git-clone: Set up SSH authentication

Assisted-by: Claude Opus 4.6
Signed-off-by: Tomáš Nevrlka <tnevrlka@redhat.com>

Author: tnevrlka

pkg/commands/git_clone/git_clone.go

@@ -68,9 +68,12 @@ func (c *GitClone) Run() error {
 		return fmt.Errorf("failed to create internal directory: %w", err)
 	}
 	c.internalDir = internalDir
+
+	// Save and restore all environment variables that may be modified during Run().
+	restoreEnv := saveAndRestoreEnv("GIT_CONFIG_GLOBAL", "GIT_SSH_COMMAND", "GIT_SSL_NO_VERIFY", "GIT_SSL_CAINFO")
 	defer func() {
 		_ = os.RemoveAll(c.internalDir)
-		_ = os.Unsetenv("GIT_CONFIG_GLOBAL")
+		restoreEnv()
 	}()
 
 	if err := c.setupGitConfig(); err != nil {
@@ -82,6 +85,10 @@ func (c *GitClone) Run() error {
 		return err
 	}
 
+	if err := c.setupSSH(); err != nil {
+		return err
+	}
+
 	// Clean checkout directory if requested
 	if c.Params.DeleteExisting {
 		if err := c.cleanCheckoutDir(); err != nil {
@@ -228,3 +235,30 @@ func (c *GitClone) validateParams() error {
 func (c *GitClone) getCheckoutDir() string {
 	return filepath.Join(c.Params.OutputDir, c.Params.Subdirectory)
 }
+
+// saveAndRestoreEnv saves the current values of the given environment variables
+// and returns a function that restores them to their original state.
+func saveAndRestoreEnv(keys ...string) func() {
+	type envEntry struct {
+		val     string
+		existed bool
+	}
+	saved := make(map[string]envEntry, len(keys))
+	for _, key := range keys {
+		val, existed := os.LookupEnv(key)
+		saved[key] = envEntry{val, existed}
+	}
+	return func() {
+		for key, e := range saved {
+			if e.existed {
+				if err := os.Setenv(key, e.val); err != nil {
+					l.Logger.Debugf("failed to restore env var %s: %v", key, err)
+				}
+			} else {
+				if err := os.Unsetenv(key); err != nil {
+					l.Logger.Debugf("failed to unset env var %s: %v", key, err)
+				}
+			}
+		}
+	}
+}

pkg/commands/git_clone/setup.go

@@ -179,6 +179,76 @@ func rewriteGitConfigCredentialHelper(configContent, credentialsPath string) str
 	return strings.Join(lines, "\n")
 }
 
+// setupSSH sets up SSH keys from an ssh-directory workspace.
+// SSH files are copied to c.internalDir/.ssh/ and GIT_SSH_COMMAND is set
+// with explicit flags so that git uses the custom SSH config without modifying $HOME.
+func (c *GitClone) setupSSH() error {
+	if c.Params.SSHDirectory == "" {
+		return nil
+	}
+
+	sshDir := c.Params.SSHDirectory
+
+	if _, err := os.Stat(sshDir); os.IsNotExist(err) {
+		l.Logger.Infof("SSH directory not found: %s", sshDir)
+		return nil
+	}
+
+	l.Logger.Infof("Setting up SSH keys from %s", sshDir)
+
+	destSSHDir := filepath.Join(c.internalDir, ".ssh")
+
+	if err := os.MkdirAll(destSSHDir, 0700); err != nil {
+		return fmt.Errorf("failed to create .ssh directory: %w", err)
+	}
+
+	entries, err := os.ReadDir(sshDir)
+	if err != nil {
+		return fmt.Errorf("failed to read SSH directory: %w", err)
+	}
+
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue // Skip subdirectories
+		}
+
+		srcPath := filepath.Join(sshDir, entry.Name())
+		destPath := filepath.Join(destSSHDir, entry.Name())
+
+		if err := copyFile(srcPath, destPath, 0400); err != nil {
+			return fmt.Errorf("failed to copy SSH file %s: %w", entry.Name(), err)
+		}
+	}
+
+	sshCmd := "ssh"
+
+	configPath := filepath.Join(destSSHDir, "config")
+	if fileExists(configPath) {
+		sshCmd += fmt.Sprintf(` -F "%s"`, configPath)
+	} else {
+		sshCmd += " -F /dev/null"
+	}
+
+	for _, entry := range entries {
+		name := entry.Name()
+		if strings.HasPrefix(name, "id_") && !strings.HasSuffix(name, ".pub") && !entry.IsDir() {
+			sshCmd += fmt.Sprintf(` -i "%s"`, filepath.Join(destSSHDir, name))
+		}
+	}
+
+	knownHostsPath := filepath.Join(destSSHDir, "known_hosts")
+	if fileExists(knownHostsPath) {
+		sshCmd += fmt.Sprintf(` -o UserKnownHostsFile="%s"`, knownHostsPath)
+	}
+
+	if err := os.Setenv("GIT_SSH_COMMAND", sshCmd); err != nil {
+		return err
+	}
+
+	l.Logger.Infof("SSH keys configured (GIT_SSH_COMMAND=%s)", sshCmd)
+	return nil
+}
+
 // fileExists checks if a file exists and is not a directory.
 func fileExists(path string) bool {
 	info, err := os.Stat(path)