add input persist-credentials (#107)

This commit is contained in:
eric sciple 2019-12-12 13:49:26 -05:00 committed by GitHub
parent a572f640b0
commit c170eefc26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 149 additions and 128 deletions

@ -18,6 +18,7 @@ jobs:
- run: npm run lint - run: npm run lint
- run: npm run pack - run: npm run pack
- run: npm run gendocs - run: npm run gendocs
- run: npm test
- name: Verify no unstaged changes - name: Verify no unstaged changes
run: __test__/verify-no-unstaged-changes.sh run: __test__/verify-no-unstaged-changes.sh
@ -84,15 +85,12 @@ jobs:
test-job-container: test-job-container:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: pstauffer/curl:latest container: alpine:latest
steps: steps:
# Clone this repo # Clone this repo
# todo: after v2-beta contains the latest changes, switch this to "uses: actions/checkout@v2-beta". Also switch to "alpine:latest" # todo: after v2-beta contains the latest changes, switch this to "uses: actions/checkout@v2-beta"
- name: Checkout - name: Checkout
run: | uses: actions/checkout@a572f640b07e96fc5837b3adfa0e5a2ddd8dae21
curl --location --user token:${{ github.token }} --output checkout.tar.gz https://api.github.com/repos/actions/checkout/tarball/${{ github.sha }}
tar -xzf checkout.tar.gz
mv */* ./
# Basic checkout # Basic checkout
- name: Basic checkout - name: Basic checkout

@ -15,16 +15,16 @@ Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows)
- Improved fetch performance - Improved fetch performance
- The default behavior now fetches only the commit being checked-out - The default behavior now fetches only the commit being checked-out
- Script authenticated git commands - Script authenticated git commands
- Persists `with.token` in the local git config - Persists the input `token` in the local git config
- Enables your scripts to run authenticated git commands - Enables your scripts to run authenticated git commands
- Post-job cleanup removes the token - Post-job cleanup removes the token
- Coming soon: Opt out by setting `with.persist-credentials` to `false` - Opt out by setting the input `persist-credentials: false`
- Creates a local branch - Creates a local branch
- No longer detached HEAD when checking out a branch - No longer detached HEAD when checking out a branch
- A local branch is created with the corresponding upstream branch set - A local branch is created with the corresponding upstream branch set
- Improved layout - Improved layout
- `with.path` is always relative to `github.workspace` - The input `path` is always relative to $GITHUB_WORKSPACE
- Aligns better with container actions, where `github.workspace` gets mapped in - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
- Fallback to REST API download - Fallback to REST API download
- When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
- Removed input `submodules` - Removed input `submodules`
@ -41,15 +41,21 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
# Default: ${{ github.repository }} # Default: ${{ github.repository }}
repository: '' repository: ''
# The branch, tag or SHA to checkout. When checking out the repository that # The branch, tag or SHA to checkout. When checking out the repository that
# triggered a workflow, this defaults to the reference or SHA for that event. # triggered a workflow, this defaults to the reference or SHA for that event.
# Otherwise, defaults to `master`. # Otherwise, defaults to `master`.
ref: '' ref: ''
# Access token for clone repository # Auth token used to fetch the repository. The token is stored in the local git
# config, which enables your scripts to run authenticated git commands. The
# post-job step removes the token from the git config.
# Default: ${{ github.token }} # Default: ${{ github.token }}
token: '' token: ''
# Whether to persist the token in the git config
# Default: true
persist-credentials: ''
# Relative path under $GITHUB_WORKSPACE to place the repository # Relative path under $GITHUB_WORKSPACE to place the repository
path: '' path: ''

@ -63,7 +63,7 @@ describe('input-helper tests', () => {
it('sets defaults', () => { it('sets defaults', () => {
const settings: ISourceSettings = inputHelper.getInputs() const settings: ISourceSettings = inputHelper.getInputs()
expect(settings).toBeTruthy() expect(settings).toBeTruthy()
expect(settings.accessToken).toBeFalsy() expect(settings.authToken).toBeFalsy()
expect(settings.clean).toBe(true) expect(settings.clean).toBe(true)
expect(settings.commit).toBeTruthy() expect(settings.commit).toBeTruthy()
expect(settings.commit).toBe('1234567890123456789012345678901234567890') expect(settings.commit).toBe('1234567890123456789012345678901234567890')

@ -6,12 +6,18 @@ inputs:
default: ${{ github.repository }} default: ${{ github.repository }}
ref: ref:
description: > description: >
The branch, tag or SHA to checkout. When checking out the repository The branch, tag or SHA to checkout. When checking out the repository that
that triggered a workflow, this defaults to the reference or SHA for triggered a workflow, this defaults to the reference or SHA for that
that event. Otherwise, defaults to `master`. event. Otherwise, defaults to `master`.
token: token:
description: 'Access token for clone repository' description: >
Auth token used to fetch the repository. The token is stored in the local
git config, which enables your scripts to run authenticated git commands.
The post-job step removes the token from the git config.
default: ${{ github.token }} default: ${{ github.token }}
persist-credentials:
description: 'Whether to persist the token in the git config'
default: true
path: path:
description: 'Relative path under $GITHUB_WORKSPACE to place the repository' description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
clean: clean:

97
dist/index.js vendored

@ -4838,7 +4838,7 @@ class GitCommandManager {
} }
config(configKey, configValue) { config(configKey, configValue) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
yield this.execGit(['config', configKey, configValue]); yield this.execGit(['config', '--local', configKey, configValue]);
}); });
} }
configExists(configKey) { configExists(configKey) {
@ -4846,7 +4846,7 @@ class GitCommandManager {
const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => { const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => {
return `\\${x}`; return `\\${x}`;
}); });
const output = yield this.execGit(['config', '--name-only', '--get-regexp', pattern], true); const output = yield this.execGit(['config', '--local', '--name-only', '--get-regexp', pattern], true);
return output.exitCode === 0; return output.exitCode === 0;
}); });
} }
@ -4932,19 +4932,19 @@ class GitCommandManager {
} }
tryConfigUnset(configKey) { tryConfigUnset(configKey) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['config', '--unset-all', configKey], true); const output = yield this.execGit(['config', '--local', '--unset-all', configKey], true);
return output.exitCode === 0; return output.exitCode === 0;
}); });
} }
tryDisableAutomaticGarbageCollection() { tryDisableAutomaticGarbageCollection() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['config', 'gc.auto', '0'], true); const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
return output.exitCode === 0; return output.exitCode === 0;
}); });
} }
tryGetFetchUrl() { tryGetFetchUrl() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['config', '--get', 'remote.origin.url'], true); const output = yield this.execGit(['config', '--local', '--get', 'remote.origin.url'], true);
if (output.exitCode !== 0) { if (output.exitCode !== 0) {
return ''; return '';
} }
@ -5121,7 +5121,7 @@ function getSource(settings) {
// Downloading using REST API // Downloading using REST API
core.info(`The repository will be downloaded using the GitHub REST API`); core.info(`The repository will be downloaded using the GitHub REST API`);
core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`); core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
yield githubApiHelper.downloadRepository(settings.accessToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath); yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
} }
else { else {
// Save state for POST action // Save state for POST action
@ -5137,30 +5137,34 @@ function getSource(settings) {
} }
// Remove possible previous extraheader // Remove possible previous extraheader
yield removeGitConfig(git, authConfigKey); yield removeGitConfig(git, authConfigKey);
// Add extraheader (auth) try {
const base64Credentials = Buffer.from(`x-access-token:${settings.accessToken}`, 'utf8').toString('base64'); // Config auth token
core.setSecret(base64Credentials); yield configureAuthToken(git, settings.authToken);
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`; // LFS install
yield git.config(authConfigKey, authConfigValue); if (settings.lfs) {
// LFS install yield git.lfsInstall();
if (settings.lfs) { }
yield git.lfsInstall(); // Fetch
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
yield git.fetch(settings.fetchDepth, refSpec);
// Checkout info
const checkoutInfo = yield refHelper.getCheckoutInfo(git, settings.ref, settings.commit);
// LFS fetch
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
// Explicit lfs fetch will fetch lfs objects in parallel.
if (settings.lfs) {
yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
}
// Checkout
yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
// Dump some info about the checked out commit
yield git.log1();
} }
// Fetch finally {
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit); if (!settings.persistCredentials) {
yield git.fetch(settings.fetchDepth, refSpec); yield removeGitConfig(git, authConfigKey);
// Checkout info }
const checkoutInfo = yield refHelper.getCheckoutInfo(git, settings.ref, settings.commit);
// LFS fetch
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
// Explicit lfs fetch will fetch lfs objects in parallel.
if (settings.lfs) {
yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
} }
// Checkout
yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
// Dump some info about the checked out commit
yield git.log1();
} }
}); });
} }
@ -5265,23 +5269,21 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
} }
}); });
} }
function configureAuthToken(git, authToken) {
return __awaiter(this, void 0, void 0, function* () {
// Add extraheader (auth)
const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
core.setSecret(base64Credentials);
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
yield git.config(authConfigKey, authConfigValue);
});
}
function removeGitConfig(git, configKey) { function removeGitConfig(git, configKey) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
if ((yield git.configExists(configKey)) && if ((yield git.configExists(configKey)) &&
!(yield git.tryConfigUnset(configKey))) { !(yield git.tryConfigUnset(configKey))) {
// Load the config contents // Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`); core.warning(`Failed to remove '${configKey}' from the git config`);
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
fsHelper.fileExistsSync(configPath);
let contents = fs.readFileSync(configPath).toString() || '';
// Filter - only includes lines that do not contain the config key
const upperConfigKey = configKey.toUpperCase();
const split = contents
.split('\n')
.filter(x => !x.toUpperCase().includes(upperConfigKey));
contents = split.join('\n');
// Rewrite the config file
fs.writeFileSync(configPath, contents);
} }
}); });
} }
@ -8403,12 +8405,12 @@ const retryHelper = __importStar(__webpack_require__(587));
const toolCache = __importStar(__webpack_require__(533)); const toolCache = __importStar(__webpack_require__(533));
const v4_1 = __importDefault(__webpack_require__(826)); const v4_1 = __importDefault(__webpack_require__(826));
const IS_WINDOWS = process.platform === 'win32'; const IS_WINDOWS = process.platform === 'win32';
function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPath) { function downloadRepository(authToken, owner, repo, ref, commit, repositoryPath) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
// Download the archive // Download the archive
let archiveData = yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () { let archiveData = yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () {
core.info('Downloading the archive'); core.info('Downloading the archive');
return yield downloadArchive(accessToken, owner, repo, ref, commit); return yield downloadArchive(authToken, owner, repo, ref, commit);
})); }));
// Write archive to disk // Write archive to disk
core.info('Writing archive to disk'); core.info('Writing archive to disk');
@ -8449,9 +8451,9 @@ function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPat
}); });
} }
exports.downloadRepository = downloadRepository; exports.downloadRepository = downloadRepository;
function downloadArchive(accessToken, owner, repo, ref, commit) { function downloadArchive(authToken, owner, repo, ref, commit) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const octokit = new github.GitHub(accessToken); const octokit = new github.GitHub(authToken);
const params = { const params = {
owner: owner, owner: owner,
repo: repo, repo: repo,
@ -12764,8 +12766,11 @@ function getInputs() {
// LFS // LFS
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'; result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE';
core.debug(`lfs = ${result.lfs}`); core.debug(`lfs = ${result.lfs}`);
// Access token // Auth token
result.accessToken = core.getInput('token'); result.authToken = core.getInput('token');
// Persist credentials
result.persistCredentials =
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE';
return result; return result;
} }
exports.getInputs = getInputs; exports.getInputs = getInputs;

@ -116,7 +116,7 @@ class GitCommandManager {
} }
async config(configKey: string, configValue: string): Promise<void> { async config(configKey: string, configValue: string): Promise<void> {
await this.execGit(['config', configKey, configValue]) await this.execGit(['config', '--local', configKey, configValue])
} }
async configExists(configKey: string): Promise<boolean> { async configExists(configKey: string): Promise<boolean> {
@ -124,7 +124,7 @@ class GitCommandManager {
return `\\${x}` return `\\${x}`
}) })
const output = await this.execGit( const output = await this.execGit(
['config', '--name-only', '--get-regexp', pattern], ['config', '--local', '--name-only', '--get-regexp', pattern],
true true
) )
return output.exitCode === 0 return output.exitCode === 0
@ -211,20 +211,23 @@ class GitCommandManager {
async tryConfigUnset(configKey: string): Promise<boolean> { async tryConfigUnset(configKey: string): Promise<boolean> {
const output = await this.execGit( const output = await this.execGit(
['config', '--unset-all', configKey], ['config', '--local', '--unset-all', configKey],
true true
) )
return output.exitCode === 0 return output.exitCode === 0
} }
async tryDisableAutomaticGarbageCollection(): Promise<boolean> { async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
const output = await this.execGit(['config', 'gc.auto', '0'], true) const output = await this.execGit(
['config', '--local', 'gc.auto', '0'],
true
)
return output.exitCode === 0 return output.exitCode === 0
} }
async tryGetFetchUrl(): Promise<string> { async tryGetFetchUrl(): Promise<string> {
const output = await this.execGit( const output = await this.execGit(
['config', '--get', 'remote.origin.url'], ['config', '--local', '--get', 'remote.origin.url'],
true true
) )

@ -1,5 +1,4 @@
import * as core from '@actions/core' import * as core from '@actions/core'
import * as coreCommand from '@actions/core/lib/command'
import * as fs from 'fs' import * as fs from 'fs'
import * as fsHelper from './fs-helper' import * as fsHelper from './fs-helper'
import * as gitCommandManager from './git-command-manager' import * as gitCommandManager from './git-command-manager'
@ -21,7 +20,8 @@ export interface ISourceSettings {
clean: boolean clean: boolean
fetchDepth: number fetchDepth: number
lfs: boolean lfs: boolean
accessToken: string authToken: string
persistCredentials: boolean
} }
export async function getSource(settings: ISourceSettings): Promise<void> { export async function getSource(settings: ISourceSettings): Promise<void> {
@ -65,7 +65,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH` `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
) )
await githubApiHelper.downloadRepository( await githubApiHelper.downloadRepository(
settings.accessToken, settings.authToken,
settings.repositoryOwner, settings.repositoryOwner,
settings.repositoryName, settings.repositoryName,
settings.ref, settings.ref,
@ -94,43 +94,43 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
// Remove possible previous extraheader // Remove possible previous extraheader
await removeGitConfig(git, authConfigKey) await removeGitConfig(git, authConfigKey)
// Add extraheader (auth) try {
const base64Credentials = Buffer.from( // Config auth token
`x-access-token:${settings.accessToken}`, await configureAuthToken(git, settings.authToken)
'utf8'
).toString('base64')
core.setSecret(base64Credentials)
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
await git.config(authConfigKey, authConfigValue)
// LFS install // LFS install
if (settings.lfs) { if (settings.lfs) {
await git.lfsInstall() await git.lfsInstall()
}
// Fetch
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
await git.fetch(settings.fetchDepth, refSpec)
// Checkout info
const checkoutInfo = await refHelper.getCheckoutInfo(
git,
settings.ref,
settings.commit
)
// LFS fetch
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
// Explicit lfs fetch will fetch lfs objects in parallel.
if (settings.lfs) {
await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
}
// Checkout
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
// Dump some info about the checked out commit
await git.log1()
} finally {
if (!settings.persistCredentials) {
await removeGitConfig(git, authConfigKey)
}
} }
// Fetch
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
await git.fetch(settings.fetchDepth, refSpec)
// Checkout info
const checkoutInfo = await refHelper.getCheckoutInfo(
git,
settings.ref,
settings.commit
)
// LFS fetch
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
// Explicit lfs fetch will fetch lfs objects in parallel.
if (settings.lfs) {
await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
}
// Checkout
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
// Dump some info about the checked out commit
await git.log1()
} }
} }
@ -255,6 +255,20 @@ async function prepareExistingDirectory(
} }
} }
async function configureAuthToken(
git: IGitCommandManager,
authToken: string
): Promise<void> {
// Add extraheader (auth)
const base64Credentials = Buffer.from(
`x-access-token:${authToken}`,
'utf8'
).toString('base64')
core.setSecret(base64Credentials)
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
await git.config(authConfigKey, authConfigValue)
}
async function removeGitConfig( async function removeGitConfig(
git: IGitCommandManager, git: IGitCommandManager,
configKey: string configKey: string
@ -264,21 +278,6 @@ async function removeGitConfig(
!(await git.tryConfigUnset(configKey)) !(await git.tryConfigUnset(configKey))
) { ) {
// Load the config contents // Load the config contents
core.warning( core.warning(`Failed to remove '${configKey}' from the git config`)
`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
)
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
fsHelper.fileExistsSync(configPath)
let contents = fs.readFileSync(configPath).toString() || ''
// Filter - only includes lines that do not contain the config key
const upperConfigKey = configKey.toUpperCase()
const split = contents
.split('\n')
.filter(x => !x.toUpperCase().includes(upperConfigKey))
contents = split.join('\n')
// Rewrite the config file
fs.writeFileSync(configPath, contents)
} }
} }

@ -12,7 +12,7 @@ import {ReposGetArchiveLinkParams} from '@octokit/rest'
const IS_WINDOWS = process.platform === 'win32' const IS_WINDOWS = process.platform === 'win32'
export async function downloadRepository( export async function downloadRepository(
accessToken: string, authToken: string,
owner: string, owner: string,
repo: string, repo: string,
ref: string, ref: string,
@ -22,7 +22,7 @@ export async function downloadRepository(
// Download the archive // Download the archive
let archiveData = await retryHelper.execute(async () => { let archiveData = await retryHelper.execute(async () => {
core.info('Downloading the archive') core.info('Downloading the archive')
return await downloadArchive(accessToken, owner, repo, ref, commit) return await downloadArchive(authToken, owner, repo, ref, commit)
}) })
// Write archive to disk // Write archive to disk
@ -68,13 +68,13 @@ export async function downloadRepository(
} }
async function downloadArchive( async function downloadArchive(
accessToken: string, authToken: string,
owner: string, owner: string,
repo: string, repo: string,
ref: string, ref: string,
commit: string commit: string
): Promise<Buffer> { ): Promise<Buffer> {
const octokit = new github.GitHub(accessToken) const octokit = new github.GitHub(authToken)
const params: ReposGetArchiveLinkParams = { const params: ReposGetArchiveLinkParams = {
owner: owner, owner: owner,
repo: repo, repo: repo,

@ -97,8 +97,12 @@ export function getInputs(): ISourceSettings {
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE' result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
core.debug(`lfs = ${result.lfs}`) core.debug(`lfs = ${result.lfs}`)
// Access token // Auth token
result.accessToken = core.getInput('token') result.authToken = core.getInput('token')
// Persist credentials
result.persistCredentials =
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
return result return result
} }