Description
Since #2286 and the v6.0.0 release, Git credential management was updated to persist credentials in a separate configuration file. This file is currently loaded using Git's includeIf mechanism to improve security by isolating sensitive credentials from the main .git/config.
While this works for both the main repository and submodules, it causes authentication failures in CI/CD workflows that utilize Git worktrees.
Current Behavior
checkout/src/git-auth-helper.ts, lines 373 to 375 in c2d88d3:
// Configure host includeIf
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
await this.git.config(hostIncludeKey, credentialsConfigPath)
checkout/src/git-auth-helper.ts, lines 395 to 397 in c2d88d3:
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
await this.git.config(containerIncludeKey, containerCredentialsPath)
The current configuration uses an includeIf directive that strictly matches the main Git directory:
[includeIf "gitdir:/home/runner/work/owner/repo/.git"]
path = /path/to/credentials/file
When a new worktree is created, the gitdir resolves to a subdirectory pattern (typically .git/worktrees/name). Because the current directive does not match this path, the credential helper config is not included, and Git operations inside the worktree fail to authenticate.
Proposed Solution
To support worktrees, we need to add a second includeIf directive that matches the worktrees subdirectory pattern.
Suggested Configuration:
# Existing match for the main repo
[includeIf "gitdir:/home/runner/work/owner/repo/.git"]
path = /path/to/credentials/file
# PROPOSED ADDITION: Match for worktrees
[includeIf "gitdir:/home/runner/work/owner/repo/.git/worktrees/*"]
path = /path/to/credentials/file
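The matching behaviour described above, reproduced in a throwaway repository as an added example (not part of the original issue or the action's code). The `probe` function, the `demo.included` key and the temporary paths are constructed stand-ins for the credentials file and its settings.

```shell
#!/bin/sh
# Added demo: constructed throwaway repo; "demo.included" stands in for the
# credential settings the action keeps in its separate config file.
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

# probe MODE -> prints "main=<yes|no> worktree=<yes|no>"
#   MODE=exact : only the includeIf that matches the main git dir
#   MODE=both  : exact match plus the proposed .git/worktrees/* match
probe() {
  mode=$1
  tmp=$(mktemp -d) || return 1
  git -c init.defaultBranch=main init -q "$tmp/repo" || return 1
  git -C "$tmp/repo" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m init || return 1
  git -C "$tmp/repo" worktree add -b wt "$tmp/wt" >/dev/null 2>&1 || return 1

  # Separate file, as the action does; the marker is a placeholder, not a secret.
  git config --file "$tmp/creds.config" demo.included true

  # The includeIf entries live in the shared .git/config, which the worktree
  # also reads; only the gitdir condition decides whether the file is pulled in.
  git_dir=$(git -C "$tmp/repo" rev-parse --absolute-git-dir)
  git -C "$tmp/repo" config "includeIf.gitdir:$git_dir.path" "$tmp/creds.config"
  if [ "$mode" = both ]; then
    git -C "$tmp/repo" config \
      "includeIf.gitdir:$git_dir/worktrees/*.path" "$tmp/creds.config"
  fi

  main=no; wt=no
  [ "$(git -C "$tmp/repo" config --get demo.included)" = true ] && main=yes
  [ "$(git -C "$tmp/wt" config --get demo.included)" = true ] && wt=yes
  rm -rf "$tmp"
  echo "main=$main worktree=$wt"
}

probe exact
probe both
```
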