mirror of
https://github.com/actions/checkout
synced 2024-12-22 21:22:40 +00:00
do not pass cred on command line (#108)
This commit is contained in:
parent
c170eefc26
commit
a6747255bd
2 changed files with 43 additions and 10 deletions
23
dist/index.js
vendored
23
dist/index.js
vendored
|
@ -5271,11 +5271,24 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
|
||||||
}
|
}
|
||||||
function configureAuthToken(git, authToken) {
|
function configureAuthToken(git, authToken) {
|
||||||
return __awaiter(this, void 0, void 0, function* () {
|
return __awaiter(this, void 0, void 0, function* () {
|
||||||
// Add extraheader (auth)
|
// Configure a placeholder value. This approach avoids the credential being captured
|
||||||
const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
|
// by process creation audit events, which are commonly logged. For more information,
|
||||||
core.setSecret(base64Credentials);
|
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
|
||||||
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
|
const placeholder = `AUTHORIZATION: basic ***`;
|
||||||
yield git.config(authConfigKey, authConfigValue);
|
yield git.config(authConfigKey, placeholder);
|
||||||
|
// Determine the basic credential value
|
||||||
|
const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
|
||||||
|
core.setSecret(basicCredential);
|
||||||
|
// Replace the value in the config file
|
||||||
|
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
|
||||||
|
let content = (yield fs.promises.readFile(configPath)).toString();
|
||||||
|
const placeholderIndex = content.indexOf(placeholder);
|
||||||
|
if (placeholderIndex < 0 ||
|
||||||
|
placeholderIndex != content.lastIndexOf(placeholder)) {
|
||||||
|
throw new Error('Unable to replace auth placeholder in .git/config');
|
||||||
|
}
|
||||||
|
content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`);
|
||||||
|
yield fs.promises.writeFile(configPath, content);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
function removeGitConfig(git, configKey) {
|
function removeGitConfig(git, configKey) {
|
||||||
|
|
|
@ -259,14 +259,34 @@ async function configureAuthToken(
|
||||||
git: IGitCommandManager,
|
git: IGitCommandManager,
|
||||||
authToken: string
|
authToken: string
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
// Add extraheader (auth)
|
// Configure a placeholder value. This approach avoids the credential being captured
|
||||||
const base64Credentials = Buffer.from(
|
// by process creation audit events, which are commonly logged. For more information,
|
||||||
|
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
|
||||||
|
const placeholder = `AUTHORIZATION: basic ***`
|
||||||
|
await git.config(authConfigKey, placeholder)
|
||||||
|
|
||||||
|
// Determine the basic credential value
|
||||||
|
const basicCredential = Buffer.from(
|
||||||
`x-access-token:${authToken}`,
|
`x-access-token:${authToken}`,
|
||||||
'utf8'
|
'utf8'
|
||||||
).toString('base64')
|
).toString('base64')
|
||||||
core.setSecret(base64Credentials)
|
core.setSecret(basicCredential)
|
||||||
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
|
|
||||||
await git.config(authConfigKey, authConfigValue)
|
// Replace the value in the config file
|
||||||
|
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
|
||||||
|
let content = (await fs.promises.readFile(configPath)).toString()
|
||||||
|
const placeholderIndex = content.indexOf(placeholder)
|
||||||
|
if (
|
||||||
|
placeholderIndex < 0 ||
|
||||||
|
placeholderIndex != content.lastIndexOf(placeholder)
|
||||||
|
) {
|
||||||
|
throw new Error('Unable to replace auth placeholder in .git/config')
|
||||||
|
}
|
||||||
|
content = content.replace(
|
||||||
|
placeholder,
|
||||||
|
`AUTHORIZATION: basic ${basicCredential}`
|
||||||
|
)
|
||||||
|
await fs.promises.writeFile(configPath, content)
|
||||||
}
|
}
|
||||||
|
|
||||||
async function removeGitConfig(
|
async function removeGitConfig(
|
||||||
|
|
Loading…
Reference in a new issue