertSafePrCheckout(input) {
if (input.allowUnsafePrCheckout) {
return;
}
const eventName = github.context.eventName;
if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
return;
}
const baseRepoId = (0, ref_helper_1.fromPayload)('repository.id');
if (typeof baseRepoId !== 'number') {
return;
}
let prHeadRepoId;
let prHeadRepoFullName;
const prShas = [];
if (eventName === 'pull_request_target') {
prHeadRepoId = (0, ref_helper_1.fromPayload)('pull_request.head.repo.id');
prHeadRepoFullName = (0, ref_helper_1.fromPayload)('pull_request.head.repo.full_name');
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.head.sha'));
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.merge_commit_sha'));
}
else {
const wrEvent = (0, ref_helper_1.fromPayload)('workflow_run.event');
if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
return;
}
prHeadRepoId = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.id');
prHeadRepoFullName = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.full_name');
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_commit.id'));
// For `pull_request_target`-triggered workflow_run, `head_sha` is the base
// default branch SHA (not the PR head)
if (wrEvent !== 'pull_request_target') {
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_sha'));
}
}
// (A) Fork PR?
if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
return;
}
// (B) We cannot check for all fork PR refs so check to see
// if the resolved input points to the fork PR sha we have in the payload
const repositoryMatchesPrHead = typeof prHeadRepoFullName === 'string' &&
input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase();
const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref);
const commitMatchesPrHeadSha = !!input.commit && prShas.includes(input.commit.toLowerCase());
if (!repositoryMatchesPrHead &&
!refMatchesPullPattern &&
!commitMatchesPrHeadSha) {
return;
}
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
`on the actions/checkout step.`);
}
function pushIfSha(target, value) {
if (typeof value === 'string' && value.length > 0) {
target.push(value.toLowerCase());
}
}
/***/ }),
/***/ 9437:
+216 -107
View File
@@ -43,6 +43,7 @@ class GitAuthHelper {
private sshKeyPath = ''
private sshKnownHostsPath = ''
private temporaryHomePath = ''
private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP
constructor(
gitCommandManager: IGitCommandManager,
@@ -126,16 +127,21 @@ class GitAuthHelper {
async configureGlobalAuth(): Promise<void> {
// 'configureTempGlobalConfig' noops if already set, just returns the path
const newGitConfigPath = await this.configureTempGlobalConfig()
await this.configureTempGlobalConfig()
try {
// Configure the token
await this.configureToken(newGitConfigPath, true)
await this.configureToken(true)
// Configure HTTPS instead of SSH
await this.git.tryConfigUnset(this.insteadOfKey, true)
if (!this.settings.sshKey) {
for (const insteadOfValue of this.insteadOfValues) {
await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
await this.git.config(
this.insteadOfKey,
insteadOfValue,
true, // globalConfig?
true // add?
)
}
}
} catch (err) {
@@ -150,24 +156,60 @@ class GitAuthHelper {
async configureSubmoduleAuth(): Promise<void> {
// Remove possible previous HTTPS instead of SSH
await this.removeGitConfig(this.insteadOfKey, true)
await this.removeSubmoduleGitConfig(this.insteadOfKey)
if (this.settings.persistCredentials) {
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const output = await this.git.submoduleForeach(
// wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
// Get the credentials config file path in RUNNER_TEMP
const credentialsConfigPath = this.getCredentialsConfigPath()
// Container credentials config path
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsConfigPath)
)
// Get submodule config file paths.
const configPaths = await this.git.getSubmoduleConfigPaths(
this.settings.nestedSubmodules
)
// Replace the placeholder
const configPaths: string[] =
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
// For each submodule, configure includeIf entries pointing to the shared credentials file.
// Configure both host and container paths to support Docker container actions.
for (const configPath of configPaths) {
core.debug(`Replacing token placeholder in '${configPath}'`)
await this.replaceTokenPlaceholder(configPath)
// Submodule Git directory
let submoduleGitDir = path.dirname(configPath) // The config file is at .git/modules/submodule-name/config
submoduleGitDir = submoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
// Configure host includeIf
await this.git.config(
`includeIf.gitdir:${submoduleGitDir}.path`,
credentialsConfigPath,
false, // globalConfig?
false, // add?
configPath
)
// Container submodule git directory
const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
let relativeSubmoduleGitDir = path.relative(
githubWorkspace,
submoduleGitDir
)
relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
const containerSubmoduleGitDir = path.posix.join(
'/github/workspace',
relativeSubmoduleGitDir
)
// Configure container includeIf
await this.git.config(
`includeIf.gitdir:${containerSubmoduleGitDir}.path`,
containerCredentialsPath,
false, // globalConfig?
false, // add?
configPath
)
}
if (this.settings.sshKey) {
@@ -201,6 +243,10 @@ class GitAuthHelper {
}
}
/**
* Configures SSH authentication by writing the SSH key and known hosts,
* and setting up the GIT_SSH_COMMAND environment variable.
*/
private async configureSsh(): Promise<void> {
if (!this.settings.sshKey) {
return
@@ -272,57 +318,116 @@ class GitAuthHelper {
}
}
private async configureToken(
configPath?: string,
globalConfig?: boolean
): Promise<void> {
// Validate args
assert.ok(
(configPath && globalConfig) || (!configPath && !globalConfig),
'Unexpected configureToken parameter combinations'
)
/**
* Configures token-based authentication by creating a credentials config file
* and setting up includeIf entries to reference it.
* @param globalConfig Whether to configure global config instead of local
*/
private async configureToken(globalConfig?: boolean): Promise<void> {
// Get the credentials config file path in RUNNER_TEMP
const credentialsConfigPath = this.getCredentialsConfigPath()
// Default config path
if (!configPath && !globalConfig) {
configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config')
}
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
// Write placeholder to the separate credentials config file using git config.
// This approach avoids the credential being captured by process creation audit events,
// which are commonly logged. For more information, refer to
// https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
await this.git.config(
this.tokenConfigKey,
this.tokenPlaceholderConfigValue,
globalConfig
false, // globalConfig?
false, // add?
credentialsConfigPath
)
// Replace the placeholder
await this.replaceTokenPlaceholder(configPath || '')
}
private async replaceTokenPlaceholder(configPath: string): Promise<void> {
assert.ok(configPath, 'configPath is not defined')
let content = (await fs.promises.readFile(configPath)).toString()
// Replace the placeholder in the credentials config file
let content = (await fs.promises.readFile(credentialsConfigPath)).toString()
const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
if (
placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
) {
throw new Error(`Unable to replace auth placeholder in ${configPath}`)
throw new Error(
`Unable to replace auth placeholder in ${credentialsConfigPath}`
)
}
assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
content = content.replace(
this.tokenPlaceholderConfigValue,
this.tokenConfigValue
)
await fs.promises.writeFile(configPath, content)
await fs.promises.writeFile(credentialsConfigPath, content)
// Add include or includeIf to reference the credentials config
if (globalConfig) {
// Global config file is temporary
await this.git.config(
'include.path',
credentialsConfigPath,
true // globalConfig?
)
} else {
// Host git directory
let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
// Configure host includeIf
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
await this.git.config(hostIncludeKey, credentialsConfigPath)
// Container git directory
const workingDirectory = this.git.getWorkingDirectory()
const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
let relativePath = path.relative(githubWorkspace, workingDirectory)
relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
const containerGitDir = path.posix.join(
'/github/workspace',
relativePath,
'.git'
)
// Container credentials config path
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsConfigPath)
)
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
await this.git.config(containerIncludeKey, containerCredentialsPath)
}
}
/**
* Gets or creates the path to the credentials config file in RUNNER_TEMP.
* @returns The absolute path to the credentials config file
*/
private getCredentialsConfigPath(): string {
if (this.credentialsConfigPath) {
return this.credentialsConfigPath
}
const runnerTemp = process.env['RUNNER_TEMP'] || ''
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
// Create a unique filename for this checkout instance
const configFileName = `git-credentials-${uuid()}.config`
this.credentialsConfigPath = path.join(runnerTemp, configFileName)
core.debug(`Credentials config path: ${this.credentialsConfigPath}`)
return this.credentialsConfigPath
}
/**
* Removes SSH authentication configuration by cleaning up SSH keys,
* known hosts files, and SSH command configurations.
*/
private async removeSsh(): Promise<void> {
// SSH key
const keyPath = this.sshKeyPath || stateHelper.SshKeyPath
if (keyPath) {
try {
core.info(`Removing SSH key '${keyPath}'`)
await io.rmRF(keyPath)
} catch (err) {
core.debug(`${(err as any)?.message ?? err}`)
@@ -335,88 +440,91 @@ class GitAuthHelper {
this.sshKnownHostsPath || stateHelper.SshKnownHostsPath
if (knownHostsPath) {
try {
core.info(`Removing SSH known hosts '${knownHostsPath}'`)
await io.rmRF(knownHostsPath)
} catch {
// Intentionally empty
} catch (err) {
core.debug(`${(err as any)?.message ?? err}`)
core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`)
}
}
// SSH command
core.info('Removing SSH command configuration')
await this.removeGitConfig(SSH_COMMAND_KEY)
await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
}
/**
* Removes token-based authentication by cleaning up HTTP headers,
* includeIf entries, and credentials config files.
*/
private async removeToken(): Promise<void> {
// Remove HTTP extra header from local git config and submodule configs
// Remove HTTP extra header
core.info('Removing HTTP extra header')
await this.removeGitConfig(this.tokenConfigKey)
await this.removeSubmoduleGitConfig(this.tokenConfigKey)
//
// Cleanup actions/checkout@v6 style credentials
//
const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
core.debug(
'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
)
return
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set<string>()
// Remove includeIf entries that point to git-credentials-*.config files
core.info('Removing includeIf entries pointing to credentials config files')
const mainCredentialsPaths = await this.removeIncludeIfCredentials()
mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
// Remove submodule includeIf entries that point to git-credentials-*.config files
const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true)
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths =
await this.removeIncludeIfCredentials(configPath)
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
}
try {
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set<string>()
// Remove includeIf entries that point to git-credentials-*.config files
const mainCredentialsPaths = await this.removeIncludeIfCredentials()
mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
// Remove submodule includeIf entries that point to git-credentials-*.config files
try {
const submoduleConfigPaths =
await this.git.getSubmoduleConfigPaths(true)
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths =
await this.removeIncludeIfCredentials(configPath)
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP']
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
if (credentialsPath.startsWith(runnerTemp)) {
try {
core.info(`Removing credentials config '${credentialsPath}'`)
await io.rmRF(credentialsPath)
} catch (err) {
core.debug(`${(err as any)?.message ?? err}`)
core.warning(
`Failed to remove credentials config '${credentialsPath}'`
)
}
} catch (err) {
core.debug(`Unable to get submodule config paths: ${err}`)
} else {
core.debug(
`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
)
}
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP']
if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
try {
await io.rmRF(credentialsPath)
} catch (err) {
core.debug(
`Failed to remove credentials config '${credentialsPath}': ${err}`
)
}
}
}
} catch (err) {
core.debug(`Failed to cleanup v6 style credentials: ${err}`)
}
}
private async removeGitConfig(
configKey: string,
submoduleOnly: boolean = false
): Promise<void> {
if (!submoduleOnly) {
if (
(await this.git.configExists(configKey)) &&
!(await this.git.tryConfigUnset(configKey))
) {
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`)
}
/**
* Removes a git config key from the local repository config.
* @param configKey The git config key to remove
*/
private async removeGitConfig(configKey: string): Promise<void> {
if (
(await this.git.configExists(configKey)) &&
!(await this.git.tryConfigUnset(configKey))
) {
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`)
}
}
/**
* Removes a git config key from all submodule configs.
* @param configKey The git config key to remove
*/
private async removeSubmoduleGitConfig(configKey: string): Promise<void> {
const pattern = regexpHelper.escape(configKey)
await this.git.submoduleForeach(
// wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline.
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
true
)
@@ -424,7 +532,6 @@ class GitAuthHelper {
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* This handles cleanup of credentials configured by newer versions of the action.
* @param configPath Optional path to a specific git config file to operate on
* @returns Array of unique credentials config file paths that were found and removed
*/
@@ -460,16 +567,18 @@ class GitAuthHelper {
}
} catch (err) {
// Ignore errors - this is cleanup code
core.debug(
`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
)
if (configPath) {
core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`)
} else {
core.debug(`Error during includeIf cleanup: ${err}`)
}
}
return Array.from(credentialsPaths)
}
/**
* Tests if a path matches the git-credentials-*.config pattern used by newer versions.
* Tests if a path matches the git-credentials-*.config pattern.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
+10 -3
View File
@@ -28,7 +28,8 @@ export interface IGitCommandManager {
configKey: string,
configValue: string,
globalConfig?: boolean,
add?: boolean
add?: boolean,
configFile?: string
): Promise<void>
configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
fetch(
@@ -240,9 +241,15 @@ class GitCommandManager {
configKey: string,
configValue: string,
globalConfig?: boolean,
add?: boolean
add?: boolean,
configFile?: string
): Promise<void> {
const args: string[] = ['config', globalConfig ? '--global' : '--local']
const args: string[] = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
if (add) {
args.push('--add')
}
-6
View File
@@ -118,10 +118,4 @@ export interface IGitSourceSettings {
* User override on the GitHub Server/Host URL that hosts the repository to be cloned
*/
githubServerUrl: string | undefined
/**
* Opt-in to allow checking out fork pull request code from a workflow
* triggered by pull_request_target or workflow_run.
*/
allowUnsafePrCheckout: boolean
}
-14
View File
@@ -2,7 +2,6 @@ import * as core from '@actions/core'
import * as fsHelper from './fs-helper'
import * as github from '@actions/github'
import * as path from 'path'
import * as unsafePrCheckoutHelper from './unsafe-pr-checkout-helper'
import * as workflowContextHelper from './workflow-context-helper'
import {IGitSourceSettings} from './git-source-settings'
@@ -162,18 +161,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
result.githubServerUrl = core.getInput('github-server-url')
core.debug(`GitHub Host URL = ${result.githubServerUrl}`)
// Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
result.allowUnsafePrCheckout =
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
'TRUE'
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
unsafePrCheckoutHelper.assertSafePrCheckout({
qualifiedRepository,
ref: result.ref,
commit: result.commit,
allowUnsafePrCheckout: result.allowUnsafePrCheckout
})
return result
}
+1 -1
View File
@@ -268,7 +268,7 @@ export async function checkCommitInfo(
}
}
export function fromPayload(path: string): any {
function fromPayload(path: string): any {
return select(github.context.payload, path)
}
-88
View File
@@ -1,88 +0,0 @@
import * as github from '@actions/github'
import {fromPayload} from './ref-helper'
const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/
export interface IUnsafePrCheckoutInput {
qualifiedRepository: string
ref: string
commit: string | undefined
allowUnsafePrCheckout: boolean
}
export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
if (input.allowUnsafePrCheckout) {
return
}
const eventName = github.context.eventName
if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
return
}
const baseRepoId = fromPayload('repository.id')
if (typeof baseRepoId !== 'number') {
return
}
let prHeadRepoId: unknown
let prHeadRepoFullName: unknown
const prShas: string[] = []
if (eventName === 'pull_request_target') {
prHeadRepoId = fromPayload('pull_request.head.repo.id')
prHeadRepoFullName = fromPayload('pull_request.head.repo.full_name')
pushIfSha(prShas, fromPayload('pull_request.head.sha'))
pushIfSha(prShas, fromPayload('pull_request.merge_commit_sha'))
} else {
const wrEvent = fromPayload('workflow_run.event')
if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
return
}
prHeadRepoId = fromPayload('workflow_run.head_repository.id')
prHeadRepoFullName = fromPayload('workflow_run.head_repository.full_name')
pushIfSha(prShas, fromPayload('workflow_run.head_commit.id'))
// For `pull_request_target`-triggered workflow_run, `head_sha` is the base
// default branch SHA (not the PR head)
if (wrEvent !== 'pull_request_target') {
pushIfSha(prShas, fromPayload('workflow_run.head_sha'))
}
}
// (A) Fork PR?
if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
return
}
// (B) We cannot check for all fork PR refs so check to see
// if the resolved input points to the fork PR sha we have in the payload
const repositoryMatchesPrHead =
typeof prHeadRepoFullName === 'string' &&
input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase()
const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref)
const commitMatchesPrHeadSha =
!!input.commit && prShas.includes(input.commit.toLowerCase())
if (
!repositoryMatchesPrHead &&
!refMatchesPullPattern &&
!commitMatchesPrHeadSha
) {
return
}
throw new Error(
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
`on the actions/checkout step.`
)
}
function pushIfSha(target: string[], value: unknown): void {
if (typeof value === 'string' && value.length > 0) {
target.push(value.toLowerCase())
}
}