Credentials are not properly configured and/or propogated

[shivarammysore]

I have an Organization setting for my repos. I am building go binary for one with another private module in a different repo. The token supplied has organization setting.

With the below action the repo itself is not found. Am I missing any settings?

    - uses: fusion-engineering/setup-git-credentials@v2
      with:
        credentials: ${{ secrets.SNMIX_REPO_ACCESS_TOKEN }}
    - run: cat ~/.gitconfig

Output when running the action:

Run fusion-engineering/setup-git-credentials@v2
  with:
    credentials: ***
  env:
    GOROOT: /opt/hostedtoolcache/go/1.15.5/x64
git config --global credential.helper store
git config --global url.https://github.com/.insteadOf ssh://[email protected]/
git config --global --add url.https://github.com/.insteadOf [email protected]:

Run cat ~/.gitconfig
[credential]
	helper = store
[url "https://github.com/"]
	insteadOf = ssh://[email protected]/
	insteadOf = [email protected]:

[de-vri-es]

I'm guessing that your secret is just the github token. It should instead be git credentials in the format specified by man 7 git-credential-store (under STORAGE FORMAT).

You can change the credentials settings to this (you'll have to fill-in the $username bit):

    - uses: fusion-engineering/setup-git-credentials@v2
      with:
        credentials: https://$username:${{ secrets.SNMIX_REPO_ACCESS_TOKEN }}@github.com/
    - run: cat ~/.gitconfig

Alternatively, you can put that directly in a secret, which also allows you to add credentials for different URLs.

Does this solve your issue? :)

[shivarammysore]

Thanks for the response. I did not understand your "alternate" suggestion. Can you give an example?

I tried your suggestion: ($username replaced with correct one)

    - uses: fusion-engineering/setup-git-credentials@v2
      with:
        credentials: https://$username:${{ secrets.SNMIX_REPO_ACCESS_TOKEN }}@github.com/
    - run: cat ~/.gitconfig

output:

Run fusion-engineering/setup-git-credentials@v2
  with:
    credentials: ***github.com/
  env:
    GOROOT: /opt/hostedtoolcache/go/1.15.5/x64
git config --global credential.helper store
git config --global url.https://github.com/.insteadOf ssh://[email protected]/
git config --global --add url.https://github.com/.insteadOf [email protected]:

Run cat ~/.gitconfig
[credential]
	helper = store
[url "https://github.com/"]
	insteadOf = ssh://[email protected]/
	insteadOf = [email protected]:

....
Setting up auth
  /usr/bin/git config --local --name-only --get-regexp core\.sshCommand
  /usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
  /usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
  /usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
  /usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
Determining the default branch
  Retrieving the default branch name
  Not Found

[de-vri-es]

Setting up auth
  /usr/bin/git config --local --name-only --get-regexp core\.sshCommand
  /usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
  /usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
  /usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
  /usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***

Where does this come from? It doesn't look like anything that git-setup-credentials does. It may conflict with git-setup-credentials.

[shivarammysore]

Hello,

I have myorg/repo-a in which this github action runs. Both repo-a and repo-b are Go lang programs. The corresponding workflow yaml is as below:

    - uses: fusion-engineering/setup-git-credentials@v2
      with:
        credentials: https://$username:${{ secrets.MY_PAT }}@github.com/
    - run: cat ~/.gitconfig

    - name: Check out code into the Go module directory
      uses: actions/checkout@v2
      env:
          GOPRIVATE: "github.com/myorg/*"
      with:
        fetch-depth: 1
        path: src/github.com/myorg/repo-a
        submodules: true

    - name: Checkout myorg/repo-b
      uses: actions/checkout@v2
      with:
        repository: switchnomix/repo-b
        path: src/github.com/myorg/repo-b

The first checkout of repo-a works. The second checkout of repo-b fails. The details of the failure were posted previously.
Does this help?

[nWacky]

I might've had a similar problem

I tried cloning a local repository. In CI repository was not found, but locally everything worked.

By default Github Actions (and Azure CI) adds an extra header to clone the repository

Git config file examples from ci workflows after running
actions/checkout and de-vri-es/setup-git-credentials:

# Run cat .git/config
> cat .git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://github.com/octocat/Hello-World
	fetch = +refs/heads/*:refs/remotes/origin/*
[gc]
	auto = 0
[http "https://github.com/"]
	extraheader = AUTHORIZATION: basic ***
[branch "main"]
	remote = origin
	merge = refs/heads/main

# Run cat ~/.gitconfig
> cat ~/.gitconfig
[credential]
	helper = store
[url "https://github.com/"]
	insteadOf = ssh://[email protected]/
	insteadOf = [email protected]:

Running git config --local --unset http.https://github.com/.extraheader to remove the extra header fixed the issue for me

CI workflow example:

steps:
  - name: Checkout
    uses: actions/checkout@v4

  - name: remove default credentials
    run: git config --local --unset  http.https://github.com/.extraheader

  - uses: de-vri-es/setup-git-credentials@v2
    with:
      credentials: ${{secrets.GIT_CREDENTIALS}}

[de-vri-es]

Hmm, that seems odd. The extraheader is configured in .git/config, not the global git configuration. Why would it be used? :o

What command/tool is cloning the extra repositories?

[nWacky]

I was trying to install a node module from a private git repository.

The ci looked like this

jobs:
  checks:
    name: Checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - uses: de-vri-es/setup-git-credentials@v2
        with:
          credentials: ${{secrets.GIT_CREDENTIALS}}
      
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install dependencies
        run: npm ci --no-audit

I think actions/checkout@v4 set the extraheader to clone the local repository

Then npm ci tried to check that a private repository on github exists with

git --no-replace-objects ls-remote ssh://[email protected]/octocat/private.git

I think git used both extraheader from local config and global credentials, and that didn't work

[de-vri-es]

Ah.. yeah.. It's kinda the fault of the checkout action. The token it configures is only valid for that one specific repository, but they configure it for all github repositories.

They should really set it only for https://github.com/$owner/$repo.

But I'm also hesitant to add a work-around for it here. At best, it would only work if you run this action after the checkout action.

But we could add your workaround to the README.

[nWacky]

Perhaps, adding the workaround to the README is the best option.

Then people will be aware that the checkout action adds additional git credentials,
and they will be able to add a step to clear those if needed