From 324c2f5f37ce975fd0652f63225179fc6c055d3c Mon Sep 17 00:00:00 2001 From: logikonline Date: Wed, 28 Jan 2026 00:20:35 -0500 Subject: [PATCH] refactor(ci): use http.extraheader for git authentication Replace URL-embedded token authentication with http.extraheader configuration for git operations. This approach is more secure as tokens don't appear in URLs or logs. Change from: git clone https://token:SECRET@host/repo.git To: git -c "http.extraheader=Authorization: token SECRET" clone https://host/repo.git Also switch to direct.git.marketally.com for vault repository access. --- .gitea/workflows/build.yml | 20 ++++++++++---------- scripts/sync-vault.sh | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index 06be3a2f6e..5c21767dc6 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -32,7 +32,7 @@ jobs: env: VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | - git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" ../gitcaddy-vault + git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault - name: Setup Go uses: actions/setup-go@v5 @@ -73,7 +73,7 @@ jobs: env: VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | - git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" ../gitcaddy-vault + git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault - name: Setup Go uses: actions/setup-go@v5 
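Review bot: In the hunk at -32 the `http.extraheader` given to `git -c` is not scoped to a URL, so git attaches the Authorization header to requests for any URL that invocation contacts, not only direct.git.marketally.com. The global-config hunks at -273, -282 and -601 already use the per-URL key, and the clone can do the same: `git -c "http.https://direct.git.marketally.com/.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault`. The same unscoped form appears in the hunks at -73, -120 and -300 and in scripts/sync-vault.sh. The step's opening lines lie outside the hunk.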
@@ -120,7 +120,7 @@ jobs: env: VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | - git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" ../gitcaddy-vault + git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault - name: Setup Go uses: actions/setup-go@v5 @@ -273,8 +273,8 @@ jobs: env: RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | - git config --global url."https://token:${RELEASE_TOKEN}@git.marketally.com/".insteadOf "https://git.marketally.com/" - git config --global url."https://token:${RELEASE_TOKEN}@direct.git.marketally.com/".insteadOf "https://direct.git.marketally.com/" + git config --global http.https://git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}" + git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}" - name: Configure private repo access (Windows) if: matrix.goos == 'windows' @@ -282,8 +282,8 @@ jobs: env: RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | - git config --global url."https://token:$($env:RELEASE_TOKEN)@git.marketally.com/".insteadOf "https://git.marketally.com/" - git config --global url."https://token:$($env:RELEASE_TOKEN)@direct.git.marketally.com/".insteadOf "https://direct.git.marketally.com/" + git config --global http.https://git.marketally.com/.extraheader "Authorization: token $($env:RELEASE_TOKEN)" + git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token $($env:RELEASE_TOKEN)" - name: Sync vault templates and locales (Unix) if: matrix.goos != 'windows' 
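Review bot: The two `git config --global` lines in the hunk at -273 write the release token in plaintext into the runner user's global git config, and no step visible in this diff removes it afterwards. On a runner that is reused between jobs the token would outlive the job and be readable by later steps and workflows. A closing step with `if: always()` that runs `git config --global --unset-all http.https://git.marketally.com/.extraheader`, and the same for direct.git.marketally.com, would bound its lifetime. The hunks at -282 and -601 have the same gap. Whether the runners are ephemeral is not visible here, so this may already be covered.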
@@ -300,7 +300,7 @@ jobs: VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | # Clone vault repo - git clone --depth 1 "https://token:$($env:VAULT_TOKEN)@git.marketally.com/gitcaddy/gitcaddy-vault.git" "$env:TEMP\gitcaddy-vault" + git -c "http.extraheader=Authorization: token $($env:VAULT_TOKEN)" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$env:TEMP\gitcaddy-vault" # Sync templates Copy-Item -Path "$env:TEMP\gitcaddy-vault\templates\repo\vault\*" -Destination "templates\repo\vault\" -Force -Recurse @@ -601,8 +601,8 @@ jobs: env: RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | - git config --global url."https://token:${RELEASE_TOKEN}@git.marketally.com/".insteadOf "https://git.marketally.com/" - git config --global url."https://token:${RELEASE_TOKEN}@direct.git.marketally.com/".insteadOf "https://direct.git.marketally.com/" + git config --global http.https://git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}" + git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}" - name: Sync vault templates and locales env: diff --git a/scripts/sync-vault.sh b/scripts/sync-vault.sh index 88b2bb581a..72e89ac15c 100644 --- a/scripts/sync-vault.sh +++ b/scripts/sync-vault.sh @@ -16,7 +16,7 @@ if [ -z "$VAULT_PATH" ]; then CLEANUP_VAULT=true echo "Cloning gitcaddy-vault to $VAULT_PATH..." if [ -n "${VAULT_TOKEN:-}" ]; then - git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" "$VAULT_PATH" + git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$VAULT_PATH" else git clone --depth 1 https://git.marketally.com/gitcaddy/gitcaddy-vault.git "$VAULT_PATH" fi
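Review bot: In scripts/sync-vault.sh the token is still passed as a command-line argument of git, so it is readable from the process list for as long as the clone runs; the script can also be run outside CI, where other users may share the machine. Git 2.31 and later can take the setting from the environment instead: `GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0=http.https://direct.git.marketally.com/.extraheader GIT_CONFIG_VALUE_0="Authorization: token ${VAULT_TOKEN}" git clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$VAULT_PATH"`. The `else` branch two lines below still clones from git.marketally.com, so the authenticated and anonymous paths now fetch from different hosts; a comment saying why would help if that is intended. The start of the script and the end of the outer `if` are outside the hunk.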