From 679fa4f5aa73febca10e89a6c5f5f55e9519348b Mon Sep 17 00:00:00 2001
From: Drew Minnear
Date: Mon, 11 Aug 2025 14:09:57 -0400
Subject: [PATCH] Only rewrite repo URL for public repos cloned over SSH

Fixes the following issues in the current implementation:
* HTTP git remotes are rewritten to invalid URL https://http://<...>
* Private repos with SSH git remotes are converted to HTTPS URLs for the validate-origin check. This requires username/PAT auth on GitHub instead of just checking the remote via SSH
---
 Makefile | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/Makefile b/Makefile
index 2db61185..1d6af9e9 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ endif
 # Set this to true if you want to skip any origin validation
 DISABLE_VALIDATE_ORIGIN ?= false
 ifeq ($(DISABLE_VALIDATE_ORIGIN),true)
- VALIDATE_ORIGIN :=
+ VALIDATE_ORIGIN :=
 else
 VALIDATE_ORIGIN := validate-origin
 endif
@@ -31,9 +31,8 @@ TARGET_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 #default to the branch remote
 TARGET_ORIGIN ?= $(shell git config branch.$(TARGET_BRANCH).remote)
-# This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL
-# This is because we expect to use tokens for repo authentication as opposed to SSH keys
-TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%')
+# The URL for the configured origin (could be HTTP/HTTPS/SSH)
+TARGET_REPO_RAW := $(shell git ls-remote --get-url --symref $(TARGET_ORIGIN))
 UUID_FILE ?= ~/.config/validated-patterns/pattern-uuid
 UUID_HELM_OPTS ?=
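Review bot: `TARGET_REPO_RAW :=` runs `git ls-remote` at parse time, and when `TARGET_ORIGIN` is empty (a branch with no tracking remote) or names an unknown remote the command fails and the variable becomes empty without make stopping, so an empty `main.git.repoURL` flows into helm and the origin check. A guard such as `ifeq ($(strip $(TARGET_REPO_RAW)),)` / `$(warning could not resolve the URL of remote '$(TARGET_ORIGIN)'; main.git.repoURL will be empty)` / `endif` right after this line makes that visible. As far as I can tell `--get-url` exits without contacting the remote, so `--symref` has no effect here and could be dropped (the removed sed's `URL:` stripping was vestigial for the same reason). The new comment could also say how the value is consumed: `# The URL for the configured origin (HTTP/HTTPS/SSH); used verbatim for private repos, rewritten to HTTPS below for public ones`.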
@@ -50,13 +49,22 @@ TOKEN_SECRET ?=
 TOKEN_NAMESPACE ?=
 ifeq ($(TOKEN_SECRET),)
- HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
+ # SSH agents are not created for public repos (repos with no secret token) by the patterns operator so we convert to HTTPS
+ TARGET_REPO := $(shell echo "$(TARGET_REPO_RAW)" | sed 's/^git@\(.*\):\(.*\)/https:\/\/\1\/\2/')
+ SECRET_OPTS :=
 else
- # When we are working with a private repository we do not escape the git URL as it might be using an ssh secret which does not use https://
- TARGET_CLEAN_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN))
- HELM_OPTS=-f values-global.yaml --set main.tokenSecret=$(TOKEN_SECRET) --set main.tokenSecretNamespace=$(TOKEN_NAMESPACE) --set main.git.repoURL="$(TARGET_CLEAN_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
+ TARGET_REPO := $(TARGET_REPO_RAW)
+ SECRET_OPTS := --set main.tokenSecret=$(TOKEN_SECRET) --set main.tokenSecretNamespace=$(TOKEN_NAMESPACE)
 endif
+HELM_OPTS := -f values-global.yaml \
+ --set main.git.repoURL="$(TARGET_REPO)" \
+ --set main.git.revision=$(TARGET_BRANCH) \
+ $(SECRET_OPTS) \
+ $(TARGET_SITE_OPT) \
+ $(UUID_HELM_OPTS) \
+ $(EXTRA_HELM_OPTS)
+
 # Helm does the right thing and fetches all the tags and detects the newest one
 PATTERN_INSTALL_CHART ?= oci://quay.io/hybridcloudpatterns/pattern-install
@@ -138,8 +146,6 @@ token-kubeconfig: ## Create a local ~/.kube/config with password (not usually ne
 ##@ Validation Tasks
-# We only check the remote ssh git branch's existance if we're not running inside a container
-# as getting ssh auth working inside a container seems a bit brittle
 # If the main repoUpstreamURL field is set, then we need to check against
 # that and not target_repo
 .PHONY: validate-origin
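Review bot: The rewrite on the public-repo `TARGET_REPO :=` line only matches scp-style `git@host:path` remotes, so a public repo cloned as `ssh://git@github.com/org/repo.git` (or with an explicit port) keeps its SSH URL and lands in exactly the no-SSH-agent case the new comment describes. I would also anchor the host on the first colon rather than the greedy `\(.*\):`, e.g. `TARGET_REPO := $(shell echo "$(TARGET_REPO_RAW)" | sed -e 's%^git@\([^:/]*\):%https://\1/%' -e 's%^ssh://\([^@/]*@\)\{0,1\}\([^/:]*\)\(:[0-9]*\)\{0,1\}/%https://\2/%')`, which uses the same `%` delimiters the removed line used and avoids the escaped-slash noise. Separately, `HELM_OPTS` moving from `=` to `:=` freezes `$(TARGET_SITE_OPT)`, `$(UUID_HELM_OPTS)` and `$(EXTRA_HELM_OPTS)` at this point of the parse; that is fine if all three are assigned above this hunk, but any later or target-specific assignment (not visible here) would now be silently ignored where the recursive form picked it up.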