From 9a3a9ade8222dcdf9d3c77710b10df47ee7c7c89 Mon Sep 17 00:00:00 2001
From: eric sciple <ericsciple@users.noreply.github.com>
Date: Thu, 12 Mar 2020 11:42:38 -0400
Subject: [PATCH] persist core.sshCommand for submodules (#184)

* persist core.sshCommand for submodules

* update verbiage; add comments

* fail when submodules or ssh-key and fallback to REST API
---
 README.md                        |  10 +-
 __test__/git-auth-helper.test.ts | 168 ++++++++++++++-----------------
 action.yml                       |   6 +-
 dist/index.js                    |  27 +++--
 src/git-auth-helper.ts           |  23 +++--
 src/git-source-provider.ts       |  10 ++
 6 files changed, 125 insertions(+), 119 deletions(-)

diff --git a/README.md b/README.md
index df3355c..68ae7f7 100644
--- a/README.md
+++ b/README.md
@@ -49,19 +49,19 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     # with the local git config, which enables your scripts to run authenticated git
     # commands. The post-job step removes the PAT.
     #
-    # We recommend creating a service account with the least permissions necessary.
-    # Also when generating a new PAT, select the least scopes necessary.
+    # We recommend using a service account with the least permissions necessary. Also
+    # when generating a new PAT, select the least scopes necessary.
     #
     # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     #
     # Default: ${{ github.token }}
     token: ''
 
-    # SSH key used to fetch the repository. SSH key is configured with the local git
-    # config, which enables your scripts to run authenticated git commands. The
+    # SSH key used to fetch the repository. The SSH key is configured with the local
+    # git config, which enables your scripts to run authenticated git commands. The
     # post-job step removes the SSH key.
     #
-    # We recommend creating a service account with the least permissions necessary.
+    # We recommend using a service account with the least permissions necessary.
     #
     # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     ssh-key: ''
diff --git a/__test__/git-auth-helper.test.ts b/__test__/git-auth-helper.test.ts
index dc03ab3..1d5c3d5 100644
--- a/__test__/git-auth-helper.test.ts
+++ b/__test__/git-auth-helper.test.ts
@@ -320,6 +320,8 @@ describe('git-auth-helper tests', () => {
     ).toString()
     expect(actualSshKeyContent).toBe(settings.sshKey + '\n')
     if (!isWindows) {
+      // Assert read/write for user, not group or others.
+      // Otherwise SSH client will error.
       expect((await fs.promises.stat(actualSshKeyPath)).mode & 0o777).toBe(
         0o600
       )
@@ -437,14 +439,74 @@ describe('git-auth-helper tests', () => {
     }
   )
 
-  const configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeyNotSet =
-    'configureSubmoduleAuth configures token when persist credentials true and SSH key not set'
+  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet =
+    'configureSubmoduleAuth configures submodules when persist credentials false and SSH key not set'
   it(
-    configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeyNotSet,
+    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet,
     async () => {
       // Arrange
       await setup(
-        configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeyNotSet
+        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet
+      )
+      settings.persistCredentials = false
+      settings.sshKey = ''
+      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+      await authHelper.configureAuth()
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
+      mockSubmoduleForeach.mockClear() // reset calls
+
+      // Act
+      await authHelper.configureSubmoduleAuth()
+
+      // Assert
+      expect(mockSubmoduleForeach).toBeCalledTimes(1)
+      expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch(
+        /unset-all.*insteadOf/
+      )
+    }
+  )
+
+  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet =
+    'configureSubmoduleAuth configures submodules when persist credentials false and SSH key set'
+  it(
+    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet,
+    async () => {
+      if (!sshPath) {
+        process.stdout.write(
+          `Skipped test "${configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet}". Executable 'ssh' not found in the PATH.\n`
+        )
+        return
+      }
+
+      // Arrange
+      await setup(
+        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet
+      )
+      settings.persistCredentials = false
+      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+      await authHelper.configureAuth()
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
+      mockSubmoduleForeach.mockClear() // reset calls
+
+      // Act
+      await authHelper.configureSubmoduleAuth()
+
+      // Assert
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(1)
+      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
+        /unset-all.*insteadOf/
+      )
+    }
+  )
+
+  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet =
+    'configureSubmoduleAuth configures submodules when persist credentials true and SSH key not set'
+  it(
+    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet,
+    async () => {
+      // Arrange
+      await setup(
+        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet
       )
       settings.sshKey = ''
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
@@ -465,21 +527,21 @@ describe('git-auth-helper tests', () => {
     }
   )
 
-  const configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet =
-    'configureSubmoduleAuth configures token when persist credentials true and SSH key set'
+  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet =
+    'configureSubmoduleAuth configures submodules when persist credentials true and SSH key set'
   it(
-    configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet,
+    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet,
     async () => {
       if (!sshPath) {
         process.stdout.write(
-          `Skipped test "${configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n`
+          `Skipped test "${configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n`
         )
         return
       }
 
       // Arrange
       await setup(
-        configureSubmoduleAuth_configuresTokenWhenPersistCredentialsTrueAndSshKeySet
+        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet
       )
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
@@ -490,96 +552,12 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
-    }
-  )
-
-  const configureSubmoduleAuth_doesNotConfigureTokenWhenPersistCredentialsFalse =
-    'configureSubmoduleAuth does not configure token when persist credentials false'
-  it(
-    configureSubmoduleAuth_doesNotConfigureTokenWhenPersistCredentialsFalse,
-    async () => {
-      // Arrange
-      await setup(
-        configureSubmoduleAuth_doesNotConfigureTokenWhenPersistCredentialsFalse
-      )
-      settings.persistCredentials = false
-      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
-      mockSubmoduleForeach.mockClear() // reset calls
-
-      // Act
-      await authHelper.configureSubmoduleAuth()
-
-      // Assert
-      expect(mockSubmoduleForeach).toBeCalledTimes(1)
-      expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch(
-        /unset-all.*insteadOf/
-      )
-    }
-  )
-
-  const configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet =
-    'configureSubmoduleAuth does not configure URL insteadOf when persist credentials true and SSH key set'
-  it(
-    configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet,
-    async () => {
-      if (!sshPath) {
-        process.stdout.write(
-          `Skipped test "${configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n`
-        )
-        return
-      }
-
-      // Arrange
-      await setup(
-        configureSubmoduleAuth_doesNotConfigureUrlInsteadOfWhenPersistCredentialsTrueAndSshKeySet
-      )
-      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
-      mockSubmoduleForeach.mockClear() // reset calls
-
-      // Act
-      await authHelper.configureSubmoduleAuth()
-
-      // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
-      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
-        /unset-all.*insteadOf/
-      )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
-    }
-  )
-
-  const configureSubmoduleAuth_removesUrlInsteadOfWhenPersistCredentialsFalse =
-    'configureSubmoduleAuth removes URL insteadOf when persist credentials false'
-  it(
-    configureSubmoduleAuth_removesUrlInsteadOfWhenPersistCredentialsFalse,
-    async () => {
-      // Arrange
-      await setup(
-        configureSubmoduleAuth_removesUrlInsteadOfWhenPersistCredentialsFalse
-      )
-      settings.persistCredentials = false
-      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
-      mockSubmoduleForeach.mockClear() // reset calls
-
-      // Act
-      await authHelper.configureSubmoduleAuth()
-
-      // Assert
-      expect(mockSubmoduleForeach).toBeCalledTimes(1)
-      expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch(
-        /unset-all.*insteadOf/
-      )
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
     }
   )
 
diff --git a/action.yml b/action.yml
index 7d5412d..58e11b7 100644
--- a/action.yml
+++ b/action.yml
@@ -16,7 +16,7 @@ inputs:
       commands. The post-job step removes the PAT.
 
 
-      We recommend creating a service account with the least permissions necessary.
+      We recommend using a service account with the least permissions necessary.
       Also when generating a new PAT, select the least scopes necessary.
 
 
@@ -24,12 +24,12 @@ inputs:
     default: ${{ github.token }}
   ssh-key:
     description: >
-      SSH key used to fetch the repository. SSH key is configured with the local
+      SSH key used to fetch the repository. The SSH key is configured with the local
       git config, which enables your scripts to run authenticated git commands.
       The post-job step removes the SSH key.
 
 
-      We recommend creating a service account with the least permissions necessary.
+      We recommend using a service account with the least permissions necessary.
 
 
       [Learn more about creating and using
diff --git a/dist/index.js b/dist/index.js
index 706f035..3992650 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -5122,6 +5122,7 @@ class GitAuthHelper {
         this.tokenConfigKey = `http.https://${HOSTNAME}/.extraheader`;
         this.insteadOfKey = `url.https://${HOSTNAME}/.insteadOf`;
         this.insteadOfValue = `git@${HOSTNAME}:`;
+        this.sshCommand = '';
         this.sshKeyPath = '';
         this.sshKnownHostsPath = '';
         this.temporaryHomePath = '';
@@ -5205,8 +5206,12 @@ class GitAuthHelper {
                     core.debug(`Replacing token placeholder in '${configPath}'`);
                     this.replaceTokenPlaceholder(configPath);
                 }
-                // Configure HTTPS instead of SSH
-                if (!this.settings.sshKey) {
+                if (this.settings.sshKey) {
+                    // Configure core.sshCommand
+                    yield this.git.submoduleForeach(`git config --local '${SSH_COMMAND_KEY}' '${this.sshCommand}'`, this.settings.nestedSubmodules);
+                }
+                else {
+                    // Configure HTTPS instead of SSH
                     yield this.git.submoduleForeach(`git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`, this.settings.nestedSubmodules);
                 }
             }
@@ -5268,16 +5273,16 @@ class GitAuthHelper {
             yield fs.promises.writeFile(this.sshKnownHostsPath, knownHosts);
             // Configure GIT_SSH_COMMAND
             const sshPath = yield io.which('ssh', true);
-            let sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(this.sshKeyPath)}"`;
+            this.sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(this.sshKeyPath)}"`;
             if (this.settings.sshStrict) {
-                sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no';
+                this.sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no';
             }
-            sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(this.sshKnownHostsPath)}"`;
-            core.info(`Temporarily overriding GIT_SSH_COMMAND=${sshCommand}`);
-            this.git.setEnvironmentVariable('GIT_SSH_COMMAND', sshCommand);
+            this.sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(this.sshKnownHostsPath)}"`;
+            core.info(`Temporarily overriding GIT_SSH_COMMAND=${this.sshCommand}`);
+            this.git.setEnvironmentVariable('GIT_SSH_COMMAND', this.sshCommand);
             // Configure core.sshCommand
             if (this.settings.persistCredentials) {
-                yield this.git.config(SSH_COMMAND_KEY, sshCommand);
+                yield this.git.config(SSH_COMMAND_KEY, this.sshCommand);
             }
         });
     }
@@ -5820,6 +5825,12 @@ function getSource(settings) {
             // Downloading using REST API
             core.info(`The repository will be downloaded using the GitHub REST API`);
             core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
+            if (settings.submodules) {
+                throw new Error(`Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`);
+            }
+            else if (settings.sshKey) {
+                throw new Error(`Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`);
+            }
             yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
             return;
         }
diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts
index 7418c7c..06e8912 100644
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -37,6 +37,7 @@ class GitAuthHelper {
   private readonly tokenPlaceholderConfigValue: string
   private readonly insteadOfKey: string = `url.https://${HOSTNAME}/.insteadOf`
   private readonly insteadOfValue: string = `git@${HOSTNAME}:`
+  private sshCommand = ''
   private sshKeyPath = ''
   private sshKnownHostsPath = ''
   private temporaryHomePath = ''
@@ -144,8 +145,14 @@ class GitAuthHelper {
         this.replaceTokenPlaceholder(configPath)
       }
 
-      // Configure HTTPS instead of SSH
-      if (!this.settings.sshKey) {
+      if (this.settings.sshKey) {
+        // Configure core.sshCommand
+        await this.git.submoduleForeach(
+          `git config --local '${SSH_COMMAND_KEY}' '${this.sshCommand}'`,
+          this.settings.nestedSubmodules
+        )
+      } else {
+        // Configure HTTPS instead of SSH
         await this.git.submoduleForeach(
           `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`,
           this.settings.nestedSubmodules
@@ -218,21 +225,21 @@ class GitAuthHelper {
 
     // Configure GIT_SSH_COMMAND
     const sshPath = await io.which('ssh', true)
-    let sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
+    this.sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
       this.sshKeyPath
     )}"`
     if (this.settings.sshStrict) {
-      sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no'
+      this.sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no'
     }
-    sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
+    this.sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
       this.sshKnownHostsPath
     )}"`
-    core.info(`Temporarily overriding GIT_SSH_COMMAND=${sshCommand}`)
-    this.git.setEnvironmentVariable('GIT_SSH_COMMAND', sshCommand)
+    core.info(`Temporarily overriding GIT_SSH_COMMAND=${this.sshCommand}`)
+    this.git.setEnvironmentVariable('GIT_SSH_COMMAND', this.sshCommand)
 
     // Configure core.sshCommand
     if (this.settings.persistCredentials) {
-      await this.git.config(SSH_COMMAND_KEY, sshCommand)
+      await this.git.config(SSH_COMMAND_KEY, this.sshCommand)
     }
   }
 
diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts
index 7ce9fb7..4bce702 100644
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -57,6 +57,16 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     core.info(
       `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
     )
+    if (settings.submodules) {
+      throw new Error(
+        `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+      )
+    } else if (settings.sshKey) {
+      throw new Error(
+        `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+      )
+    }
+
     await githubApiHelper.downloadRepository(
       settings.authToken,
       settings.repositoryOwner,