Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds git credential configuration to the stellar-core Debian package build process to enable access to private GitHub repositories during the build. The change is required for a pipeline issue (stellar/pipelines#698) and configures git to use a token-based authentication for GitHub access.
Changes:
- Add git credential store configuration in the debian build rules to authenticate with GitHub using a TOKEN variable
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| override_dh_auto_configure: | ||
| mkdir -p $(HOME) | ||
|
|
||
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials |
There was a problem hiding this comment.
The hardcoded path /.git-credentials uses the tilde () instead of the HOME variable. This is inconsistent with line 39 which uses
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | |
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > $(HOME)/.git-credentials |
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | ||
| git config --global credential.helper store |
There was a problem hiding this comment.
The TOKEN variable is used without any validation or fallback handling. If TOKEN is not set or is empty, this will create a malformed git credential URL with an empty password field (https://stellar-jenkins-readonly:@github.com). Consider adding a conditional check to only configure git credentials when TOKEN is actually provided, or at minimum document that TOKEN must be set before running this target.
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | |
| git config --global credential.helper store | |
| if [ -n "$$TOKEN" ]; then \ | |
| echo "https://stellar-jenkins-readonly:$$TOKEN@github.com" > ~/.git-credentials; \ | |
| git config --global credential.helper store; \ | |
| fi |
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | ||
| git config --global credential.helper store |
There was a problem hiding this comment.
Storing credentials in plaintext in ~/.git-credentials poses a security risk. The git credential store helper saves credentials unencrypted on disk. While this may be acceptable for a CI/CD environment with ephemeral build containers, the credentials will persist in the file system. Consider documenting the security implications, using environment-specific credential helpers, or ensuring this runs only in isolated build environments. Additionally, ensure the credentials file is properly cleaned up after the build.
| mkdir -p $(HOME) | ||
|
|
||
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | ||
| git config --global credential.helper store |
There was a problem hiding this comment.
The git config command sets the credential helper globally (--global flag). This modifies the global git configuration for the user running the build, which could have unintended side effects if the build environment is reused or shared. Consider using --local instead to limit the configuration to the current repository, or use GIT_CONFIG_GLOBAL environment variable to point to a build-specific config file within $(HOME).
| git config --global credential.helper store | |
| git config --file "$(HOME)/gitconfig" credential.helper store |
| # TOKEN should be set by caller if accessing a private repo | ||
| override_dh_auto_configure: | ||
| mkdir -p $(HOME) | ||
|
|
There was a problem hiding this comment.
There is a trailing whitespace on this otherwise empty line. This should be removed to maintain code cleanliness and avoid potential issues with whitespace-sensitive tools.
1 participant
Required for https://github.com/stellar/pipelines/issues/698