Use git config --show-origin to reliably get submodule config paths

dist/index.js

@@ -270,17 +270,37 @@ class GitAuthHelper {
             // Remove possible previous HTTPS instead of SSH
             yield this.removeGitConfig(this.insteadOfKey, true);
             if (this.settings.persistCredentials) {
-                // Configure a placeholder value. This approach avoids the credential being captured
-                // by process creation audit events, which are commonly logged. For more information,
-                // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-                const output = yield this.git.submoduleForeach(
-                // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-                `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
-                // Replace the placeholder
+                // Use the same credentials config file created for the main repo
+                const credentialsConfigPath = yield this.getCredentialsConfigPath();
+                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
+                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                // Calculate container git directory base path
+                const workingDirectory = this.git.getWorkingDirectory();
+                let relativePath = path.relative(githubWorkspace, workingDirectory);
+                relativePath = relativePath.replace(/\\/g, '/');
+                const containerWorkspaceBase = path.posix.join('/github/workspace', relativePath);
+                // Get submodule config file paths.
+                // Use `--show-origin` to get the config file path for each submodule.
+                const output = yield this.git.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, this.settings.nestedSubmodules);
+                // Extract config file paths from the output (lines starting with "file:").
                 const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
+                // For each submodule, configure includeIf entries pointing to the shared credentials file.
+                // Configure both host and container paths to support Docker container actions.
                 for (const configPath of configPaths) {
-                    core.debug(`Replacing token placeholder in '${configPath}'`);
-                    yield this.replaceTokenPlaceholder(configPath);
+                    // Get the submodule path from its config file path.
+                    const submodulePath = path.dirname(path.dirname(configPath));
+                    // Configure host path includeIf.
+                    // Use forward slashes for git config, even on Windows.
+                    let submoduleGitDir = path.join(submodulePath, '.git');
+                    submoduleGitDir = submoduleGitDir.replace(/\\/g, '/');
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, false, configPath);
+                    // Configure container path includeIf.
+                    // Use forward slashes for git config, even on Windows.
+                    let submoduleRelativePath = path.relative(workingDirectory, submodulePath);
+                    submoduleRelativePath = submoduleRelativePath.replace(/\\/g, '/');
+                    const containerSubmoduleGitDir = path.posix.join(containerWorkspaceBase, submoduleRelativePath, '.git');
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, false, configPath);
                 }
                 if (this.settings.sshKey) {
                     // Configure core.sshCommand
@@ -380,31 +400,32 @@ class GitAuthHelper {
             yield this.replaceTokenPlaceholder(credentialsConfigPath);
             // Add include or includeIf to reference the credentials config
             if (globalConfig) {
-                // For global config, use unconditional include.
-                // No need to track for cleanup since the temp .gitconfig file (which contains
-                // this include.path entry) gets deleted by removeGlobalConfig().
+                // Global config file is temporary
                 yield this.git.config('include.path', credentialsConfigPath, true);
             }
             else {
                 // For local config, use includeIf.gitdir to match the .git directory.
                 // Configure for both host and container paths to support Docker container actions.
-                const gitDir = path.join(this.git.getWorkingDirectory(), '.git');
+                let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
+                // Use forward slashes for git config, even on Windows
+                gitDir = gitDir.replace(/\\/g, '/');
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
                 this.credentialsIncludeKeys.push(hostIncludeKey);
                 // Configure for container scenario where paths are mapped to fixed locations
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
-                if (githubWorkspace) {
-                    // Calculate the relative path of the working directory from GITHUB_WORKSPACE
-                    const workingDirectory = this.git.getWorkingDirectory();
-                    const relativePath = path.relative(githubWorkspace, workingDirectory);
-                    // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
-                    const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
-                    const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
-                    const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
-                    yield this.git.config(containerIncludeKey, containerCredentialsPath);
-                    this.credentialsIncludeKeys.push(containerIncludeKey);
-                }
+                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                // Calculate the relative path of the working directory from GITHUB_WORKSPACE
+                const workingDirectory = this.git.getWorkingDirectory();
+                let relativePath = path.relative(githubWorkspace, workingDirectory);
+                // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
+                // Use forward slashes for git config
+                relativePath = relativePath.replace(/\\/g, '/');
+                const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
+                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
+                yield this.git.config(containerIncludeKey, containerCredentialsPath);
+                this.credentialsIncludeKeys.push(containerIncludeKey);
             }
         });
     }
@@ -460,6 +481,8 @@ class GitAuthHelper {
                 yield this.removeGitConfig(includeKey);
             }
             this.credentialsIncludeKeys = [];
+            // Remove includeIf entries from submodules
+            yield this.git.submoduleForeach(`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`, true);
             // Remove credentials config file
             if (this.credentialsConfigPath) {
                 try {

src/git-auth-helper.ts

@@ -171,21 +171,72 @@ class GitAuthHelper {
     await this.removeGitConfig(this.insteadOfKey, true)
 
     if (this.settings.persistCredentials) {
-      // Configure a placeholder value. This approach avoids the credential being captured
-      // by process creation audit events, which are commonly logged. For more information,
-      // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+      // Use the same credentials config file created for the main repo
+      const credentialsConfigPath = await this.getCredentialsConfigPath()
+      const githubWorkspace = process.env['GITHUB_WORKSPACE']
+      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+
+      const containerCredentialsPath = path.posix.join(
+        '/github/runner_temp',
+        path.basename(credentialsConfigPath)
+      )
+
+      // Calculate container git directory base path
+      const workingDirectory = this.git.getWorkingDirectory()
+      let relativePath = path.relative(githubWorkspace, workingDirectory)
+      relativePath = relativePath.replace(/\\/g, '/')
+      const containerWorkspaceBase = path.posix.join(
+        '/github/workspace',
+        relativePath
+      )
+
+      // Get submodule config file paths.
+      // Use `--show-origin` to get the config file path for each submodule.
       const output = await this.git.submoduleForeach(
-        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
+        `git config --local --show-origin --name-only --get-regexp remote.origin.url`,
         this.settings.nestedSubmodules
       )
 
-      // Replace the placeholder
-      const configPaths: string[] =
+      // Extract config file paths from the output (lines starting with "file:").
+      const configPaths =
         output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
+
+      // For each submodule, configure includeIf entries pointing to the shared credentials file.
+      // Configure both host and container paths to support Docker container actions.
       for (const configPath of configPaths) {
-        core.debug(`Replacing token placeholder in '${configPath}'`)
-        await this.replaceTokenPlaceholder(configPath)
+        // Get the submodule path from its config file path.
+        const submodulePath = path.dirname(path.dirname(configPath))
+        // Configure host path includeIf.
+        // Use forward slashes for git config, even on Windows.
+        let submoduleGitDir = path.join(submodulePath, '.git')
+        submoduleGitDir = submoduleGitDir.replace(/\\/g, '/')
+        await this.git.config(
+          `includeIf.gitdir:${submoduleGitDir}.path`,
+          credentialsConfigPath,
+          false,
+          false,
+          configPath
+        )
+
+        // Configure container path includeIf.
+        // Use forward slashes for git config, even on Windows.
+        let submoduleRelativePath = path.relative(
+          workingDirectory,
+          submodulePath
+        )
+        submoduleRelativePath = submoduleRelativePath.replace(/\\/g, '/')
+        const containerSubmoduleGitDir = path.posix.join(
+          containerWorkspaceBase,
+          submoduleRelativePath,
+          '.git'
+        )
+        await this.git.config(
+          `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
+          containerCredentialsPath,
+          false,
+          false,
+          configPath
+        )
       }
 
       if (this.settings.sshKey) {
@@ -311,40 +362,42 @@ class GitAuthHelper {
 
     // Add include or includeIf to reference the credentials config
     if (globalConfig) {
-      // For global config, use unconditional include.
-      // No need to track for cleanup since the temp .gitconfig file (which contains
-      // this include.path entry) gets deleted by removeGlobalConfig().
+      // Global config file is temporary
       await this.git.config('include.path', credentialsConfigPath, true)
     } else {
       // For local config, use includeIf.gitdir to match the .git directory.
       // Configure for both host and container paths to support Docker container actions.
-      const gitDir = path.join(this.git.getWorkingDirectory(), '.git')
+      let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
+      // Use forward slashes for git config, even on Windows
+      gitDir = gitDir.replace(/\\/g, '/')
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
       this.credentialsIncludeKeys.push(hostIncludeKey)
 
       // Configure for container scenario where paths are mapped to fixed locations
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
-      if (githubWorkspace) {
-        // Calculate the relative path of the working directory from GITHUB_WORKSPACE
-        const workingDirectory = this.git.getWorkingDirectory()
-        const relativePath = path.relative(githubWorkspace, workingDirectory)
+      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+      
+      // Calculate the relative path of the working directory from GITHUB_WORKSPACE
+      const workingDirectory = this.git.getWorkingDirectory()
+      let relativePath = path.relative(githubWorkspace, workingDirectory)
 
-        // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
-        const containerGitDir = path.posix.join(
-          '/github/workspace',
-          relativePath,
-          '.git'
-        )
-        const containerCredentialsPath = path.posix.join(
-          '/github/runner_temp',
-          path.basename(credentialsConfigPath)
-        )
+      // Container paths: GITHUB_WORKSPACE -> /github/workspace, RUNNER_TEMP -> /github/runner_temp
+      // Use forward slashes for git config
+      relativePath = relativePath.replace(/\\/g, '/')
+      const containerGitDir = path.posix.join(
+        '/github/workspace',
+        relativePath,
+        '.git'
+      )
+      const containerCredentialsPath = path.posix.join(
+        '/github/runner_temp',
+        path.basename(credentialsConfigPath)
+      )
 
-        const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
-        await this.git.config(containerIncludeKey, containerCredentialsPath)
-        this.credentialsIncludeKeys.push(containerIncludeKey)
-      }
+      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
+      await this.git.config(containerIncludeKey, containerCredentialsPath)
+      this.credentialsIncludeKeys.push(containerIncludeKey)
     }
   }
 
@@ -403,6 +456,12 @@ class GitAuthHelper {
     }
     this.credentialsIncludeKeys = []
 
+    // Remove includeIf entries from submodules
+    await this.git.submoduleForeach(
+      `sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`,
+      true
+    )
+
     // Remove credentials config file
     if (this.credentialsConfigPath) {
       try {