che icon indicating copy to clipboard operation
che copied to clipboard
verified publisher icon eclipse-che

Clone a private repository into a workspace using the remote URL from a devfile, which is imported via an API request using the raw devfile URL with a PAT

Open dmytro-ndp opened this issue 3 months ago • 3 comments

Is your enhancement related to a problem? Please describe

Given: A devfile in a private repository that contains a project's remote URL pointing to the same private repository, for example:

schemaVersion: 2.3.0
metadata:
  name: test-raw-devfile-api-request-pat
projects:
  - name: devfile-api-pat
    git:
      remotes:
        origin: 'https://{gitlab-server-host}/test-user/private-sample-repo.git'

Use case: Go to User Dashboard > Import from Git and create a workspace using an API request to a raw devfile with a personal access token (PAT): https://{gitlab-server-host}/api/v4/projects/9/repository/files/devfile.yaml/raw?ref=main&private_token={PAT}

Actual result:

  1. The Che server reads the devfile and extracts the Git remote address from the projects property.
  2. The workspace starts, but the private repo FAILS TO CLONE private repo inside the workspace.

Describe the solution you'd like

  1. The Che server reads the devfile and extracts the Git remote address from the projects property.
  2. The Che server recognizes the same Git server host in the raw devfile URL and in the Git remote address in the projects property.
  3. The Che server extracts the PAT from the raw devfile URL and uses it to clone the private repo into workspace.
  4. The workspace creates and starts, and the private repo has been successfully cloned inside the workspace.

Describe alternatives you've considered

No response

Additional context

Related PR: https://github.com/eclipse-che/che-server/pull/803

dmytro-ndp avatar Sep 16 '25 16:09 dmytro-ndp

@dmytro-ndp In the description you mentioned a Gitlab API request to retrieve the file content and my concern is that this case is Gitlab specific. Most of the providers use authorization header for API requests, so the token query parameter is not expected, or may have a different query parameter name. Also the RAW devfile url flow is designed to work with urls received by clicking the RAW on a repository page. Such url usually does not have the token query parameter or if it does, like in GitHub case, the token works only for the file request. So I am not sure if this issue worth the effort to cover only a very specific case and only for Gitlab. @svor @ibuziuk WDYT?

vinokurig avatar Oct 10 '25 08:10 vinokurig

@vinokurig In this case, what’s the recommended way to start a workspace from a private repo and clone the project — use the project repo URL with the devfile instead of a raw devfile url?

svor avatar Oct 10 '25 12:10 svor

@svor yes, unless there is no specific reason to use RAW devfile url

vinokurig avatar Oct 10 '25 13:10 vinokurig