diff --git a/__test__/git-auth-helper.test.ts b/__test__/git-auth-helper.test.ts index 2c963b9..0e5f14a 100644 --- a/__test__/git-auth-helper.test.ts +++ b/__test__/git-auth-helper.test.ts @@ -923,6 +923,25 @@ describe('git-auth-helper tests', () => { } }) + const configureGlobalAuth_overridesGitConfigGlobal = + 'configureGlobalAuth overrides GIT_CONFIG_GLOBAL' + it(configureGlobalAuth_overridesGitConfigGlobal, async () => { + // Arrange + await setup(configureGlobalAuth_overridesGitConfigGlobal) + const authHelper = gitAuthHelper.createAuthHelper(git, settings) + + // Act + await authHelper.configureAuth() + await authHelper.configureGlobalAuth() + + // Assert GIT_CONFIG_GLOBAL is pinned to the temporary global config, so an + // inherited GIT_CONFIG_GLOBAL cannot redirect --global writes + expect(git.env['HOME']).toBeTruthy() + expect(git.env['GIT_CONFIG_GLOBAL']).toBe( + path.join(git.env['HOME'], '.gitconfig') + ) + }) + const removeGlobalConfig_removesOverride = 'removeGlobalConfig removes override' it(removeGlobalConfig_removesOverride, async () => { @@ -933,6 +952,7 @@ describe('git-auth-helper tests', () => { await authHelper.configureGlobalAuth() const homeOverride = git.env['HOME'] // Sanity check expect(homeOverride).toBeTruthy() + expect(git.env['GIT_CONFIG_GLOBAL']).toBeTruthy() await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig')) // Act @@ -940,6 +960,7 @@ describe('git-auth-helper tests', () => { // Assert expect(git.env['HOME']).toBeUndefined() + expect(git.env['GIT_CONFIG_GLOBAL']).toBeUndefined() try { await fs.promises.stat(homeOverride) throw new Error(`Should have been deleted '${homeOverride}'`) diff --git a/dist/index.js b/dist/index.js index b381bd2..13faf11 100644 --- a/dist/index.js +++ b/dist/index.js @@ -35109,6 +35109,10 @@ class GitAuthHelper { // Override HOME info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`); this.git.setEnvironmentVariable('HOME', this.temporaryHomePath); + // GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global + // config file. Pin it to the temporary config so an inherited + // GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere. + this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath); return newGitConfigPath; } async configureGlobalAuth() { @@ -35183,8 +35187,9 @@ class GitAuthHelper { } async removeGlobalConfig() { if (this.temporaryHomePath?.length > 0) { - core_debug(`Unsetting HOME override`); + core_debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`); this.git.removeEnvironmentVariable('HOME'); + this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL'); await rmRF(this.temporaryHomePath); } } diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index dd7e6fb..e2d1054 100644 --- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -122,6 +122,11 @@ class GitAuthHelper { ) this.git.setEnvironmentVariable('HOME', this.temporaryHomePath) + // GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global + // config file. Pin it to the temporary config so an inherited + // GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere. + this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath) + return newGitConfigPath } @@ -237,8 +242,9 @@ class GitAuthHelper { async removeGlobalConfig(): Promise { if (this.temporaryHomePath?.length > 0) { - core.debug(`Unsetting HOME override`) + core.debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`) this.git.removeEnvironmentVariable('HOME') + this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL') await io.rmRF(this.temporaryHomePath) } }