42 changes: 25 additions & 17 deletions workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh
Expand Up @@ -109,6 +109,22 @@
ERROR_MESSAGE=""
}

# Authenticated git wrappers.
# Use url.<auth>.insteadOf to inject the token at the transport layer only.
# The -c flag is transient (applies only to that git invocation), so the
# token never appears in remote URLs, git config, or generated files like
# Policyfile.lock.json. This works across GitHub, GitLab, and Bitbucket
# because git natively handles the https://token@host URL format.
git_source_repo() {

Check warning on line 118 in workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=redhat-developer_rhdh-plugins&issues=AZ14BiE3kpOC1dcb1joP&open=AZ14BiE3kpOC1dcb1joP&pullRequest=2745
local auth_url="https://${SOURCE_REPO_TOKEN}@${SOURCE_REPO_URL#https://}"
git -c "url.${auth_url}.insteadOf=${SOURCE_REPO_URL}" "$@"
}

git_target_repo() {

Check warning on line 123 in workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=redhat-developer_rhdh-plugins&issues=AZ14BiE3kpOC1dcb1joQ&open=AZ14BiE3kpOC1dcb1joQ&pullRequest=2745
local auth_url="https://${TARGET_REPO_TOKEN}@${TARGET_REPO_URL#https://}"
git -c "url.${auth_url}.insteadOf=${TARGET_REPO_URL}" "$@"
}
Comment on lines +118 to +126
Action required

1. Insteadof key malformed 🐞 Bug ≡ Correctness

git_source_repo/git_target_repo build -c url.${auth_url}.insteadOf=... without quoting the URL
subsection, so dots in hosts like github.com are parsed as config key separators and the rewrite
may not apply. This can cause clone/pull/push to run without credentials and fail for private repos.
Agent Prompt
### Issue description
The git config key `url.${auth_url}.insteadOf=...` is constructed without quoting the URL subsection, which breaks parsing for typical hosts containing dots (e.g., `github.com`). As a result, `insteadOf` rewriting may not occur and authenticated operations can fail.

### Issue Context
This affects both `git_source_repo` and `git_target_repo` wrappers.

### Fix Focus Areas
- workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh[118-126]

### Suggested change
Update the `-c` key to quote the subsection (URL), e.g.:
- `git -c "url.\"${auth_url}\".insteadOf=${SOURCE_REPO_URL}" ...`
- `git -c "url.\"${auth_url}\".insteadOf=${TARGET_REPO_URL}" ...`
(Ensure escaping is correct in bash so the quotes reach git.)


# Cleanup trap: fires on every exit (success or failure).
# Guarantees exactly one report_result call regardless of how the script ends.
cleanup() {
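Review bot: In git_source_repo and git_target_repo the token is embedded in the `-c url.${auth_url}.insteadOf=...` argument, so it is readable in the process argument list (ps, /proc/<pid>/cmdline) for the duration of every wrapped git call, and the header comment should say so next to its list of places the token does not appear. Consider passing the rewrite through the environment instead (GIT_CONFIG_COUNT with GIT_CONFIG_KEY_0 and GIT_CONFIG_VALUE_0, available in git 2.31 or later and set only for the wrapped call) or through a credential helper that reads the token variable. On the quoting concern raised above: git takes everything between the first and the last dot of a -c key as the subsection, so the unquoted form parses as intended, and literal quotes that reach git would become part of the URL prefix; verify with a test clone before changing it. Separately, `${SOURCE_REPO_URL#https://}` only strips an https:// prefix, so a URL with any other scheme produces a malformed auth_url; a guard that rejects non-https URLs would make that explicit.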
Expand All @@ -132,9 +148,9 @@

Co-Authored-By: ${GIT_AUTHOR_NAME} <${GIT_AUTHOR_EMAIL}>
" || true
git pull --rebase origin "${TARGET_REPO_BRANCH}" 2>/dev/null || true
git_target_repo pull --rebase origin "${TARGET_REPO_BRANCH}" 2>/dev/null || true
COMMIT_ID=$(git rev-parse HEAD 2>/dev/null || echo "")
if ! git push origin "${TARGET_REPO_BRANCH}"; then
if ! git_target_repo push origin "${TARGET_REPO_BRANCH}"; then
PUSH_FAILED="Failed to push to ${TARGET_REPO_URL} branch ${TARGET_REPO_BRANCH}"
echo "ERROR: ${PUSH_FAILED}"
fi
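Review bot: The `git_target_repo pull --rebase ... 2>/dev/null || true` line discards both the exit status and stderr, so an authentication failure in the new wrapper is invisible here and only surfaces as the generic push error that follows. Keep the `|| true` if a failed rebase is acceptable, but log a warning when the pull returns non-zero so that credential problems can be told apart from push rejections.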
Expand All @@ -154,25 +170,17 @@
git_clone_repos() {
echo "=== Cloning source repository ==="
ERROR_MESSAGE="Failed to clone source repository from ${SOURCE_REPO_URL}"
git clone --depth=1 --single-branch --branch="${SOURCE_REPO_BRANCH}" \
"https://${SOURCE_REPO_TOKEN}@${SOURCE_REPO_URL#https://}" \
/workspace/source

# Strip the token from the git remote URL so that tools like Chef's
# CookbookProfiler::Git (which reads `git config --get remote.origin.url`)
# never see the credential. This prevents tokens from leaking into
# generated files such as Policyfile.lock.json.
git -C /workspace/source remote set-url origin "${SOURCE_REPO_URL}"
git_source_repo clone --depth=1 --single-branch \
--branch="${SOURCE_REPO_BRANCH}" "${SOURCE_REPO_URL}" /workspace/source

echo "=== Cloning target repository ==="
local target_auth_url="https://${TARGET_REPO_TOKEN}@${TARGET_REPO_URL#https://}"

ERROR_MESSAGE="Failed to clone target repository from ${TARGET_REPO_URL}"
if git clone --depth=1 --single-branch --branch="${TARGET_REPO_BRANCH}" \
"${target_auth_url}" /workspace/target 2>/dev/null; then
if git_target_repo clone --depth=1 --single-branch \
--branch="${TARGET_REPO_BRANCH}" "${TARGET_REPO_URL}" /workspace/target 2>/dev/null; then
# Repo and branch exist — cloned successfully
:
elif git clone --depth=1 "${target_auth_url}" /workspace/target 2>/dev/null; then
elif git_target_repo clone --depth=1 \
"${TARGET_REPO_URL}" /workspace/target 2>/dev/null; then
# Repo exists but branch doesn't — create target branch locally
echo "Branch '${TARGET_REPO_BRANCH}' not found on remote, creating it"
cd /workspace/target
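Review bot: In git_clone_repos both target clone attempts send stderr to /dev/null and any failure falls through to the next branch, so a rejected token is handled the same way as a missing branch or a missing repository and ends in the local `git init` path. Authentication now depends on the insteadOf rewrite matching `${TARGET_REPO_URL}` exactly, so distinguish the cases, for example by running `git_target_repo ls-remote --exit-code --heads "${TARGET_REPO_URL}" "${TARGET_REPO_BRANCH}"` first and checking its exit status, or by capturing stderr and including it in ERROR_MESSAGE.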
Expand All @@ -184,7 +192,7 @@
cd /workspace/target
git init
git checkout -b "${TARGET_REPO_BRANCH}"
git remote add origin "${target_auth_url}"
git remote add origin "${TARGET_REPO_URL}"
fi

ERROR_MESSAGE=""
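Review bot: With `git remote add origin "${TARGET_REPO_URL}"` the stored remote no longer carries a credential, so every later network operation on /workspace/target has to go through git_target_repo; a bare `git push` or `git fetch` elsewhere in the script, outside the lines shown here, would now run unauthenticated. Please confirm no such call remains, and check the same for /workspace/source and git_source_repo.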