4f4604eabe
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 2s
CI / Template validation (static) (pull_request) Successful in 28s
CI / Template validation (static) (push) Successful in 1m10s
CI / Adapter unit tests (push) Successful in 1m17s
CI / T4 tier-4 conformance (live) (push) Failing after 4s
CI / Adapter unit tests (pull_request) Successful in 1m11s
CI / Template validation (runtime) (pull_request) Successful in 3m41s
CI / Template validation (runtime) (push) Successful in 3m33s
CI / T4 tier-4 conformance (live) (pull_request) Successful in 3m44s
CI / validate (push) Failing after 1s
CI / validate (pull_request) Successful in 1s
Image-side companion to molecule-core PR #1525 (merge_sha 73a09443a086, workspace-server applyAgentGitIdentity). PR #1525 sets GIT_ASKPASS=/usr/local/bin/molecule-askpass on every workspace container so git can authenticate to private HTTPS remotes from the persona env vars already arriving via workspace_secrets — but until this binary ships in the runtime image, git invocations error with 'exec: /usr/local/bin/molecule-askpass: not found' (forward-only pin gap).

This is the same class as Hermes list_peers / codex #219: ws-server changed contract, runtime image hadn't yet caught up. Closing the image-side gap unblocks Dev-A/Dev-B (claude-code runtime) durable HTTPS git auth on any private host.

Generic by design — no hardcoded hostnames, no vendor literals. Script body is identical to workspace/scripts/molecule-askpass in molecule-core and the parallel external workspace template repos, so any deployer can fork this template and use it against their own git host without editing.
36 lines
1.5 KiB
Bash
Executable File
#!/bin/sh
# git-askpass helper. Reads HTTPS Basic-Auth credentials from env vars so
# the deployer can wire git authentication for any private remote without
# touching ~/.gitconfig or ~/.git-credentials inside the container.
#
# Wire-up: set GIT_ASKPASS=/usr/local/bin/molecule-askpass in the
# container env, then export GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or the
# GITEA_USER / GITEA_TOKEN fallback pair). When git encounters an HTTPS
# auth challenge on a host that has no credential.helper configured for
# it, git invokes GIT_ASKPASS twice — once with a "Username for ..."
# prompt and once with a "Password for ..." prompt. We pattern-match on
# that prompt and emit the matching env var.
#
# No hardcoded hostnames or vendor names — the deployer decides which
# host these credentials apply to by virtue of setting GIT_ASKPASS only
# when the target remote is in scope. The helper itself is reusable for
# any HTTPS git remote.
#
# Failure mode: if the env vars are unset, we emit an empty string and
# let git surface "Authentication failed" — this is intentional, so a
# misconfigured deployment fails loudly at first push instead of silently
# falling through to an unrelated credential chain.

case "$1" in
Username*)
printf '%s\n' "${GIT_HTTP_USERNAME:-${GITEA_USER:-}}"
;;
Password*)
printf '%s\n' "${GIT_HTTP_PASSWORD:-${GITEA_TOKEN:-}}"
;;
*)
# Unknown prompt — emit empty and let git decide.
printf '\n'
;;
esac
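Review bot: the `Username*)` and `Password*)` arms match only the first word of the prompt in `$1` and ignore the URL that follows it, so the helper returns GIT_HTTP_PASSWORD (or GITEA_TOKEN) to whichever HTTPS host issues the auth challenge. The header comment relies on the deployer setting GIT_ASKPASS only when the target remote is in scope, but the commit message says it is set on every workspace container, which leaves the token unscoped for any other remote or submodule URL that asks for Basic auth. Suggest an optional allowed-host variable (name to be chosen, for example a hypothetical GIT_HTTP_HOST) that is compared against the prompt text, with the empty-string path taken on mismatch, so the documented fail-loud behaviour also covers an out-of-scope host. Separately, the two `${...:-${...:-}}` fallbacks resolve independently, so a container with GIT_HTTP_USERNAME and only GITEA_TOKEN set sends a mixed pair; worth a line in the header comment saying whether that is intended.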