feat(submodules): use env vars from getGitEnvironmentVariables #31934
Conversation
rarkins
changed the title
| const gitSubmoduleAuthEnvironmentVariables = getGitEnvironmentVariables(); | ||
| const gitEnv = { | ||
| // pass all existing env variables | ||
| ...process.env, |
There was a problem hiding this comment.
Was git already passing all env variables before this? Because normally we'd want this controlled by exposeAllEnv.
There was a problem hiding this comment.
not sure what you mean exactly, but right now git is not configured with the ENV var that forces github.com submodules to be cloned with https rather than ssh.
There was a problem hiding this comment.
this is the discussion about the problem #30942
There was a problem hiding this comment.
The question I'm asking is: does the simple-git library pass the entire env through to git already today?
Renovate contains controls for admins to decide if they want to pass all env (including secrets) through to child processes. I just want to make sure that we're not opening up any security holes here.
| @@ -366,7 +372,7 @@ export async function cloneSubmodules( | |||
| try { | |||
| logger.debug(`Cloning git submodule at ${submodule}`); | |||
| await gitRetry(() => | |||
| git.submoduleUpdate(['--init', '--recursive', submodule]), | |||
| git.env(gitEnv).submoduleUpdate(['--init', '--recursive', submodule]), | |||
There was a problem hiding this comment.
Another angle of the question above: if there's no git.env.submoduleUpdate and just git.submoduleUpdate then is the whole env passed through by default?
Changes
This change uses the existing
getGitEnvironmentVariablesfunction during the cloning of git submodules.This function has been used to include support for updating private git ssh submodules on github.com, but it was not added in the function triggered when the
cloneSubmodulesconfig file option is set to true.see: #22061
Context
#30942
Private submodules on the github.com app cannot currently be cloned with the
cloneSubmodulesoption when the.gitmodulesfile is configured with ssh.This is because the GitHub App token does not have SSH permissions, it can only auth via HTTP.
My use case is private Go submodules on github.com, for the
"postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"],options to work, I need my private git submodules cloned.Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: