git-credential-manager
Better documentation on git credential-manager store
We are in a CI environment and can't use UI. We obtain a token for auth to push to Azure Repos, but not sure what's the right way to add the token to Git.
I'm failing to find good documentation on git credential-manager store. It just says you don't need to use it, but it probably implies I'm a regular user in a UI scenario, not a service account on a CI machine.
This is all I see:
I think the canonical way to store a credential is via git credential approve, not via the credential helper. Does that help?
If you need to use git credential-manager store, here is the implementation of that command, and it looks as if it accepted the username and password input the same way as git credential approve, i.e. <key>=<value> pairs provided via stdin.
Thanks, I'll look into approve (it wasn't very intuitive :))
The issue remains though - the docs for store are lacking. Whatever it's doing needs to be documented.
Thanks, I'll look into approve (it wasn't very intuitive :))
Heh. Git's credential machinery was not designed to be used like that. For pre-authentication, I think the idea was to use a non-interactive credential helper like git credential-netrc.
Granted, the only really useful credential helper that is shipped with Git for Windows (which you seem to need to be using) is GCM.
The issue remains though - the docs for store are lacking. Whatever it's doing needs to be documented.
This lack of documentation is probably due to the fact that this store subcommand is part of the "protocol" Git speaks to the credential helpers, as documented here: https://git-scm.com/docs/gitcredentials#_custom_helpers. Therefore, it's not really up to GCM how this subcommand works, it has to abide by Git's rules, which are already documented in the Git project 😉
Understood, thanks for the explanation.
@KirillOsenkov if you're looking to use GCM and authentication from automation for Azure Repos you may also like to look at the service principal and managed identity support in GCM https://aka.ms/gcm/misp
Otherwise, @dscho is correct that using git credential approve is the best way to pre-load a credential to GCM. git-credential-manager [get|store|erase] are not meant to be called by anyone other than Git itself. The user-facing equivalents of get|store|erase are provided by Git's git credential [fill|approve|reject]... confusing, I know! 😅
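The pre-loading step discussed in the replies above, as an added example that is not part of the thread or GCM's own code: it builds the `<key>=<value>` record Git's credential protocol expects and hands it to `git credential approve`. The host, user name and token in the usage comment are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-load a CI token through Git's own credential front end.

# Emit one credential record: key=value lines terminated by a blank line.
# The protocol forbids newlines inside values; an embedded newline would
# inject extra attributes, so such input is rejected.
credential_record() {
    proto=$1 host=$2 user=$3 secret=$4
    nl='
'
    for v in "$proto" "$host" "$user" "$secret"; do
        case $v in
            *"$nl"*) echo "credential values must not contain newlines" >&2
                     return 1 ;;
        esac
    done
    printf 'protocol=%s\nhost=%s\nusername=%s\npassword=%s\n\n' \
        "$proto" "$host" "$user" "$secret"
}

# Pass the record to every configured helper (GCM, store, ...) via stdin,
# so the secret never appears on a command line or in a config file.
preload_credential() {
    record=$(credential_record "$@") || return 1
    # Command substitution strips the trailing blank line; add it back.
    printf '%s\n\n' "$record" | git credential approve
}

# Read the credential back the way Git would, with terminal prompts disabled
# so a missing credential fails instead of hanging the CI job.
lookup_password() {
    printf 'protocol=%s\nhost=%s\n\n' "$1" "$2" |
        GIT_TERMINAL_PROMPT=0 git credential fill | sed -n 's/^password=//p'
}

# Usage (constructed values):
#   preload_credential https dev.azure.com ci-user "$TOKEN"
#   lookup_password https dev.azure.com >/dev/null && echo "credential present"
```

If `credential.useHttpPath` is enabled for the host, Git also matches on a `path=` attribute, so the record then needs one as well.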
We are in a CI environment and can't use UI. We obtain a token for auth to push to Azure Repos, but not sure what's the right way to add the token to Git.
I had ostensibly exactly this problem and found my way here, although my problem may be specific to pipeline use of Unity. I need to authenticate with a git repo in a non-interactive (pipeline) context. I could not find a sensible use of git credential manager that worked long-term so came up with the below.
The problem
Unity allows projects to reference packages in other projects as a source code reference, with references being prefixed with git+https://, see their documentation:
https://docs.unity3d.com/6000.1/Documentation/Manual/upm-git.html#Git-HTTPS
During build time, Unity will set up a new git repo in a temporary area inside the Unity project's Library\PackageCache folder. This is effectively a new repo inside the agent's checkout of your project's repo. Unity will then run:
git remote add origin "https://dev.azure.com/account/project/_git/repo"
Then Unity determines the $sha1 from the #branch and runs:
git fetch -q --depth=1 origin $sha1
(Captured via ProcessMonitor)
The fetch operation then requires authentication, which is fine in an interactive context as it just triggers gcm, but it fails in a pipeline.
My solution
I took the Azure pipeline token ($System.AccessToken) that is provided to the Microsoft agent and added that as extraheader for the target domain that contains my repo. I changed ADO settings to give the token read permissions to my target repo.
```yaml
# Should run before Unity tries to access any package by "git+https://[ourTenant]@dev.azure.com/ourTenant/[ourRepo].." reference
- task: PowerShell@2
  displayName: "Set git http.extraheader so Unity can later checkout UnityPackages"
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  inputs:
    targetType: 'inline'
    script: |
      $token = $env:SYSTEM_ACCESSTOKEN
      if (-not $token) {
        Write-Error "Pipeline bearer token not available to script"
        exit 1
      }
      git config --global --replace-all http.https://dev.azure.com.extraheader "AUTHORIZATION: bearer $token"
```
Unfortunately this conflicts with some scripts that the Microsoft checkout task runs, so I also had to add this before any checkout steps on our persistent agent:
```yaml
- task: PowerShell@2
  displayName: "Cleanup http.extraheader"
  # condition is a task-level property, not a task input
  condition: always()
  inputs:
    targetType: 'inline'
    script: |
      git config --global --unset-all http.https://dev.azure.com.extraheader
      exit 0 # Because above command 'fails' if the header does not already exist
```
(You won't need to do this if your agents are stateless).
It seems fairly hacky. Hopefully this may be useful to someone else, and I'd welcome feedback.