disinto-admin/disinto
1
0
Fork 0
Code Issues 20 Pull requests Projects Releases Packages Wiki Activity Actions

fix: fix: stop baking credentials into git remote URLs — use clean URLs + existing credential helper everywhere (#604)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline was successful
Details

Browse source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude 2026-04-10 17:04:10 +00:00
parent d076528193
commit 5c4ea7373a
10 changed files with 336 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

46
docker/agents/entrypoint.sh
View file

@ -42,42 +42,20 @@ init_state_dir() {
log "Initialized state directory"
}
# Configure git credential helper for password-based HTTP auth.
# Forgejo 11.x rejects API tokens for git push (#361); password auth works.
# This ensures all git operations (clone, fetch, push) from worktrees use
# password auth without needing tokens embedded in remote URLs.
configure_git_creds() {
# Source shared git credential helper library (#604).
# shellcheck source=lib/git-creds.sh
source "${DISINTO_BAKED}/lib/git-creds.sh"
# Wrapper that calls the shared configure_git_creds with agent-specific paths,
# then repairs any legacy baked-credential URLs in existing clones.
_setup_git_creds() {
configure_git_creds "/home/agent" "gosu agent"
if [ -n "${FORGE_PASS:-}" ] && [ -n "${FORGE_URL:-}" ]; then
_forge_host=$(printf '%s' "$FORGE_URL" | sed 's|https\?://||; s|/.*||')
_forge_proto=$(printf '%s' "$FORGE_URL" | sed 's|://.*||')
# Determine the bot username from FORGE_TOKEN identity (or default to dev-bot)
_bot_user=$(curl -sf -H "Authorization: token ${FORGE_TOKEN}" \
"${FORGE_URL}/api/v1/user" 2>/dev/null | jq -r '.login // empty') || _bot_user=""
_bot_user="${_bot_user:-dev-bot}"
# Write a static credential helper script (git credential protocol)
cat > /home/agent/.git-credentials-helper <<CREDEOF
#!/bin/sh
# Auto-generated git credential helper for Forgejo password auth (#361)
# Only respond to "get" action; ignore "store" and "erase".
[ "\$1" = "get" ] || exit 0
# Read and discard stdin (git sends protocol/host info)
cat >/dev/null
echo "protocol=${_forge_proto}"
echo "host=${_forge_host}"
echo "username=${_bot_user}"
echo "password=${FORGE_PASS}"
CREDEOF
chmod 755 /home/agent/.git-credentials-helper
chown agent:agent /home/agent/.git-credentials-helper
gosu agent bash -c "git config --global credential.helper '/home/agent/.git-credentials-helper'"
log "Git credential helper configured for ${_bot_user}@${_forge_host} (password auth)"
log "Git credential helper configured (password auth)"
fi
# Set safe.directory to work around dubious ownership after container restart
# (https://github.com/disinto-admin/disinto/issues/517)
gosu agent bash -c "git config --global --add safe.directory '*'"
# Repair legacy clones with baked-in stale credentials (#604).
_GIT_CREDS_LOG_FN=log repair_baked_cred_urls /home/agent/repos
}
# Configure tea CLI login for forge operations (runs as agent user).
@ -272,7 +250,7 @@ pull_factory_repo() {
}
# Configure git and tea once at startup (as root, then drop to agent)
configure_git_creds
_setup_git_creds
configure_tea_login
# Bootstrap ops repos from forgejo into container volumes (#586)