actions
/
checkout
mirror of https://github.com/actions/checkout
1
0
Fork 0
Code

Pin GIT_CONFIG_GLOBAL to the temp config during global auth setup 

configureTempGlobalConfig isolates global git config by overriding HOME to
a temporary directory. But GIT_CONFIG_GLOBAL takes precedence over HOME when
git locates the global config file, so when a workflow already has
GIT_CONFIG_GLOBAL set in the environment, 'git config --global' writes land
in that file instead of the temporary config. replaceTokenPlaceholder then
reads the temporary config, cannot find the placeholder, and fails with
'Unable to replace auth placeholder'.

Set GIT_CONFIG_GLOBAL to the temporary config alongside the HOME override so
global config operations always target the temp file regardless of any
inherited value, and unset it again in removeGlobalConfig.

Assisted-By: Claude Opus 4.8
This commit is contained in:
Nathan Moin Vaziri 2026-06-05 11:08:14 -07:00
parent df4cb1c069
commit e1d91899ae
No known key found for this signature in database
3 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
__test__/git-auth-helper.test.ts
View File

@ -902,6 +902,25 @@ describe('git-auth-helper tests', () => {
} }
}) })
const configureGlobalAuth_overridesGitConfigGlobal =
'configureGlobalAuth overrides GIT_CONFIG_GLOBAL'
it(configureGlobalAuth_overridesGitConfigGlobal, async () => {
// Arrange
await setup(configureGlobalAuth_overridesGitConfigGlobal)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
// Act
await authHelper.configureAuth()
await authHelper.configureGlobalAuth()
// Assert GIT_CONFIG_GLOBAL is pinned to the temporary global config, so an
// inherited GIT_CONFIG_GLOBAL cannot redirect --global writes
expect(git.env['HOME']).toBeTruthy()
expect(git.env['GIT_CONFIG_GLOBAL']).toBe(
path.join(git.env['HOME'], '.gitconfig')
)
})
const removeGlobalConfig_removesOverride = const removeGlobalConfig_removesOverride =
'removeGlobalConfig removes override' 'removeGlobalConfig removes override'
it(removeGlobalConfig_removesOverride, async () => { it(removeGlobalConfig_removesOverride, async () => {
@ -912,6 +931,7 @@ describe('git-auth-helper tests', () => {
await authHelper.configureGlobalAuth() await authHelper.configureGlobalAuth()
const homeOverride = git.env['HOME'] // Sanity check const homeOverride = git.env['HOME'] // Sanity check
expect(homeOverride).toBeTruthy() expect(homeOverride).toBeTruthy()
expect(git.env['GIT_CONFIG_GLOBAL']).toBeTruthy()
await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig')) await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
// Act // Act
@ -919,6 +939,7 @@ describe('git-auth-helper tests', () => {
// Assert // Assert
expect(git.env['HOME']).toBeUndefined() expect(git.env['HOME']).toBeUndefined()
expect(git.env['GIT_CONFIG_GLOBAL']).toBeUndefined()
try { try {
await fs.promises.stat(homeOverride) await fs.promises.stat(homeOverride)
throw new Error(`Should have been deleted '${homeOverride}'`) throw new Error(`Should have been deleted '${homeOverride}'`)

7
dist/index.js vendored
View File

@ -224,6 +224,10 @@ class GitAuthHelper {
// Override HOME // Override HOME
core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`); core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`);
this.git.setEnvironmentVariable('HOME', this.temporaryHomePath); this.git.setEnvironmentVariable('HOME', this.temporaryHomePath);
// GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global
// config file. Pin it to the temporary config so an inherited
// GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere.
this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath);
return newGitConfigPath; return newGitConfigPath;
}); });
} }
@ -307,8 +311,9 @@ class GitAuthHelper {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
var _a; var _a;
if (((_a = this.temporaryHomePath) === null || _a === void 0 ? void 0 : _a.length) > 0) { if (((_a = this.temporaryHomePath) === null || _a === void 0 ? void 0 : _a.length) > 0) {
core.debug(`Unsetting HOME override`); core.debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`);
this.git.removeEnvironmentVariable('HOME'); this.git.removeEnvironmentVariable('HOME');
this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL');
yield io.rmRF(this.temporaryHomePath); yield io.rmRF(this.temporaryHomePath);
} }
}); });

8
src/git-auth-helper.ts
View File

@ -122,6 +122,11 @@ class GitAuthHelper {
) )
this.git.setEnvironmentVariable('HOME', this.temporaryHomePath) this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
// GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global
// config file. Pin it to the temporary config so an inherited
// GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere.
this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath)
return newGitConfigPath return newGitConfigPath
} }
@ -237,8 +242,9 @@ class GitAuthHelper {
async removeGlobalConfig(): Promise<void> { async removeGlobalConfig(): Promise<void> {
if (this.temporaryHomePath?.length > 0) { if (this.temporaryHomePath?.length > 0) {
core.debug(`Unsetting HOME override`) core.debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`)
this.git.removeEnvironmentVariable('HOME') this.git.removeEnvironmentVariable('HOME')
this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL')
await io.rmRF(this.temporaryHomePath) await io.rmRF(this.temporaryHomePath)
} }
} }