how to handle git credentials for git ops #578
Comments
Hello @xvandish, with regards to the github code host specifically since that is what you're mirroring: I believe the expectation in If the token is read from an environment variable then I believe we could avoid abstracting the git calls as you described because we'd still instantiate our git client the same as we do now. So this could be an option to add in the future. As for git credentials store I don't believe we use it for
Hello, thanks for taking a look! To clarify the problem: the problem isn't The problem is the rest of the
zoekt/cmd/zoekt-indexserver/main.go Line 132 in b247fb5
And.. I think that's really it? For the moment I've gotten around this by just doing a global level I noticed the sourcegraph indexserver makes some git calls (like fetch) but does no apparent authentication -
Hello - I ran into this while deploying the indexserver on a machine yesterday.
While zoekt-mirror-* have credential handlers that look for tokens or usernames for calling the APIs that list either the repos in an org/user/etc, the rest of the git calls (fetch, clone, etc) have no authentication wrappers.
I'm wondering how anyone who runs zoekt-indexserver on a server to mirror private repos generally handles this - I know it'll depend on the codehost, but generally - do you all write the git credentials to a file? Use the git-credentials store? In my case, I'm specifically using GitHub as the host, and am using a PAT with read scopes.
Right now I think I'm leaning towards writing a github token as the password to the git-credentials store.
livegrep gets around this by using an environment variable for the github token, then passing that env variable through a pipe to git (through a custom askpass script) so it never touches the file system, but introducing something like that would probably mean abstracting all git calls into something like callGit(args []string, username, password string) and then that function handles credentials if username and password aren't empty. I think that'd be a pretty involved change, and I'm not sure how many here would use it, so really not leaning that direction atm.
Thoughts?
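A sketch of the callGit wrapper floated in the post above, as an added example that is not zoekt's or livegrep's code. It swaps the askpass script for an inline git credential helper that reads the secret from the child's environment; gitCommand, GITCRED_USER, GITCRED_PASS and the repository URL are hypothetical names chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"os"
	"os/exec"
	"strings"
)

// envHelper is run by git through the shell as "f get". It answers from the
// child's environment, so the token is never on disk and never in argv.
const envHelper = `!f() { if test "$1" = get; then printf 'username=%s\npassword=%s\n' "$GITCRED_USER" "$GITCRED_PASS"; fi; }; f`

// gitCommand builds (but does not run) a git invocation. Empty credentials give
// a plain command; line breaks are rejected because the helper protocol is line-based.
func gitCommand(ctx context.Context, args []string, username, password string) (*exec.Cmd, error) {
	if strings.ContainsAny(username+password, "\r\n\x00") {
		return nil, errors.New("credential contains a line break or NUL")
	}
	env := append(os.Environ(), "GIT_TERMINAL_PROMPT=0") // fail instead of prompting
	full := args
	if username != "" && password != "" {
		// The empty value first clears helpers set in system or user config.
		full = append([]string{"-c", "credential.helper=", "-c", "credential.helper=" + envHelper}, args...)
		env = append(env, "GITCRED_USER="+username, "GITCRED_PASS="+password)
	}
	cmd := exec.CommandContext(ctx, "git", full...)
	cmd.Env = env
	return cmd, nil
}

// callGit runs git with optional credentials and returns its combined output.
func callGit(ctx context.Context, args []string, username, password string) ([]byte, error) {
	cmd, err := gitCommand(ctx, args, username, password)
	if err != nil {
		return nil, err
	}
	return cmd.CombinedOutput()
}

func main() {
	// Constructed call: placeholder repo URL and username, token from the environment.
	out, err := callGit(context.Background(), []string{"ls-remote", "https://github.com/example-org/example-repo.git"}, "x-access-token", os.Getenv("GITHUB_TOKEN"))
	os.Stdout.Write(out)
	if err != nil {
		os.Exit(1)
	}
}
```

The token is still readable in the git child's environment by the same user and by root, so this narrows exposure compared with a credentials file rather than removing it.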