feat(auth): per-platform git identity via includeIf

Split GIT_USER_NAME/EMAIL into GH_USER_NAME/EMAIL and GL_USER_NAME/EMAIL
so each platform gets its own commit identity and GPG signing key.
Uses git includeIf hasconfig:remote.*.url to auto-select the right
identity based on the repo's remote URL. No manual per-repo config
needed.

RHCLOUD-47113

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Hyperkid123

Dockerfile

@@ -158,7 +158,7 @@ RUN mkdir -p /home/botuser/.config/containers /home/botuser/.local/share/contain
        > /home/botuser/.config/containers/registries.conf
 
 
-# Git config (identity is set at runtime via GIT_USER_NAME/GIT_USER_EMAIL env vars)
+# Git config (per-platform identity is set at runtime via includeIf)
 RUN git config --global http.https://gitlab.cee.redhat.com.sslVerify false \
     && git config --global gpg.format openpgp \
     && git config --global commit.gpgsign true

bot/run.py

@@ -31,36 +31,50 @@ def _resolve_path(p: str) -> str:
 
 
 def setup_git(script_dir: Path) -> None:
-    """Generate a .gitconfig with identity and optional GPG signing.
+    """Generate per-platform .gitconfig files with includeIf.
 
-    Reads from env: GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GPG_SIGNING_KEY.
-    Sets GIT_CONFIG_GLOBAL so all repos use this config.
+    Reads GH_USER_NAME/GH_USER_EMAIL and GL_USER_NAME/GL_USER_EMAIL
+    from env. Each platform gets its own identity and signing key.
+    Falls back to GIT_AUTHOR_NAME/GIT_AUTHOR_EMAIL for single-identity
+    local dev. Sets GIT_CONFIG_GLOBAL so all repos use this config.
     """
-    name = os.environ.get("GIT_AUTHOR_NAME")
-    email = os.environ.get("GIT_AUTHOR_EMAIL")
+    gh_name = os.environ.get("GH_USER_NAME") or os.environ.get("GIT_AUTHOR_NAME")
+    gh_email = os.environ.get("GH_USER_EMAIL") or os.environ.get("GIT_AUTHOR_EMAIL")
+    gl_name = os.environ.get("GL_USER_NAME") or os.environ.get("GIT_AUTHOR_NAME")
+    gl_email = os.environ.get("GL_USER_EMAIL") or os.environ.get("GIT_AUTHOR_EMAIL")
 
-    if not name and not email:
+    if not gh_name and not gl_name:
         return
 
     config_path = script_dir / ".gitconfig"
+    gh_config = script_dir / ".gitconfig-gh"
+    gl_config = script_dir / ".gitconfig-gl"
+
+    for path, name, email, key_env in [
+        (gh_config, gh_name, gh_email, "GH_GPG_SIGNING_KEY"),
+        (gl_config, gl_name, gl_email, "GL_GPG_SIGNING_KEY"),
+    ]:
+        lines = ["# Auto-generated by bot/run.py", "[user]"]
+        if name:
+            lines.append(f"\tname = {name}")
+        if email:
+            lines.append(f"\temail = {email}")
+        signing_key = os.environ.get(key_env) or os.environ.get("GPG_SIGNING_KEY")
+        if signing_key:
+            lines.append(f"\tsigningkey = {signing_key}")
+        path.write_text("\n".join(lines) + "\n")
+
     lines = [
         "# Auto-generated by bot/run.py — do not edit manually",
-        "[user]",
+        '[includeIf "hasconfig:remote.*.url:https://github.com/**"]',
+        f"\tpath = {gh_config}",
+        '[includeIf "hasconfig:remote.*.url:https://gitlab.cee.redhat.com/**"]',
+        f"\tpath = {gl_config}",
+        "[commit]",
+        "\tgpgsign = true",
+        "[gpg]",
+        "\tformat = openpgp",
     ]
-    if name:
-        lines.append(f"\tname = {name}")
-    if email:
-        lines.append(f"\temail = {email}")
-
-    signing_key = os.environ.get("GPG_SIGNING_KEY")
-    if signing_key:
-        lines += [
-            f"\tsigningkey = {signing_key}",
-            "[commit]",
-            "\tgpgsign = true",
-            "[gpg]",
-            "\tformat = openpgp",
-        ]
 
     config_path.write_text("\n".join(lines) + "\n")
     os.environ["GIT_CONFIG_GLOBAL"] = str(config_path)

deploy/template.yaml

@@ -21,13 +21,17 @@ parameters:
   value: hcc-ai-bot
 - name: BOT_REPLICAS
   value: "1"
-- name: GIT_USER_NAME
+- name: GH_USER_NAME
   required: true
-- name: GIT_USER_EMAIL
+- name: GH_USER_EMAIL
   required: true
 - name: GH_USERNAME
   required: true
-- name: GITLAB_USERNAME
+- name: GL_USER_NAME
+  required: true
+- name: GL_USER_EMAIL
+  required: true
+- name: GL_USERNAME
   required: true
 objects:
 
@@ -265,15 +269,19 @@ objects:
             value: "60"
           - name: GOOGLE_APPLICATION_CREDENTIALS
             value: /home/botuser/sa-key.json
-          # Git identity
-          - name: GIT_USER_NAME
-            value: ${GIT_USER_NAME}
-          - name: GIT_USER_EMAIL
-            value: ${GIT_USER_EMAIL}
+          # Git identity — per-platform (name, email, login)
+          - name: GH_USER_NAME
+            value: ${GH_USER_NAME}
+          - name: GH_USER_EMAIL
+            value: ${GH_USER_EMAIL}
           - name: GH_USERNAME
             value: ${GH_USERNAME}
-          - name: GITLAB_USERNAME
-            value: ${GITLAB_USERNAME}
+          - name: GL_USER_NAME
+            value: ${GL_USER_NAME}
+          - name: GL_USER_EMAIL
+            value: ${GL_USER_EMAIL}
+          - name: GL_USERNAME
+            value: ${GL_USERNAME}
           # Proxy — HTTP(S)_PROXY for git and HTTP clients
           - name: PROXY_HOST
             value: devbot-proxy

docker-compose.yml

@@ -68,10 +68,12 @@ services:
       - GPG_PRIVATE_KEY_B64
       - GH_TOKEN
       - GITLAB_TOKEN
+      - GH_USER_NAME
+      - GH_USER_EMAIL
       - GH_USERNAME
-      - GITLAB_USERNAME
-      - GIT_USER_NAME
-      - GIT_USER_EMAIL
+      - GL_USER_NAME
+      - GL_USER_EMAIL
+      - GL_USERNAME
       - GOOGLE_SA_KEY_B64
       - SSO_USERNAME
       - SSO_PASSWORD

entrypoint.sh

@@ -28,12 +28,12 @@ decode_or_raw() {
 }
 
 # Git credential helpers for HTTPS auth (replaces SSH keys)
-# GitHub: gh CLI acts as credential helper
+# GitHub: gh CLI acts as credential helper (set up below)
 # GitLab: custom helper script injects token
 if [ -n "${GITLAB_TOKEN:-}" ]; then
     cat > /home/botuser/.git-credential-gitlab <<CREDEOF
 #!/bin/bash
-echo "username=${GITLAB_USERNAME}"
+echo "username=${GL_USERNAME}"
 echo "password=${GITLAB_TOKEN}"
 CREDEOF
     chmod 700 /home/botuser/.git-credential-gitlab
@@ -49,16 +49,32 @@ EOF
     unset SSO_USERNAME SSO_PASSWORD
 fi
 
-# Git identity from env vars
-git config --global user.name "${GIT_USER_NAME}"
-git config --global user.email "${GIT_USER_EMAIL}"
-
-# Import GPG key for commit signing
+# Import GPG keys for commit signing (may contain keys for both platforms)
 if [ -n "${GPG_PRIVATE_KEY_B64:-}" ]; then
     gpg --batch --import <(decode_or_raw "$GPG_PRIVATE_KEY_B64") 2>/dev/null
 fi
-export GPG_SIGNING_KEY="$(gpg --list-secret-keys --keyid-format long 2>/dev/null | grep ed25519 | head -1 | awk '{print $2}' | cut -d/ -f2)"
-git config --global user.signingkey "$GPG_SIGNING_KEY"
+
+# Per-platform git identity via includeIf (git 2.36+)
+# Each platform gets its own name, email, and GPG signing key.
+GH_GPG_KEY="$(gpg --list-secret-keys --keyid-format long "${GH_USER_EMAIL}" 2>/dev/null | grep -oP '(?<=/)[A-F0-9]{16}' | head -1)"
+GL_GPG_KEY="$(gpg --list-secret-keys --keyid-format long "${GL_USER_EMAIL}" 2>/dev/null | grep -oP '(?<=/)[A-F0-9]{16}' | head -1)"
+
+cat > /home/botuser/.gitconfig-gh <<EOF
+[user]
+	name = ${GH_USER_NAME}
+	email = ${GH_USER_EMAIL}
+	signingkey = ${GH_GPG_KEY}
+EOF
+
+cat > /home/botuser/.gitconfig-gl <<EOF
+[user]
+	name = ${GL_USER_NAME}
+	email = ${GL_USER_EMAIL}
+	signingkey = ${GL_GPG_KEY}
+EOF
+
+git config --global 'includeIf.hasconfig:remote.*.url:https://github.com/**.path' /home/botuser/.gitconfig-gh
+git config --global 'includeIf.hasconfig:remote.*.url:https://gitlab.cee.redhat.com/**.path' /home/botuser/.gitconfig-gl
 
 # Decode GCP service account key
 if [ -n "${GOOGLE_SA_KEY_B64:-}" ]; then