4659d92695
Adds a hostname-free, vendor-neutral askpass script that reads HTTPS Basic-Auth credentials from env vars (GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD, with GITEA_USER / GITEA_TOKEN as fallback) and emits them on the git credential-prompt protocol.

Installed at /usr/local/bin/molecule-askpass so that any deployer who sets GIT_ASKPASS=/usr/local/bin/molecule-askpass on the container env can wire `git` HTTPS auth to those env vars — with no on-disk .gitconfig / .git-credentials mutation needed.

Script body contains no hardcoded hostnames and no vendor literals; the deployer scopes the credentials to a specific remote by virtue of choosing when to populate the env vars. This makes the helper safe to ship inside the open-source workspace template image alongside any platform's provisioner.

Filename `molecule-askpass` is the only project-specific marker; the script body is identical across all four molecule-ai workspace runtime images (claude-code/molecule-core, codex, hermes, openclaw).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
36 lines
1.5 KiB
Bash
Executable File
#!/bin/sh
# git-askpass helper. Reads HTTPS Basic-Auth credentials from env vars so
# the deployer can wire git authentication for any private remote without
# touching ~/.gitconfig or ~/.git-credentials inside the container.
#
# Wire-up: set GIT_ASKPASS=/usr/local/bin/molecule-askpass in the
# container env, then export GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or the
# GITEA_USER / GITEA_TOKEN fallback pair). When git encounters an HTTPS
# auth challenge on a host that has no credential.helper configured for
# it, git invokes GIT_ASKPASS twice — once with a "Username for ..."
# prompt and once with a "Password for ..." prompt. We pattern-match on
# that prompt and emit the matching env var.
#
# No hardcoded hostnames or vendor names — the deployer decides which
# host these credentials apply to by virtue of setting GIT_ASKPASS only
# when the target remote is in scope. The helper itself is reusable for
# any HTTPS git remote.
#
# Failure mode: if the env vars are unset, we emit an empty string and
# let git surface "Authentication failed" — this is intentional, so a
# misconfigured deployment fails loudly at first push instead of silently
# falling through to an unrelated credential chain.

case "$1" in
    Username*)
        printf '%s\n' "${GIT_HTTP_USERNAME:-${GITEA_USER:-}}"
        ;;
    Password*)
        printf '%s\n' "${GIT_HTTP_PASSWORD:-${GITEA_TOKEN:-}}"
        ;;
    *)
        # Unknown prompt — emit empty and let git decide.
        printf '\n'
        ;;
esac
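The script above answers every Username/Password prompt with the same env vars, whichever host git names in the prompt, and leaves scoping to the deployer. As an added example (not part of this commit or the project's code), a host-scoped variant that parses the URL out of git's prompt and replies only when the host equals GIT_HTTP_ALLOWED_HOST, a hypothetical variable assumed here; the hosts in the comments are constructed samples:

```sh
#!/bin/sh
# Added example: host-scoped variant of the askpass helper above.
# GIT_HTTP_ALLOWED_HOST is a hypothetical variable, not used by the original.

# Extract the host from a git prompt such as (constructed samples):
#   Username for 'https://git.example.com':
#   Password for 'https://alice@git.example.com:8443':
prompt_host() {
    q="'"
    url=${1#*"$q"}        # drop everything up to the opening quote
    url=${url%%"$q"*}     # drop the closing quote and what follows
    case "$url" in
        https://*) ;;     # only HTTPS URLs are considered
        *) return 1 ;;    # no quoted HTTPS URL in the prompt: fail closed
    esac
    host=${url#https://}
    host=${host%%/*}      # strip any path
    host=${host##*@}      # strip user@ if present
    host=${host%%:*}      # strip :port
    printf '%s' "$host"
}

# Reply with a credential only when the prompt names the allowed host;
# otherwise emit an empty line so git reports an authentication failure.
askpass_reply() {
    host=$(prompt_host "$1") || host=
    if [ -z "${GIT_HTTP_ALLOWED_HOST:-}" ] || [ "$host" != "$GIT_HTTP_ALLOWED_HOST" ]; then
        printf '\n'
        return 0
    fi
    case "$1" in
        Username*) printf '%s\n' "${GIT_HTTP_USERNAME:-${GITEA_USER:-}}" ;;
        Password*) printf '%s\n' "${GIT_HTTP_PASSWORD:-${GITEA_TOKEN:-}}" ;;
        *)         printf '\n' ;;
    esac
}

# When invoked by git as GIT_ASKPASS, the prompt arrives as the first argument.
if [ "$#" -gt 0 ]; then askpass_reply "$1"; fi
```

An unset GIT_HTTP_ALLOWED_HOST yields an empty reply for every prompt, so a deployment that forgets to set it fails at first fetch or push rather than offering the token to whichever host asks.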