Use token #200
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -34,8 +34,13 @@ override_dh_autoreconf: | |||||||||||||||||
|
|
||||||||||||||||||
| # dh_make generated override targets | ||||||||||||||||||
| # This is example for Cmake (See https://bugs.debian.org/641051 ) | ||||||||||||||||||
| # TOKEN should be set by caller if accessing a private repo | ||||||||||||||||||
| override_dh_auto_configure: | ||||||||||||||||||
| mkdir -p $(HOME) | ||||||||||||||||||
|
|
||||||||||||||||||
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | ||||||||||||||||||
|
||||||||||||||||||
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | |
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > $(HOME)/.git-credentials |
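Review bot: The `echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > $(HOME)/.git-credentials` recipe line has no `@` prefix, so make prints the command with `$(TOKEN)` already expanded and the token ends up in the build log. Prefix the line with `@`, or pass the token through the environment and reference it as `$$TOKEN` so that make echoes only the variable name. The file is also created under the default umask; running `umask 077` in the same shell line before the redirect keeps `.git-credentials` readable by the build user only.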
Copilot
AI
Feb 13, 2026
The TOKEN variable is used without any validation or fallback handling. If TOKEN is not set or is empty, this will create a malformed git credential URL with an empty password field (https://stellar-jenkins-readonly:@github.com). Consider adding a conditional check to only configure git credentials when TOKEN is actually provided, or at minimum document that TOKEN must be set before running this target.
| echo "https://stellar-jenkins-readonly:$(TOKEN)@github.com" > ~/.git-credentials | |
| git config --global credential.helper store | |
| if [ -n "$$TOKEN" ]; then \ | |
| echo "https://stellar-jenkins-readonly:$$TOKEN@github.com" > ~/.git-credentials; \ | |
| git config --global credential.helper store; \ | |
| fi |
Copilot
AI
Feb 13, 2026
Storing credentials in plaintext in ~/.git-credentials poses a security risk. The git credential store helper saves credentials unencrypted on disk. While this may be acceptable for a CI/CD environment with ephemeral build containers, the credentials will persist in the file system. Consider documenting the security implications, using environment-specific credential helpers, or ensuring this runs only in isolated build environments. Additionally, ensure the credentials file is properly cleaned up after the build.
Copilot
AI
Feb 13, 2026
The git config command sets the credential helper globally (--global flag). This modifies the global git configuration for the user running the build, which could have unintended side effects if the build environment is reused or shared. Consider using --local instead to limit the configuration to the current repository, or use GIT_CONFIG_GLOBAL environment variable to point to a build-specific config file within $(HOME).
| git config --global credential.helper store | |
| git config --file "$(HOME)/gitconfig" credential.helper store |
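Review bot: The suggested `git config --file "$(HOME)/gitconfig" credential.helper store` writes to a file named `gitconfig` (no leading dot), which git does not read by default, so the helper setting would never take effect. Either export `GIT_CONFIG_GLOBAL=$(HOME)/gitconfig` for the commands that fetch from the private repo, or write to `$(HOME)/.gitconfig` and make sure `HOME` is exported to the recipe shell.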
There is a trailing whitespace on this otherwise empty line. This should be removed to maintain code cleanliness and avoid potential issues with whitespace-sensitive tools.
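The review comments above (skip the setup when TOKEN is empty, keep the helper out of the user's global git config, restrict and clean up the plaintext store) can be combined in one shell helper. This is an added example, not code from the pull request: the function names and the build-directory argument are hypothetical, and it assumes git 2.32 or newer (for `GIT_CONFIG_GLOBAL`) and a build path without whitespace.

```shell
#!/bin/sh
# Added example. setup_git_credentials / cleanup_git_credentials and the
# build-directory argument are hypothetical names, not part of the project.

# $1 = build-private directory, $2 = token (may be empty)
setup_git_credentials() {
    build_home=$1
    token=$2

    # No token means a public repo: write nothing rather than a URL with
    # an empty password field.
    [ -n "$token" ] || return 0

    mkdir -p "$build_home" || return 1
    (
        # Subshell so the tighter umask does not leak into the caller.
        umask 077 &&
        printf 'https://stellar-jenkins-readonly:%s@github.com\n' "$token" \
            > "$build_home/.git-credentials" &&
        # Hand-written config; "store --file=" pins the store location.
        # Assumes $build_home contains no whitespace.
        printf '[credential]\n\thelper = store --file=%s\n' \
            "$build_home/.git-credentials" > "$build_home/gitconfig"
    ) || return 1

    # Build-specific config instead of the user's ~/.gitconfig
    # (honoured by git >= 2.32).
    GIT_CONFIG_GLOBAL="$build_home/gitconfig"
    export GIT_CONFIG_GLOBAL
}

# $1 = the same build-private directory; call when the build finishes.
cleanup_git_credentials() {
    rm -f "$1/.git-credentials" "$1/gitconfig"
    unset GIT_CONFIG_GLOBAL
}
```

Calling `cleanup_git_credentials` from a `trap ... EXIT` in the build script removes the store even when the build fails.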