From 5b572a2c2aee22bb868e3e78a0c03016ca4baec6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?=
Date: Tue, 14 May 2024 10:24:02 +0200
Subject: [PATCH 1/3] make GITHUB_TOKEN in lfs_probe a fallback rather than an override
---
 misc/bazel/internal/git_lfs_probe.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/misc/bazel/internal/git_lfs_probe.py b/misc/bazel/internal/git_lfs_probe.py
index 018725c82da8..3eccb33c3f8b 100755
--- a/misc/bazel/internal/git_lfs_probe.py
+++ b/misc/bazel/internal/git_lfs_probe.py
@@ -68,16 +68,17 @@ def get_endpoint():
 # see https://github.com/actions/checkout/blob/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b/src/git-auth-helper.ts#L56-L63
 auth = git("config", f"http.{url.scheme}://{url.netloc}/.extraheader")
 endpoint.update_headers(get_env(auth, sep=": "))
- if "GITHUB_TOKEN" in os.environ:
- endpoint.headers["Authorization"] = f"token {os.environ['GITHUB_TOKEN']}"
 if "Authorization" not in endpoint.headers:
- # last chance: use git credentials (possibly backed by a credential helper like the one installed by gh)
- # see https://git-scm.com/docs/git-credential
- credentials = get_env(git("credential", "fill", check=True,
- # drop leading / from url.path
- input=f"protocol={url.scheme}\nhost={url.netloc}\npath={url.path[1:]}\n"))
- auth = base64.b64encode(f'{credentials["username"]}:{credentials["password"]}'.encode()).decode('ascii')
- endpoint.headers["Authorization"] = f"Basic {auth}"
+ if "GITHUB_TOKEN" in os.environ:
+ endpoint.headers["Authorization"] = f"token {os.environ['GITHUB_TOKEN']}"
+ else:
+ # last chance: use git credentials (possibly backed by a credential helper like the one installed by gh)
+ # see https://git-scm.com/docs/git-credential
+ credentials = get_env(git("credential", "fill", check=True,
+ # drop leading / from url.path
+ input=f"protocol={url.scheme}\nhost={url.netloc}\npath={url.path[1:]}\n"))
+ auth = base64.b64encode(f'{credentials["username"]}:{credentials["password"]}'.encode()).decode('ascii')
+ endpoint.headers["Authorization"] = f"Basic {auth}"
 return endpoint
From faa2dcee240c3bb75e2cae3f89a8d5dd94470ecd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?=
Date: Tue, 14 May 2024 11:18:18 +0200
Subject: [PATCH 2/3] test GITHUB_TOKEN non-emptyness before using it in auth headers
---
 misc/bazel/internal/git_lfs_probe.py | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
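Review bot: The added `endpoint.headers["Authorization"] = f"token {os.environ['GITHUB_TOKEN']}"` branch attaches the token for whatever host `url.netloc` names, and nothing visible in the hunk ties it to a GitHub host or to `https`. If the LFS endpoint can resolve to another server (a non-GitHub remote or an overridden LFS URL), the token would be disclosed to that server, so the branch should also check the destination, e.g. `if "GITHUB_TOKEN" in os.environ and url.scheme == "https" and url.netloc in TRUSTED_TOKEN_HOSTS:`, where `TRUSTED_TOKEN_HOSTS` is a placeholder for the allowlist this repository needs. get_endpoint begins above the hunk, so such a check may already exist there. The same assignment is carried through patches 2/3 and 3/3, where the token overrides the configured header instead of falling back.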
diff --git a/misc/bazel/internal/git_lfs_probe.py b/misc/bazel/internal/git_lfs_probe.py
index 3eccb33c3f8b..a3b2890b732f 100755
--- a/misc/bazel/internal/git_lfs_probe.py
+++ b/misc/bazel/internal/git_lfs_probe.py
@@ -68,17 +68,16 @@ def get_endpoint():
 # see https://github.com/actions/checkout/blob/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b/src/git-auth-helper.ts#L56-L63
 auth = git("config", f"http.{url.scheme}://{url.netloc}/.extraheader")
 endpoint.update_headers(get_env(auth, sep=": "))
+ if "GITHUB_TOKEN" in os.environ and os.environ.get("GITHUB_TOKEN") != "":
+ endpoint.headers["Authorization"] = f"token {os.environ['GITHUB_TOKEN']}"
 if "Authorization" not in endpoint.headers:
- if "GITHUB_TOKEN" in os.environ:
- endpoint.headers["Authorization"] = f"token {os.environ['GITHUB_TOKEN']}"
- else:
- # last chance: use git credentials (possibly backed by a credential helper like the one installed by gh)
- # see https://git-scm.com/docs/git-credential
- credentials = get_env(git("credential", "fill", check=True,
- # drop leading / from url.path
- input=f"protocol={url.scheme}\nhost={url.netloc}\npath={url.path[1:]}\n"))
- auth = base64.b64encode(f'{credentials["username"]}:{credentials["password"]}'.encode()).decode('ascii')
- endpoint.headers["Authorization"] = f"Basic {auth}"
+ # last chance: use git credentials (possibly backed by a credential helper like the one installed by gh)
+ # see https://git-scm.com/docs/git-credential
+ credentials = get_env(git("credential", "fill", check=True,
+ # drop leading / from url.path
+ input=f"protocol={url.scheme}\nhost={url.netloc}\npath={url.path[1:]}\n"))
+ auth = base64.b64encode(f'{credentials["username"]}:{credentials["password"]}'.encode()).decode('ascii')
+ endpoint.headers["Authorization"] = f"Basic {auth}"
 return endpoint
From 9105faa3fdca1f1a01f6449779a70d75ce64f3b6 Mon Sep 17 00:00:00 2001
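Review bot: Moving the `GITHUB_TOKEN` check back above `if "Authorization" not in endpoint.headers:` makes the token an override of the header read from `.extraheader` again, which reverses patch 1/3 although the subject only mentions the non-emptiness test. The code carries no comment saying which precedence is intended, so a later reader cannot tell a deliberate override from an accident; a comment above the new `if`, such as `# a non-empty GITHUB_TOKEN deliberately replaces any Authorization taken from http.<url>.extraheader`, together with the reason, would settle it. The extraheader value is scoped to one URL by the git config key, while the environment token is not, so the override widens where that credential is sent. get_endpoint starts above the hunk.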
From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?=
Date: Tue, 14 May 2024 11:22:07 +0200
Subject: [PATCH 3/3] make sure GITHUB_TOKEN exists and is not empty before using it in auth headers
---
 misc/bazel/internal/git_lfs_probe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misc/bazel/internal/git_lfs_probe.py b/misc/bazel/internal/git_lfs_probe.py
index a3b2890b732f..d22747e8547e 100755
--- a/misc/bazel/internal/git_lfs_probe.py
+++ b/misc/bazel/internal/git_lfs_probe.py
@@ -68,7 +68,7 @@ def get_endpoint():
 # see https://github.com/actions/checkout/blob/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b/src/git-auth-helper.ts#L56-L63
 auth = git("config", f"http.{url.scheme}://{url.netloc}/.extraheader")
 endpoint.update_headers(get_env(auth, sep=": "))
- if "GITHUB_TOKEN" in os.environ and os.environ.get("GITHUB_TOKEN") != "":
+ if os.environ.get("GITHUB_TOKEN"):
 endpoint.headers["Authorization"] = f"token {os.environ['GITHUB_TOKEN']}"
 if "Authorization" not in endpoint.headers:
 # last chance: use git credentials (possibly backed by a credential helper like the one installed by gh)
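Review bot: `os.environ.get("GITHUB_TOKEN")` is still truthy for a whitespace-only value or one with a stray trailing newline, and the next line then reads the variable a second time and places it in the header unmodified. Binding it once keeps the test and the use in step and lets the value be normalised: `token = os.environ.get("GITHUB_TOKEN", "").strip()`, then `if token:` and `endpoint.headers["Authorization"] = f"token {token}"`. How the header is consumed lies outside the hunk, so whether a malformed value is rejected downstream is not visible here. get_endpoint's body begins before and continues after the hunk.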