Persist creds to a separate file by ericsciple · Pull Request #2286 · actions/checkout

ericsciple · 2025-10-14T15:20:41Z

No description provided.

src/git-auth-helper.ts

Copilot

Pull Request Overview

This PR refactors Git credential management to persist credentials in a separate config file instead of directly in the repository's .git/config. The change improves security by isolating credentials from the main Git configuration and uses Git's includeIf mechanism to conditionally include the credentials when needed.

Key changes:

Moves credential storage from .git/config to a separate file in RUNNER_TEMP
Uses Git's includeIf.gitdir feature to conditionally include credentials based on Git directory path
Updates both main repository and submodule authentication to use the new approach

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/git-command-manager.ts	Adds new methods for config file operations and `configFile` parameter support
src/git-auth-helper.ts	Refactors credential management to use separate config files with `includeIf` entries
test/verify-submodules-true.sh	Updates test to use `--includes` flag when checking for credentials
test/verify-submodules-recursive.sh	Updates test to use `--includes` flag when checking for credentials
test/git-directory-helper.test.ts	Adds mock implementations for new git command manager methods
test/git-auth-helper.test.ts	Updates tests to verify new credential file structure and behavior
.github/workflows/test.yml	Adjusts workflow paths to avoid conflicts with new checkout behavior

Comments suppressed due to low confidence (1)

src/git-auth-helper.ts:1

The test name configureAuth_AcceptsGitHubServerUrlSetToGHEC doesn't match the test description 'inject https://github.com as github server url'. Consider using a more descriptive name like configureAuth_AcceptsGitHubServerUrl to match the actual test purpose.

import * as assert from 'assert'

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

src/git-auth-helper.ts

__test__/git-auth-helper.test.ts

.github/workflows/test.yml

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v5.0.1` -> `v6.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.0`](https://github.com/actions/checkout/releases/tag/v6.0.0) [Compare Source](actions/checkout@v5.0.1...v6.0.0) #### What's Changed - Update README to include Node.js 24 support details and requirements by [@salmanmkc](https://github.com/salmanmkc) in [#2248](actions/checkout#2248) - Persist creds to a separate file by [@ericsciple](https://github.com/ericsciple) in [#2286](actions/checkout#2286) - v6-beta by [@ericsciple](https://github.com/ericsciple) in [#2298](actions/checkout#2298) - update readme/changelog for v6 by [@ericsciple](https://github.com/ericsciple) in [#2311](actions/checkout#2311) **Full Changelog**: <actions/checkout@v5.0.0...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.tainton.uk/repos/roboluke/pulls/396 Co-authored-by: renovate[bot] <[email protected]> Co-committed-by: renovate[bot] <[email protected]>

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v5.0.1` -> `v6.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.0`](https://github.com/actions/checkout/releases/tag/v6.0.0) [Compare Source](actions/checkout@v5.0.1...v6.0.0) #### What's Changed - Update README to include Node.js 24 support details and requirements by [@salmanmkc](https://github.com/salmanmkc) in [#2248](actions/checkout#2248) - Persist creds to a separate file by [@ericsciple](https://github.com/ericsciple) in [#2286](actions/checkout#2286) - v6-beta by [@ericsciple](https://github.com/ericsciple) in [#2298](actions/checkout#2298) - update readme/changelog for v6 by [@ericsciple](https://github.com/ericsciple) in [#2311](actions/checkout#2311) **Full Changelog**: <actions/checkout@v5.0.0...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.tainton.uk/repos/epage/pulls/179 Co-authored-by: renovate[bot] <[email protected]> Co-committed-by: renovate[bot] <[email protected]>

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v5.0.1` -> `v6.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.0`](https://github.com/actions/checkout/releases/tag/v6.0.0) [Compare Source](actions/checkout@v5.0.1...v6.0.0) #### What's Changed - Update README to include Node.js 24 support details and requirements by [@salmanmkc](https://github.com/salmanmkc) in [#2248](actions/checkout#2248) - Persist creds to a separate file by [@ericsciple](https://github.com/ericsciple) in [#2286](actions/checkout#2286) - v6-beta by [@ericsciple](https://github.com/ericsciple) in [#2298](actions/checkout#2298) - update readme/changelog for v6 by [@ericsciple](https://github.com/ericsciple) in [#2311](actions/checkout#2311) **Full Changelog**: <actions/checkout@v5.0.0...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.tainton.uk/repos/pypilot/pulls/396 Co-authored-by: renovate[bot] <[email protected]> Co-committed-by: renovate[bot] <[email protected]>

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v5.0.1` -> `v6.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.0`](https://github.com/actions/checkout/releases/tag/v6.0.0) [Compare Source](actions/checkout@v5.0.1...v6.0.0) #### What's Changed - Update README to include Node.js 24 support details and requirements by [@salmanmkc](https://github.com/salmanmkc) in [#2248](actions/checkout#2248) - Persist creds to a separate file by [@ericsciple](https://github.com/ericsciple) in [#2286](actions/checkout#2286) - v6-beta by [@ericsciple](https://github.com/ericsciple) in [#2298](actions/checkout#2298) - update readme/changelog for v6 by [@ericsciple](https://github.com/ericsciple) in [#2311](actions/checkout#2311) **Full Changelog**: <actions/checkout@v5.0.0...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.tainton.uk/repos/PwnedPW/pulls/311 Co-authored-by: renovate[bot] <[email protected]> Co-committed-by: renovate[bot] <[email protected]>

This adds `persist-credientials: false` to all uses of `actions/checkout`, as was done in GitoxideLabs/gitoxide#2187. This doesn't add a hard check to fail CI if this isn't present. But Zizmor does catch its absence, which might be sufficient in view of the lower (but not zero) attack surface for persisted credentials here compared to `gitoxide` in the event of unintended coupling between the test suite here and CI clone of the repository itself. Another factor that reduces the risk across the board (though not necessarily by enough that we should rely solely on it and Zizmor for this in the `gitoxide` repository) is that `actions/checkout` keeps its credentials in a separate file, rather than in `.git/config`, since `v6`. For details on that, see: - https://github.com/actions/checkout/blob/main/CHANGELOG.md#v600 - actions/checkout#2286

ericsciple commented Oct 17, 2025

View reviewed changes