follow proxy settings

.github/workflows/test.yml

@@ -83,7 +83,7 @@ jobs:
         shell: bash
         run: __test__/verify-lfs.sh
 
-  test-job-container:
+  test-rest-api:
     runs-on: ubuntu-latest
     container: alpine:latest
     steps:
@@ -99,3 +99,42 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
+
+  test-proxy:
+    runs-on: ubuntu-latest
+    container:
+      image: alpine/git:latest
+      options: --dns 127.0.0.1
+    services:
+      squid-proxy:
+        image: datadog/squid:latest
+        ports:
+          - 3128:3128
+    env:
+      https_proxy: http://squid-proxy:3128
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@users/ericsciple/m165proxy # todo: switch to v2
+
+      # Basic checkout using git
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh
+      - name: Remove basic
+        run: rm -rf basic
+
+      # Basic checkout using REST API
+      - name: Override git version
+        run: __test__/override-git-version.sh
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive

__test__/override-git-version.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+mkdir override-git-version
+cd override-git-version
+echo "#!/bin/sh" > git
+echo "echo override git version 1.2.3" >> git
+chmod +x git
+echo "::add-path::$(pwd)"
+cd ..

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -15,14 +15,30 @@
       "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
     },
     "@actions/github": {
-      "version": "2.0.0",
+      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.1.0.tgz",
-      "integrity": "sha512-sNpZ5dJyJyfJIO5lNYx8r/Gha4Tlm8R0MLO2cBkGdOnAAEn3t1M/MHVcoBhY/VPfjGVe5RNAUPz+6INrViiUPA==",
+      "integrity": "sha512-G4ncMlh4pLLAvNgHUYUtpWQ1zPf/VYqmRH9oshxLabdaOOnp7i1hgSgzr2xne2YUaSND3uqemd3YYTIsm2f/KQ==",
       "requires": {
+        "@actions/http-client": "^1.0.3",
         "@octokit/graphql": "^4.3.1",
         "@octokit/rest": "^16.15.0"
       }
     },
+    "@actions/http-client": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.3.tgz",
+      "integrity": "sha512-wFwh1U4adB/Zsk4cc9kVqaBOHoknhp/pJQk+aWTocbAZWpIl4Zx/At83WFRLXvxB+5HVTWOACM6qjULMZfQSfw==",
+      "requires": {
+        "tunnel": "0.0.6"
+      },
+      "dependencies": {
+        "tunnel": {
+          "version": "0.0.6",
+          "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+          "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+        }
+      }
+    },
     "@actions/io": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.0.1.tgz",
@@ -597,6 +613,14 @@
         "@types/yargs": "^13.0.0"
       }
     },
+    "@octokit/auth-token": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.4.0.tgz",
+      "integrity": "sha512-eoOVMjILna7FVQf96iWc3+ZtE/ZT6y8ob8ZzcqKY1ibSQCnu4O/B7pJvzMx5cyZ/RjAff6DAdEb0O0Cjcxidkg==",
+      "requires": {
+        "@octokit/types": "^2.0.0"
+      }
+    },
     "@octokit/endpoint": {
       "version": "5.5.1",
       "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz",
@@ -643,10 +667,11 @@
       }
     },
     "@octokit/rest": {
-      "version": "16.35.0",
+      "version": "16.38.1",
-      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.35.0.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.38.1.tgz",
-      "integrity": "sha512-9ShFqYWo0CLoGYhA1FdtdykJuMzS/9H6vSbbQWDX4pWr4p9v+15MsH/wpd/3fIU+tSxylaNO48+PIHqOkBRx3w==",
+      "integrity": "sha512-zyNFx+/Bd1EXt7LQjfrc6H4wryBQ/oDuZeZhGMBSFr1eMPFDmpEweFQR3R25zjKwBQpDY7L5GQO6A3XSaOfV1w==",
       "requires": {
+        "@octokit/auth-token": "^2.4.0",
         "@octokit/request": "^5.2.0",
         "@octokit/request-error": "^1.0.2",
         "atob-lite": "^2.0.0",
@@ -662,9 +687,9 @@
       }
     },
     "@octokit/types": {
-      "version": "2.0.2",
+      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.1.1.tgz",
-      "integrity": "sha512-StASIL2lgT3TRjxv17z9pAqbnI7HGu9DrJlg3sEBFfCLaMEqp+O3IQPUF6EZtQ4xkAu2ml6kMBBCtGxjvmtmuQ==",
+      "integrity": "sha512-89LOYH+d/vsbDX785NOfLxTW88GjNd0lWRz1DVPVsZgg9Yett5O+3MOvwo7iHgvUwbFz0mf/yPIjBkUbs4kxoQ==",
       "requires": {
         "@types/node": ">= 8"
       }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -31,7 +31,8 @@
   "dependencies": {
     "@actions/core": "^1.1.3",
     "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.0.0",
+    "@actions/github": "^2.0.2",
+    "@actions/http-client": "^1.0.3",
     "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
     "uuid": "^3.3.3"

src/git-source-provider.ts

@@ -3,13 +3,17 @@ import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitCommandManager from './git-command-manager'
 import * as githubApiHelper from './github-api-helper'
+import * as httpClient from '@actions/http-client'
 import * as io from '@actions/io'
 import * as path from 'path'
 import * as refHelper from './ref-helper'
 import * as stateHelper from './state-helper'
+import * as url from 'url'
 import {IGitCommandManager} from './git-command-manager'
 
-const authConfigKey = `http.https://github.com/.extraheader`
+const serverUrl = 'https://github.com/'
+const authConfigKey = `http.${serverUrl}.extraheader`
+const proxyConfigKey = `http.${serverUrl}.proxy`
 
 export interface ISourceSettings {
   repositoryPath: string
@@ -91,11 +95,13 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
       )
     }
 
-    // Remove possible previous extraheader
+    // Remove possible previous proxy and extraheader
+    await removeGitConfig(git, proxyConfigKey)
     await removeGitConfig(git, authConfigKey)
 
     try {
-      // Config auth token
+      // Config proxy and extraheader
+      await configureProxy(git)
       await configureAuthToken(git, settings.authToken)
 
       // LFS install
@@ -128,6 +134,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
       await git.log1()
     } finally {
       if (!settings.persistCredentials) {
+        await removeGitConfig(git, proxyConfigKey)
         await removeGitConfig(git, authConfigKey)
       }
     }
@@ -136,16 +143,22 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
 
 export async function cleanup(repositoryPath: string): Promise<void> {
   // Repo exists?
-  if (!fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))) {
+  if (
+    !repositoryPath ||
+    !fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))
+  ) {
     return
   }
-  fsHelper.directoryExistsSync(repositoryPath, true)
 
-  // Remove the config key
+  // Remove proxy and extraheader
-  const git = await gitCommandManager.CreateCommandManager(
+  let git: IGitCommandManager
-    repositoryPath,
+  try {
-    false
+    git = await gitCommandManager.CreateCommandManager(repositoryPath, false)
-  )
+  } catch {
+    return
+  }
+
+  await removeGitConfig(git, proxyConfigKey)
   await removeGitConfig(git, authConfigKey)
 }
 
@@ -255,6 +268,34 @@ async function prepareExistingDirectory(
   }
 }
 
+async function configureProxy(git: IGitCommandManager): Promise<void> {
+  const proxyUrl = httpClient.getProxyUrl(serverUrl)
+  const parsedUrl = url.parse(proxyUrl)
+  const placeholder = parsedUrl.auth
+    ? proxyUrl.replace(parsedUrl.auth, '***')
+    : ''
+
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  await git.config(proxyConfigKey, placeholder || proxyUrl)
+
+  if (placeholder) {
+    // Replace the value in the config file
+    const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+    let content = (await fs.promises.readFile(configPath)).toString()
+    const placeholderIndex = content.indexOf(placeholder)
+    if (
+      placeholderIndex < 0 ||
+      placeholderIndex != content.lastIndexOf(placeholder)
+    ) {
+      throw new Error('Unable to replace auth placeholder in .git/config')
+    }
+    content = content.replace(placeholder, proxyUrl)
+    await fs.promises.writeFile(configPath, content)
+  }
+}
+
 async function configureAuthToken(
   git: IGitCommandManager,
   authToken: string