
refactor(ci): use http.extraheader for git authentication

Replace URL-embedded token authentication with http.extraheader configuration for git operations. This approach is more secure as tokens don't appear in URLs or logs.

Change from:
  git clone https://token:SECRET@host/repo.git

To:
  git -c "http.extraheader=Authorization: token SECRET" clone https://host/repo.git

Also switch to direct.git.marketally.com for vault repository access.
2026-01-28 00:20:35 -05:00
parent b2fcbf82de
commit 324c2f5f37
2 changed files with 11 additions and 11 deletions


@@ -32,7 +32,7 @@ jobs:
env:
VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" ../gitcaddy-vault
git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault
- name: Setup Go
uses: actions/setup-go@v5
@@ -73,7 +73,7 @@ jobs:
env:
VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" ../gitcaddy-vault
git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault
- name: Setup Go
uses: actions/setup-go@v5
@@ -120,7 +120,7 @@ jobs:
env:
VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" ../gitcaddy-vault
git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git ../gitcaddy-vault
- name: Setup Go
uses: actions/setup-go@v5
@@ -273,8 +273,8 @@ jobs:
env:
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
git config --global url."https://token:${RELEASE_TOKEN}@git.marketally.com/".insteadOf "https://git.marketally.com/"
git config --global url."https://token:${RELEASE_TOKEN}@direct.git.marketally.com/".insteadOf "https://direct.git.marketally.com/"
git config --global http.https://git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
- name: Configure private repo access (Windows)
if: matrix.goos == 'windows'
@@ -282,8 +282,8 @@ jobs:
env:
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
git config --global url."https://token:$($env:RELEASE_TOKEN)@git.marketally.com/".insteadOf "https://git.marketally.com/"
git config --global url."https://token:$($env:RELEASE_TOKEN)@direct.git.marketally.com/".insteadOf "https://direct.git.marketally.com/"
git config --global http.https://git.marketally.com/.extraheader "Authorization: token $($env:RELEASE_TOKEN)"
git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token $($env:RELEASE_TOKEN)"
- name: Sync vault templates and locales (Unix)
if: matrix.goos != 'windows'
@@ -300,7 +300,7 @@ jobs:
VAULT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
# Clone vault repo
git clone --depth 1 "https://token:$($env:VAULT_TOKEN)@git.marketally.com/gitcaddy/gitcaddy-vault.git" "$env:TEMP\gitcaddy-vault"
git -c "http.extraheader=Authorization: token $($env:VAULT_TOKEN)" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$env:TEMP\gitcaddy-vault"
# Sync templates
Copy-Item -Path "$env:TEMP\gitcaddy-vault\templates\repo\vault\*" -Destination "templates\repo\vault\" -Force -Recurse
@@ -601,8 +601,8 @@ jobs:
env:
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: |
git config --global url."https://token:${RELEASE_TOKEN}@git.marketally.com/".insteadOf "https://git.marketally.com/"
git config --global url."https://token:${RELEASE_TOKEN}@direct.git.marketally.com/".insteadOf "https://direct.git.marketally.com/"
git config --global http.https://git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
git config --global http.https://direct.git.marketally.com/.extraheader "Authorization: token ${RELEASE_TOKEN}"
- name: Sync vault templates and locales
env:
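Review bot: The clone steps (hunks at 32, 73, 120 and 300, and the script's clone in the second file) set `http.extraheader` unscoped and on the command line, so the header is not tied to the vault host and the token sits in git's argv, readable by other processes on the runner while the clone runs. Scoping it the way the `git config` steps in this file already do would be `git -c "http.https://direct.git.marketally.com/.extraheader=Authorization: token ${VAULT_TOKEN}" clone ...`; passing the same key and value through `GIT_CONFIG_COUNT`, `GIT_CONFIG_KEY_0` and `GIT_CONFIG_VALUE_0` in the step's `env:` (Git 2.31 or later) would also keep it out of argv. Separately, the `git config --global ... .extraheader` steps (hunks at 273, 282 and 601) still leave the token in plaintext in the runner's global git config after the job; if these runners are reused between jobs, a final `if: always()` step that runs `git config --global --unset-all` on both keys would limit that exposure.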


@@ -16,7 +16,7 @@ if [ -z "$VAULT_PATH" ]; then
CLEANUP_VAULT=true
echo "Cloning gitcaddy-vault to $VAULT_PATH..."
if [ -n "${VAULT_TOKEN:-}" ]; then
git clone --depth 1 "https://token:${VAULT_TOKEN}@git.marketally.com/gitcaddy/gitcaddy-vault.git" "$VAULT_PATH"
git -c "http.extraheader=Authorization: token ${VAULT_TOKEN}" clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$VAULT_PATH"
else
git clone --depth 1 https://git.marketally.com/gitcaddy/gitcaddy-vault.git "$VAULT_PATH"
fi
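Review bot: The token branch now clones from `direct.git.marketally.com` while the `else` branch two lines below still uses `git.marketally.com`, so the script fetches the vault from a different host depending on whether `VAULT_TOKEN` is set. If the move to the direct host is meant for all vault access, as the commit message suggests, the fallback should read `git clone --depth 1 https://direct.git.marketally.com/gitcaddy/gitcaddy-vault.git "$VAULT_PATH"`; if the difference is deliberate, a one-line comment saying why would help the next reader. The enclosing `if [ -z "$VAULT_PATH" ]` block starts and ends outside the hunk.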