
Commit 440fdde

kryswisnaskasdependabot[bot]Copilot
authored
[TTAHUB-5241] Fix release tag push to avoid read-only SSH auth (#3683)
* Bump fast-xml-builder from 1.1.5 to 1.2.0 Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-builder@v1.1.5...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * [TTAHUB-5241] Build production releases from annotated tags * Stop embedding GITHUB_TOKEN in Git remote URLs * Fix findings * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix incorrectly applied suggestion * [TTAHUB-5241] Fix release tag push to avoid read-only SSH auth --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
1 parent 966abde commit 440fdde

1 file changed

Lines changed: 14 additions & 56 deletions


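--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -707,25 +707,11 @@ jobs:
 exit 1
 fi
 
-git_askpass="$(mktemp)"
-{
-printf '%s\n' '#!/bin/sh'
-printf '%s\n' 'case "$1" in'
-printf '%s\n' ' *Username*) printf '\''%s\n'\'' "x-access-token" ;;'
-printf '%s\n' ' *Password*) printf '\''%s\n'\'' "$GITHUB_TOKEN" ;;'
-printf '%s\n' ' *) printf '\''\n'\'' ;;'
-printf '%s\n' 'esac'
-} > "${git_askpass}"
-chmod 700 "${git_askpass}"
-export GIT_ASKPASS="${git_askpass}"
-export GIT_TERMINAL_PROMPT=0
-trap 'rm -f "${git_askpass}"' EXIT
-
-git_url="https://github.com/HHS/Head-Start-TTADP.git"
-git fetch --force --no-tags "${git_url}" "+refs/heads/production:refs/remotes/origin/production"
-
-remote_tag_ref=$(git ls-remote "${git_url}" "refs/tags/${release_tag}" | awk '{print $1}')
-remote_target_ref=$(git ls-remote "${git_url}" "refs/tags/${release_tag}^{}" | awk '{print $1}')
+auth_git_url="https://x-access-token:${GITHUB_TOKEN}@github.com/HHS/Head-Start-TTADP.git"
+git fetch --force --no-tags "${auth_git_url}" "+refs/heads/production:refs/remotes/origin/production"
+
+remote_tag_ref=$(git ls-remote "${auth_git_url}" "refs/tags/${release_tag}" | awk '{print $1}')
+remote_target_ref=$(git ls-remote "${auth_git_url}" "refs/tags/${release_tag}^{}" | awk '{print $1}')
 if [ -n "${remote_tag_ref}" ]; then
 if [ -z "${remote_target_ref}" ] || [ "${remote_tag_ref}" = "${remote_target_ref}" ]; then
 echo "Remote production release tag ${release_tag} must be annotated"
@@ -737,7 +723,7 @@ jobs:
 exit 1
 fi
 
-git fetch --force --no-tags "${git_url}" "+refs/tags/${release_tag}:refs/tags/${release_tag}"
+git fetch --force --no-tags "${auth_git_url}" "+refs/tags/${release_tag}:refs/tags/${release_tag}"
 fetched_tag_ref=$(git rev-parse "refs/tags/${release_tag}")
 if [ "${fetched_tag_ref}" != "${remote_tag_ref}" ]; then
 echo "Fetched production release tag ${release_tag} is ${fetched_tag_ref}, not remote tag object ${remote_tag_ref}"
@@ -1022,22 +1008,8 @@ jobs:
 git config user.name "circleci"
 git config user.email "circleci@users.noreply.github.com"
 
-git_askpass="$(mktemp)"
-{
-printf '%s\n' '#!/bin/sh'
-printf '%s\n' 'case "$1" in'
-printf '%s\n' ' *Username*) printf '\''%s\n'\'' "x-access-token" ;;'
-printf '%s\n' ' *Password*) printf '\''%s\n'\'' "$GITHUB_TOKEN" ;;'
-printf '%s\n' ' *) printf '\''\n'\'' ;;'
-printf '%s\n' 'esac'
-} > "${git_askpass}"
-chmod 700 "${git_askpass}"
-export GIT_ASKPASS="${git_askpass}"
-export GIT_TERMINAL_PROMPT=0
-trap 'rm -f "${git_askpass}"' EXIT
-
-git_url="https://github.com/HHS/Head-Start-TTADP.git"
-git fetch --tags "${git_url}"
+auth_git_url="https://x-access-token:${GITHUB_TOKEN}@github.com/HHS/Head-Start-TTADP.git"
+git fetch --tags "${auth_git_url}"
 
 if git rev-parse -q --verify "refs/tags/${BUILD_RELEASE_TAG}" >/dev/null; then
 existing_commit=$(git rev-list -n 1 "${BUILD_RELEASE_TAG}")
@@ -1060,12 +1032,12 @@ jobs:
 "PR: ${pr_url}")
 git tag -a "${BUILD_RELEASE_TAG}" "${CIRCLE_SHA1}" -m "${tag_message}"
 
-if git push "${git_url}" "refs/tags/${BUILD_RELEASE_TAG}"; then
+if git push "${auth_git_url}" "refs/tags/${BUILD_RELEASE_TAG}"; then
 exit 0
 fi
 
 echo "Release tag push reported failure; checking remote state"
-remote_commit=$(git ls-remote "${git_url}" "refs/tags/${BUILD_RELEASE_TAG}^{}" | awk '{print $1}')
+remote_commit=$(git ls-remote "${auth_git_url}" "refs/tags/${BUILD_RELEASE_TAG}^{}" | awk '{print $1}')
 if [ "${remote_commit}" = "${CIRCLE_SHA1}" ]; then
 echo "Remote tag ${BUILD_RELEASE_TAG} exists at ${CIRCLE_SHA1}; treating push as successful"
 exit 0
@@ -1113,25 +1085,11 @@ jobs:
 return 1
 fi
 
-git_askpass="$(mktemp)"
-{
-printf '%s\n' '#!/bin/sh'
-printf '%s\n' 'case "$1" in'
-printf '%s\n' ' *Username*) printf '\''%s\n'\'' "x-access-token" ;;'
-printf '%s\n' ' *Password*) printf '\''%s\n'\'' "$GITHUB_TOKEN" ;;'
-printf '%s\n' ' *) printf '\''\n'\'' ;;'
-printf '%s\n' 'esac'
-} > "${git_askpass}"
-chmod 700 "${git_askpass}"
-export GIT_ASKPASS="${git_askpass}"
-export GIT_TERMINAL_PROMPT=0
-trap 'rm -f "${git_askpass}"' EXIT
-
-git_url="https://github.com/HHS/Head-Start-TTADP.git"
+auth_git_url="https://x-access-token:${GITHUB_TOKEN}@github.com/HHS/Head-Start-TTADP.git"
 
 remote_tag_matches_release() {
-remote_tag_ref=$(git ls-remote "${git_url}" "refs/tags/${BUILD_RELEASE_TAG}" | awk '{print $1}') || return 1
-remote_target_ref=$(git ls-remote "${git_url}" "refs/tags/${BUILD_RELEASE_TAG}^{}" | awk '{print $1}') || return 1
+remote_tag_ref=$(git ls-remote "${auth_git_url}" "refs/tags/${BUILD_RELEASE_TAG}" | awk '{print $1}') || return 1
+remote_target_ref=$(git ls-remote "${auth_git_url}" "refs/tags/${BUILD_RELEASE_TAG}^{}" | awk '{print $1}') || return 1
 
 if [ -z "${remote_tag_ref}" ]; then
 return 2
@@ -1183,7 +1141,7 @@ jobs:
 remote_tag_matches_release
 remote_tag_status=$?
 if [ "${remote_tag_status}" -eq 2 ]; then
-if ! git push "${git_url}" "refs/tags/${BUILD_RELEASE_TAG}"; then
+if ! git push "${auth_git_url}" "refs/tags/${BUILD_RELEASE_TAG}"; then
 echo "Release tag push reported failure; checking remote state"
 remote_tag_matches_release
 remote_tag_status=$?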
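Review bot: The new `auth_git_url` assignment at new line 710 (repeated at 1011 and 1088) places `${GITHUB_TOKEN}` in the URL handed to every `git fetch`, `git ls-remote` and `git push`, so the token becomes part of each command's argv and of any shell trace or error text that prints the URL; the removed `GIT_ASKPASS` helper kept it out of both. If the motive is that a checkout-time `insteadOf` rule rewrites plain `https://github.com/` URLs to the read-only SSH key (inferred from the commit title; no such rule is visible in these hunks), a URL carrying only the username would presumably sidestep that rewrite while the helper still supplies the password: keep the helper and set `git_url="https://x-access-token@github.com/HHS/Head-Start-TTADP.git"`. Whichever form stays, a short comment above the assignment stating why the bare URL cannot be used, and whether the CI log masking is being relied on to hide the token, would save the next maintainer from reverting it. The run steps that contain these hunks begin and end outside the visible lines, so whether `set -x` or similar tracing is active cannot be checked from here.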
