getsentry · Jeffreyhung · Feb 19, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025
diff --git a/src/targets/awsLambdaLayer.ts b/src/targets/awsLambdaLayer.ts
@@ -4,10 +4,9 @@ import * as path from 'path';
 import { Octokit } from '@octokit/rest';
 import simpleGit from 'simple-git';
 import {
-  getAuthUsername,
-  getGitHubApiToken,
   getGitHubClient,
   GitHubRemote,
+  getGitHubAuthHeader,
 } from '../utils/githubApi';
 
 import { TargetConfig } from '../schemas/project_config';
@@ -139,16 +138,16 @@ export class AwsLambdaLayerTarget extends BaseTarget {
     this.logger.trace('AWS regions: ', awsRegions);
 
     const remote = this.awsLambdaConfig.registryRemote;
-    const username = await getAuthUsername(this.github);
-    remote.setAuth(username, getGitHubApiToken());
 
     await withTempDir(
       async directory => {
         const git = simpleGit(directory);
+        /** Add the GitHub token to the git auth header */
+        await git.raw(getGitHubAuthHeader());
         this.logger.info(
           `Cloning ${remote.getRemoteString()} to ${directory}...`
         );
-        await git.clone(remote.getRemoteStringWithAuth(), directory);
+        await git.clone(remote.getRemoteString(), directory);
 
         if (!isDryRun()) {
           await this.publishRuntimes(

diff --git a/src/targets/ghPages.ts b/src/targets/ghPages.ts
@@ -8,10 +8,10 @@ import { GitHubGlobalConfig, TargetConfig } from '../schemas/project_config';
 import { ConfigurationError, reportError } from '../utils/errors';
 import { withTempDir } from '../utils/files';
 import {
-  getAuthUsername,
   getGitHubApiToken,
   getGitHubClient,
   GitHubRemote,
+  getGitHubAuthHeader,
 } from '../utils/githubApi';
 import { isDryRun } from '../utils/helpers';
 import { extractZipArchive } from '../utils/system';
@@ -148,11 +148,13 @@ export class GhPagesTarget extends BaseTarget {
     archivePath: string,
     version: string
   ): Promise<void> {
+    const git = simpleGit(directory);
+    /** Add the GitHub token to the git auth header */
+    await git.raw(getGitHubAuthHeader());
     this.logger.info(
       `Cloning "${remote.getRemoteString()}" to "${directory}"...`
     );
-    await simpleGit().clone(remote.getRemoteStringWithAuth(), directory);
-    const git = simpleGit(directory);
+    await git.clone(remote.getRemoteString(), directory);
     this.logger.debug(`Checking out branch: "${branch}"`);
     try {
       await git.checkout([branch]);
@@ -219,12 +221,9 @@ export class GhPagesTarget extends BaseTarget {
       packageFiles[0]
     );
 
-    const username = await getAuthUsername(this.github);
-
     const remote = new GitHubRemote(
       githubOwner,
       githubRepo,
-      username,
       getGitHubApiToken()
     );
 

diff --git a/src/targets/registry.ts b/src/targets/registry.ts
@@ -6,8 +6,7 @@ import { GitHubGlobalConfig, TargetConfig } from '../schemas/project_config';
 import { ConfigurationError, reportError } from '../utils/errors';
 import { withTempDir } from '../utils/files';
 import {
-  getAuthUsername,
-  getGitHubApiToken,
+  getGitHubAuthHeader,
   getGitHubClient,
   GitHubRemote,
 } from '../utils/githubApi';
@@ -427,14 +426,14 @@ export class RegistryTarget extends BaseTarget {
 
   private async cloneRegistry(directory: string): Promise<SimpleGit> {
     const remote = this.remote;
-    const username = await getAuthUsername(this.github);
-    remote.setAuth(username, getGitHubApiToken());
 
     const git = simpleGit(directory);
+    /** Add the GitHub token to the git auth header */
+    await git.raw(getGitHubAuthHeader());
     this.logger.info(
       `Cloning "${remote.getRemoteString()}" to "${directory}"...`
     );
-    await git.clone(remote.getRemoteStringWithAuth(), directory, [
+    await git.clone(remote.getRemoteString(), directory, [
       '--filter=tree:0',
       '--single-branch',
     ]);

diff --git a/src/targets/upm.ts b/src/targets/upm.ts
@@ -1,8 +1,8 @@
 import { Octokit } from '@octokit/rest';
 import simpleGit from 'simple-git';
 import {
-  getAuthUsername,
   getGitHubApiToken,
+  getGitHubAuthHeader,
   getGitHubClient,
   GitHubRemote,
 } from '../utils/githubApi';
@@ -107,11 +107,9 @@ export class UpmTarget extends BaseTarget {
       packageFile
     );
 
-    const username = await getAuthUsername(this.github);
     const remote = new GitHubRemote(
       this.config.releaseRepoOwner,
       this.config.releaseRepoName,
-      username,
       getGitHubApiToken()
     );
     const remoteAddr = remote.getRemoteString();
@@ -120,8 +118,10 @@ export class UpmTarget extends BaseTarget {
     await withTempDir(
       async directory => {
         const git = simpleGit(directory);
+        /** Add the GitHub token to the git auth header */
+        await git.raw(getGitHubAuthHeader());
         this.logger.info(`Cloning ${remoteAddr} to ${directory}...`);
-        await git.clone(remote.getRemoteStringWithAuth(), directory);
+        await git.clone(remote.getRemoteString(), directory);
 
         this.logger.info('Clearing the repository.');
         await git.rm(['-r', '-f', '.']);

diff --git a/src/utils/githubApi.ts b/src/utils/githubApi.ts
@@ -26,27 +26,14 @@
  public constructor(
    owner: string,
    repo: string,
    username?: string,
    apiToken?: string
   ) {
     this.owner = owner;
     this.repo = repo;
-    if (username && apiToken) {
-      this.setAuth(username, apiToken);
-    }
     this.url = `/${this.owner}/${this.repo}/`;
   }
 
-  /**
-   * Sets authentication arguments: username and personal API token
-   *
-   * @param username GitHub username
-   * @param apiToken GitHub API token
-   */
-  public setAuth(username: string, apiToken: string): void {
-    this.username = username;
-    this.apiToken = apiToken;
-  }
 
   /**
    * Returns an HTTP-based git remote
@@ -56,19 +43,6 @@
   public getRemoteString(): string {
     return this.PROTOCOL_PREFIX + this.GITHUB_HOSTNAME + this.url;
   }
-
-  /**
-   * Returns an HTTP-based git remote with embedded HTTP basic auth
-   *
-   * It MAY contain sensitive information (e.g. API tokens)
-   */
-  public getRemoteStringWithAuth(): string {
-    const authData =
-      this.username && this.apiToken
-        ? `${this.username}:${this.apiToken}@`
-        : '';
-    return this.PROTOCOL_PREFIX + authData + this.GITHUB_HOSTNAME + this.url;
-  }
 }
 
 /**
@@ -87,6 +61,20 @@
   return githubApiToken;
 }
 
+/**
+ * Returns the GitHub auth header
+ *
+ * @returns GitHub auth header
+ */
+export function getGitHubAuthHeader(): Array<string> {
+  return [
+    'config',
+    '--global',
+    'http.extraheader',
+    'AUTHORIZATION: bearer ' + getGitHubApiToken()
+  ];
+}
+
 const _GitHubClientCache: Record<string, Octokit> = {};
 
 /**
@@ -123,21 +111,6 @@
   return _GitHubClientCache[githubApiToken];
 }
 
-/**
- * Gets the currently authenticated GitHub user from the client
- *
- * @param github GitHub client
- * @returns GitHub username
- */
-export async function getAuthUsername(github: Octokit): Promise<string> {
-  const userData = await github.users.getAuthenticated({});
-  const username = (userData.data || {}).login;
-  if (!username) {
-    throw new Error('Cannot reliably detect GitHub username, aborting');
-  }
-  return username;
-}
-
 /**
  * Loads a file from the context's repository
  *