git-checkout lacks any authentication parameters
The git-checkout pipeline does not appear to have any parameters or obvious ways to authenticate against a private repository.
Typically the easiest way to get authentication into a clone or checkout is by manipulating the git URI, i.e.:
```
git clone https://$username:[email protected]/privaterepo
```
Doing this in a secure system needs some kind of way to inject a secret. Currently I am able to inject an environment variable containing such a secret, however when running:
```yaml
- uses: git-checkout
  with:
    repository: https://myuser:${GIT_SECRET}@gitlab.com/privaterepo
    branch: somebranch
    destination: privaterepo
```
$GIT_SECRET does not appear to be evaluated and authentication fails as if it weren't there.
As a workaround currently, I can use:
```yaml
- runs: |
    git clone https://myuser:${GIT_SECRET}@gitlab.com/privaterepo -b somebranch
```
Thanks!
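A variant of the `runs:` workaround above, as an added example that is not part of the original issue or of melange itself: it hands the token to git through an inline credential helper instead of the URL, so the secret does not end up in the clone's `.git/config` or on the command line. It assumes `GIT_SECRET` is present in the step's environment as described above; `GIT_USER` and the function names are hypothetical.

```shell
#!/bin/sh
# Inline credential helper. git runs it as a shell snippet and appends the
# operation ("get", "store" or "erase") as its first argument. The single
# quotes keep ${GIT_SECRET} unexpanded here: the value is read from the
# environment only when git invokes the helper. GIT_USER is a hypothetical
# variable holding the account name.
ENV_HELPER='!f() { test "$1" = get || exit 0; echo "username=${GIT_USER}"; echo "password=${GIT_SECRET}"; }; f'

# clone_with_env_secret URL BRANCH DEST
# The empty credential.helper= first resets helpers inherited from system or
# user config. Settings passed with "git -c" apply to this command only and
# are not written to the new repository's config.
clone_with_env_secret() {
    git -c credential.helper= -c credential.helper="$ENV_HELPER" \
        clone --branch "$2" "$1" "$3"
}

# url_has_userinfo URL: succeeds when the authority part embeds user[:pass]@.
# Useful as a check on the remote URL of a clone made the URL-credential way.
url_has_userinfo() {
    rest=${1#*://}
    [ "$rest" != "$1" ] || return 1      # no scheme, nothing to check
    authority=${rest%%/*}
    case "$authority" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# strip_userinfo URL: prints the URL without the user[:pass]@ part.
strip_userinfo() {
    scheme=${1%%://*}
    rest=${1#*://}
    authority=${rest%%/*}
    path=${rest#"$authority"}
    printf '%s://%s%s\n' "$scheme" "${authority##*@}" "$path"
}

# Usage inside a step (URL taken from the issue, credentials removed):
#   GIT_USER=myuser clone_with_env_secret https://gitlab.com/privaterepo somebranch privaterepo
```

For a clone that was already made with credentials in the URL, `git remote set-url origin "$(strip_userinfo "$(git remote get-url origin)")"` removes them from the stored remote.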
I wonder if it is better to allow injecting a ".gitcookies" file and configuring http to use cookies - which is slightly better than static passwords / netrc, as it is a pre-authenticated cookie (which can be easily rotated/expired/logged out etc).
I.e. https://groups.google.com/a/chromium.org/g/chromium-os-discuss/c/MX1C8kHaNXo
On a similar note, I'm looking at using melange in a situation where some of our packages come from private repos that need ssh auth. I figured out how I can inject an SSH_AUTH_SOCK into the build environment, but it's complicated and fragile and seems like something that would be better with some tooling support.