From 2f2a141b9c7e13d1bd9d478a8cbecf96f8869d45 Mon Sep 17 00:00:00 2001 From: Christophe Bedard Date: Sun, 20 Oct 2024 02:55:59 -0700 Subject: [PATCH] Use GITHUB_SERVER_URL for authentication configuration (#926) Signed-off-by: Christophe Bedard --- README.md | 5 ++++- action.yml | 1 + dist/index.js | 22 ++++++++++++---------- src/action-ros-ci.ts | 25 +++++++++++++++---------- 4 files changed, 32 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 5f02b57c..7d9a24fd 100644 --- a/README.md +++ b/README.md @@ -399,13 +399,16 @@ steps: - uses: ros-tooling/action-ros-ci@v0.3 with: package-name: my_package - # If there are no private dependencies, no need to create a PAT or add a secret + # If there are no private dependencies, use the default token, no need to create a PAT or add a secret import-token: ${{ secrets.GITHUB_TOKEN }} # If there are private dependencies (e.g., in a file provided through vcs-repo-file-url), a PAT is required import-token: ${{ secrets.REPO_TOKEN }} # ... ``` +Note that this currently only works for tokens for the GitHub server this action runs on. +For example, it will not work with a token for a private repo on github.com when the action is running on an enterprise GitHub server. + ### Skip `rosdep install` Include an option to bypass `rosdep install` for workflow that uses specific docker image and better control of dependencies. To check for missing dependencies within the workflow's image, user can run with `rosdep-check: true` flag. diff --git a/action.yml b/action.yml index 83f016b2..9e3631cb 100644 --- a/action.yml +++ b/action.yml @@ -39,6 +39,7 @@ inputs: GitHub personal access token (PAT) to use to import the repository. Useful if the repo is private. The PAT should have the "repo" scope. + This currently only works for tokens for the GitHub server this action runs on. required: false package-name: description: | diff --git a/dist/index.js b/dist/index.js index 7ba2e054..02dee7b3 100644 --- a/dist/index.js +++ b/dist/index.js @@ -31084,32 +31084,35 @@ function run_throw() { if (isLinux) { options.env = Object.assign(Object.assign({}, options.env), { DEBIAN_FRONTEND: "noninteractive" }); } + const githubServerUrl = process.env.GITHUB_SERVER_URL; + const gihubServerDomain = githubServerUrl.replace("https://", ""); if (importToken !== "") { // Unset all local extraheader config entries possibly set by actions/checkout, // because local settings take precedence and the default token used by // actions/checkout might not have the right permissions for any/all repos yield execShellCommand([ - `/usr/bin/git config --local --unset-all http.https://github.com/.extraheader || true`, + `/usr/bin/git config --local --unset-all http.https://${gihubServerDomain}/.extraheader || true`, ], options); + const gihubServerDomainRegex = gihubServerDomain.replace(".", String.raw `\.`); yield execShellCommand([ - String.raw `/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader'` + - ` && git config --local --unset-all 'http.https://github.com/.extraheader' || true`, + String.raw `/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/${gihubServerDomainRegex}\/\.extraheader'` + + ` && git config --local --unset-all 'http.https://${gihubServerDomain}/.extraheader' || true`, ], options); // Use a global insteadof entry because local configs aren't observed by git clone yield execShellCommand([ - `/usr/bin/git config --global url.https://x-access-token:${importToken}@github.com.insteadof 'https://github.com'`, + `/usr/bin/git config --global url.https://x-access-token:${importToken}@${gihubServerDomain}.insteadof 'https://${gihubServerDomain}'`, ], options); // same as last three comands but for ssh urls yield execShellCommand([ - `/usr/bin/git config --local --unset-all git@github.com:.extraheader || true`, + `/usr/bin/git config --local --unset-all git@${gihubServerDomain}:.extraheader || true`, ], options); yield execShellCommand([ - String.raw `/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'git@github\.com:.extraheader'` + - ` && git config --local --unset-all 'git@github.com:.extraheader' || true`, + String.raw `/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'git@${gihubServerDomainRegex}:.extraheader'` + + ` && git config --local --unset-all 'git@${gihubServerDomain}:.extraheader' || true`, ], options); // Use a global insteadof entry because local configs aren't observed by git clone (ssh) yield execShellCommand([ - `/usr/bin/git config --global url.https://x-access-token:${importToken}@github.com/.insteadof 'git@github.com:'`, + `/usr/bin/git config --global url.https://x-access-token:${importToken}@${gihubServerDomain}/.insteadof 'git@${gihubServerDomain}:'`, ], options); if (core.isDebug()) { yield execShellCommand([`/usr/bin/git config --list --show-origin || true`], options); @@ -31159,7 +31162,6 @@ done`; // if ref is set this overrides anything calculated above commitRef = core.getInput("ref") || commitRef; const repoFilePath = path.join(rosWorkspaceDir, "package.repo"); - const githubServerUrl = process.env.GITHUB_SERVER_URL; // Add a random string prefix to avoid naming collisions when checking out the test repository const randomStringPrefix = Math.random().toString(36).substring(2, 15); const repoFileContent = `repositories: @@ -31275,7 +31277,7 @@ done`; if (importToken !== "") { // Unset config so that it doesn't leak to other actions yield execShellCommand([ - `/usr/bin/git config --global --unset-all url.https://x-access-token:${importToken}@github.com.insteadof`, + `/usr/bin/git config --global --unset-all url.https://x-access-token:${importToken}@${gihubServerDomain}.insteadof`, ], options); } }); diff --git a/src/action-ros-ci.ts b/src/action-ros-ci.ts index 60c4ede4..b84eb98c 100644 --- a/src/action-ros-ci.ts +++ b/src/action-ros-ci.ts @@ -519,48 +519,54 @@ async function run_throw(): Promise { }; } + const githubServerUrl = process.env.GITHUB_SERVER_URL as string; + const gihubServerDomain = githubServerUrl.replace("https://", ""); if (importToken !== "") { // Unset all local extraheader config entries possibly set by actions/checkout, // because local settings take precedence and the default token used by // actions/checkout might not have the right permissions for any/all repos await execShellCommand( [ - `/usr/bin/git config --local --unset-all http.https://github.com/.extraheader || true`, + `/usr/bin/git config --local --unset-all http.https://${gihubServerDomain}/.extraheader || true`, ], options, ); + const gihubServerDomainRegex = gihubServerDomain.replace( + ".", + String.raw`\.`, + ); await execShellCommand( [ - String.raw`/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader'` + - ` && git config --local --unset-all 'http.https://github.com/.extraheader' || true`, + String.raw`/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/${gihubServerDomainRegex}\/\.extraheader'` + + ` && git config --local --unset-all 'http.https://${gihubServerDomain}/.extraheader' || true`, ], options, ); // Use a global insteadof entry because local configs aren't observed by git clone await execShellCommand( [ - `/usr/bin/git config --global url.https://x-access-token:${importToken}@github.com.insteadof 'https://github.com'`, + `/usr/bin/git config --global url.https://x-access-token:${importToken}@${gihubServerDomain}.insteadof 'https://${gihubServerDomain}'`, ], options, ); // same as last three comands but for ssh urls await execShellCommand( [ - `/usr/bin/git config --local --unset-all git@github.com:.extraheader || true`, + `/usr/bin/git config --local --unset-all git@${gihubServerDomain}:.extraheader || true`, ], options, ); await execShellCommand( [ - String.raw`/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'git@github\.com:.extraheader'` + - ` && git config --local --unset-all 'git@github.com:.extraheader' || true`, + String.raw`/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'git@${gihubServerDomainRegex}:.extraheader'` + + ` && git config --local --unset-all 'git@${gihubServerDomain}:.extraheader' || true`, ], options, ); // Use a global insteadof entry because local configs aren't observed by git clone (ssh) await execShellCommand( [ - `/usr/bin/git config --global url.https://x-access-token:${importToken}@github.com/.insteadof 'git@github.com:'`, + `/usr/bin/git config --global url.https://x-access-token:${importToken}@${gihubServerDomain}/.insteadof 'git@${gihubServerDomain}:'`, ], options, ); @@ -628,7 +634,6 @@ done`; // if ref is set this overrides anything calculated above commitRef = core.getInput("ref") || commitRef; const repoFilePath = path.join(rosWorkspaceDir, "package.repo"); - const githubServerUrl = process.env.GITHUB_SERVER_URL as string; // Add a random string prefix to avoid naming collisions when checking out the test repository const randomStringPrefix = Math.random().toString(36).substring(2, 15); const repoFileContent = `repositories: @@ -786,7 +791,7 @@ done`; // Unset config so that it doesn't leak to other actions await execShellCommand( [ - `/usr/bin/git config --global --unset-all url.https://x-access-token:${importToken}@github.com.insteadof`, + `/usr/bin/git config --global --unset-all url.https://x-access-token:${importToken}@${gihubServerDomain}.insteadof`, ], options, );