diff --git a/__test__/git-auth-helper.test.ts b/__test__/git-auth-helper.test.ts index 7633704..a15a7f5 100644 --- a/__test__/git-auth-helper.test.ts +++ b/__test__/git-auth-helper.test.ts @@ -796,6 +796,18 @@ async function setup(testName: string): Promise { ), tryDisableAutomaticGarbageCollection: jest.fn(), tryGetFetchUrl: jest.fn(), + getSubmoduleConfigPaths: jest.fn(async () => { + return [] + }), + tryConfigUnsetValue: jest.fn(async () => { + return true + }), + tryGetConfigValues: jest.fn(async () => { + return [] + }), + tryGetConfigKeys: jest.fn(async () => { + return [] + }), tryReset: jest.fn(), version: jest.fn() } diff --git a/__test__/git-directory-helper.test.ts b/__test__/git-directory-helper.test.ts index 22e9ae6..1627b84 100644 --- a/__test__/git-directory-helper.test.ts +++ b/__test__/git-directory-helper.test.ts @@ -499,6 +499,18 @@ async function setup(testName: string): Promise { await fs.promises.stat(path.join(repositoryPath, '.git')) return repositoryUrl }), + getSubmoduleConfigPaths: jest.fn(async () => { + return [] + }), + tryConfigUnsetValue: jest.fn(async () => { + return true + }), + tryGetConfigValues: jest.fn(async () => { + return [] + }), + tryGetConfigKeys: jest.fn(async () => { + return [] + }), tryReset: jest.fn(async () => { return true }), diff --git a/dist/index.js b/dist/index.js index f3ae6f3..0e545db 100644 --- a/dist/index.js +++ b/dist/index.js @@ -411,8 +411,40 @@ class GitAuthHelper { } removeToken() { return __awaiter(this, void 0, void 0, function* () { - // HTTP extra header + // Remove HTTP extra header from local git config and submodule configs yield this.removeGitConfig(this.tokenConfigKey); + // + // Cleanup actions/checkout@v6 style credentials + // + // Collect credentials config paths that need to be removed + const credentialsPaths = new Set(); + // Remove includeIf entries that point to git-credentials-*.config files + const mainCredentialsPaths = yield this.removeIncludeIfCredentials(); + mainCredentialsPaths.forEach(path => credentialsPaths.add(path)); + // Remove submodule includeIf entries that point to git-credentials-*.config files + try { + const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true); + for (const configPath of submoduleConfigPaths) { + const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath); + submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path)); + } + } + catch (err) { + core.debug(`Unable to get submodule config paths: ${err}`); + } + // Remove credentials config files + for (const credentialsPath of credentialsPaths) { + // Only remove credentials config files if they are under RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP']; + if (runnerTemp && credentialsPath.startsWith(runnerTemp)) { + try { + yield io.rmRF(credentialsPath); + } + catch (err) { + core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`); + } + } + } }); } removeGitConfig(configKey_1) { @@ -430,6 +462,49 @@ class GitAuthHelper { `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true); }); } + /** + * Removes includeIf entries that point to git-credentials-*.config files. + * This handles cleanup of credentials configured by newer versions of the action. + * @param configPath Optional path to a specific git config file to operate on + * @returns Array of unique credentials config file paths that were found and removed + */ + removeIncludeIfCredentials(configPath) { + return __awaiter(this, void 0, void 0, function* () { + const credentialsPaths = new Set(); + try { + // Get all includeIf.gitdir keys + const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig? + configPath); + for (const key of keys) { + // Get all values for this key + const values = yield this.git.tryGetConfigValues(key, false, // globalConfig? + configPath); + if (values.length > 0) { + // Remove only values that match git-credentials-.config pattern + for (const value of values) { + if (this.testCredentialsConfigPath(value)) { + credentialsPaths.add(value); + yield this.git.tryConfigUnsetValue(key, value, false, configPath); + } + } + } + } + } + catch (err) { + // Ignore errors - this is cleanup code + core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`); + } + return Array.from(credentialsPaths); + }); + } + /** + * Tests if a path matches the git-credentials-*.config pattern used by newer versions. + * @param path The path to test + * @returns True if the path matches the credentials config pattern + */ + testCredentialsConfigPath(path) { + return /git-credentials-[0-9a-f-]+\.config$/i.test(path); + } } @@ -706,6 +781,16 @@ class GitCommandManager { throw new Error('Unexpected output when retrieving default branch'); }); } + getSubmoduleConfigPaths(recursive) { + return __awaiter(this, void 0, void 0, function* () { + // Get submodule config file paths. + // Use `--show-origin` to get the config file path for each submodule. + const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive); + // Extract config file paths from the output (lines starting with "file:"). + const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []; + return configPaths; + }); + } getWorkingDirectory() { return this.workingDirectory; } @@ -836,6 +921,20 @@ class GitCommandManager { return output.exitCode === 0; }); } + tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) { + return __awaiter(this, void 0, void 0, function* () { + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } + args.push('--unset', configKey, configValue); + const output = yield this.execGit(args, true); + return output.exitCode === 0; + }); + } tryDisableAutomaticGarbageCollection() { return __awaiter(this, void 0, void 0, function* () { const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true); @@ -855,6 +954,46 @@ class GitCommandManager { return stdout; }); } + tryGetConfigValues(configKey, globalConfig, configFile) { + return __awaiter(this, void 0, void 0, function* () { + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } + args.push('--get-all', configKey); + const output = yield this.execGit(args, true); + if (output.exitCode !== 0) { + return []; + } + return output.stdout + .trim() + .split('\n') + .filter(value => value.trim()); + }); + } + tryGetConfigKeys(pattern, globalConfig, configFile) { + return __awaiter(this, void 0, void 0, function* () { + const args = ['config']; + if (configFile) { + args.push('--file', configFile); + } + else { + args.push(globalConfig ? '--global' : '--local'); + } + args.push('--name-only', '--get-regexp', pattern); + const output = yield this.execGit(args, true); + if (output.exitCode !== 0) { + return []; + } + return output.stdout + .trim() + .split('\n') + .filter(key => key.trim()); + }); + } tryReset() { return __awaiter(this, void 0, void 0, function* () { const output = yield this.execGit(['reset', '--hard', 'HEAD'], true); diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index 126e8e5..272c823 100644 --- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -346,8 +346,46 @@ class GitAuthHelper { } private async removeToken(): Promise { - // HTTP extra header + // Remove HTTP extra header from local git config and submodule configs await this.removeGitConfig(this.tokenConfigKey) + + // + // Cleanup actions/checkout@v6 style credentials + // + + // Collect credentials config paths that need to be removed + const credentialsPaths = new Set() + + // Remove includeIf entries that point to git-credentials-*.config files + const mainCredentialsPaths = await this.removeIncludeIfCredentials() + mainCredentialsPaths.forEach(path => credentialsPaths.add(path)) + + // Remove submodule includeIf entries that point to git-credentials-*.config files + try { + const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true) + for (const configPath of submoduleConfigPaths) { + const submoduleCredentialsPaths = + await this.removeIncludeIfCredentials(configPath) + submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path)) + } + } catch (err) { + core.debug(`Unable to get submodule config paths: ${err}`) + } + + // Remove credentials config files + for (const credentialsPath of credentialsPaths) { + // Only remove credentials config files if they are under RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP'] + if (runnerTemp && credentialsPath.startsWith(runnerTemp)) { + try { + await io.rmRF(credentialsPath) + } catch (err) { + core.debug( + `Failed to remove credentials config '${credentialsPath}': ${err}` + ) + } + } + } } private async removeGitConfig( @@ -371,4 +409,59 @@ class GitAuthHelper { true ) } + + /** + * Removes includeIf entries that point to git-credentials-*.config files. + * This handles cleanup of credentials configured by newer versions of the action. + * @param configPath Optional path to a specific git config file to operate on + * @returns Array of unique credentials config file paths that were found and removed + */ + private async removeIncludeIfCredentials( + configPath?: string + ): Promise { + const credentialsPaths = new Set() + + try { + // Get all includeIf.gitdir keys + const keys = await this.git.tryGetConfigKeys( + '^includeIf\\.gitdir:', + false, // globalConfig? + configPath + ) + + for (const key of keys) { + // Get all values for this key + const values = await this.git.tryGetConfigValues( + key, + false, // globalConfig? + configPath + ) + if (values.length > 0) { + // Remove only values that match git-credentials-.config pattern + for (const value of values) { + if (this.testCredentialsConfigPath(value)) { + credentialsPaths.add(value) + await this.git.tryConfigUnsetValue(key, value, false, configPath) + } + } + } + } + } catch (err) { + // Ignore errors - this is cleanup code + core.debug( + `Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}` + ) + } + + return Array.from(credentialsPaths) + } + + /** + * Tests if a path matches the git-credentials-*.config pattern used by newer versions. + * @param path The path to test + * @returns True if the path matches the credentials config pattern + */ + private testCredentialsConfigPath(path: string): boolean { + return /git-credentials-[0-9a-f-]+\.config$/i.test(path) + } } diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index 8e42a38..9c789ac 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -41,6 +41,7 @@ export interface IGitCommandManager { } ): Promise getDefaultBranch(repositoryUrl: string): Promise + getSubmoduleConfigPaths(recursive: boolean): Promise getWorkingDirectory(): string init(): Promise isDetached(): Promise @@ -59,8 +60,24 @@ export interface IGitCommandManager { tagExists(pattern: string): Promise tryClean(): Promise tryConfigUnset(configKey: string, globalConfig?: boolean): Promise + tryConfigUnsetValue( + configKey: string, + configValue: string, + globalConfig?: boolean, + configFile?: string + ): Promise tryDisableAutomaticGarbageCollection(): Promise tryGetFetchUrl(): Promise + tryGetConfigValues( + configKey: string, + globalConfig?: boolean, + configFile?: string + ): Promise + tryGetConfigKeys( + pattern: string, + globalConfig?: boolean, + configFile?: string + ): Promise tryReset(): Promise version(): Promise } @@ -323,6 +340,21 @@ class GitCommandManager { throw new Error('Unexpected output when retrieving default branch') } + async getSubmoduleConfigPaths(recursive: boolean): Promise { + // Get submodule config file paths. + // Use `--show-origin` to get the config file path for each submodule. + const output = await this.submoduleForeach( + `git config --local --show-origin --name-only --get-regexp remote.origin.url`, + recursive + ) + + // Extract config file paths from the output (lines starting with "file:"). + const configPaths = + output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [] + + return configPaths + } + getWorkingDirectory(): string { return this.workingDirectory } @@ -455,6 +487,24 @@ class GitCommandManager { return output.exitCode === 0 } + async tryConfigUnsetValue( + configKey: string, + configValue: string, + globalConfig?: boolean, + configFile?: string + ): Promise { + const args = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } + args.push('--unset', configKey, configValue) + + const output = await this.execGit(args, true) + return output.exitCode === 0 + } + async tryDisableAutomaticGarbageCollection(): Promise { const output = await this.execGit( ['config', '--local', 'gc.auto', '0'], @@ -481,6 +531,56 @@ class GitCommandManager { return stdout } + async tryGetConfigValues( + configKey: string, + globalConfig?: boolean, + configFile?: string + ): Promise { + const args = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } + args.push('--get-all', configKey) + + const output = await this.execGit(args, true) + + if (output.exitCode !== 0) { + return [] + } + + return output.stdout + .trim() + .split('\n') + .filter(value => value.trim()) + } + + async tryGetConfigKeys( + pattern: string, + globalConfig?: boolean, + configFile?: string + ): Promise { + const args = ['config'] + if (configFile) { + args.push('--file', configFile) + } else { + args.push(globalConfig ? '--global' : '--local') + } + args.push('--name-only', '--get-regexp', pattern) + + const output = await this.execGit(args, true) + + if (output.exitCode !== 0) { + return [] + } + + return output.stdout + .trim() + .split('\n') + .filter(key => key.trim()) + } + async tryReset(): Promise { const output = await this.execGit(['reset', '--hard', 'HEAD'], true) return output.exitCode === 0