Merge 2d76d21b2e into b9e0990d21

2026-06-27 16:25:32 +00:00 · 2026-06-24 10:28:00 -07:00 · 2026-06-24 10:28:00 -07:00 · 12c31d3d02
commit 12c31d3d02
parent b9e0990d21 2d76d21b2e
3 changed files with 34 additions and 2 deletions
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@ -923,6 +923,25 @@ describe('git-auth-helper tests', () => {
    }
  })

+  const configureGlobalAuth_overridesGitConfigGlobal =
+    'configureGlobalAuth overrides GIT_CONFIG_GLOBAL'
+  it(configureGlobalAuth_overridesGitConfigGlobal, async () => {
+    // Arrange
+    await setup(configureGlobalAuth_overridesGitConfigGlobal)
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Act
+    await authHelper.configureAuth()
+    await authHelper.configureGlobalAuth()
+
+    // Assert GIT_CONFIG_GLOBAL is pinned to the temporary global config, so an
+    // inherited GIT_CONFIG_GLOBAL cannot redirect --global writes
+    expect(git.env['HOME']).toBeTruthy()
+    expect(git.env['GIT_CONFIG_GLOBAL']).toBe(
+      path.join(git.env['HOME'], '.gitconfig')
+    )
+  })
+
  const removeGlobalConfig_removesOverride =
    'removeGlobalConfig removes override'
  it(removeGlobalConfig_removesOverride, async () => {
@ -933,6 +952,7 @@ describe('git-auth-helper tests', () => {
    await authHelper.configureGlobalAuth()
    const homeOverride = git.env['HOME'] // Sanity check
    expect(homeOverride).toBeTruthy()
+    expect(git.env['GIT_CONFIG_GLOBAL']).toBeTruthy()
    await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))

    // Act
@ -940,6 +960,7 @@ describe('git-auth-helper tests', () => {

    // Assert
    expect(git.env['HOME']).toBeUndefined()
+    expect(git.env['GIT_CONFIG_GLOBAL']).toBeUndefined()
    try {
      await fs.promises.stat(homeOverride)
      throw new Error(`Should have been deleted '${homeOverride}'`)
--- a/dist/index.js
+++ b/dist/index.js
@ -35109,6 +35109,10 @@ class GitAuthHelper {
        // Override HOME
        info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`);
        this.git.setEnvironmentVariable('HOME', this.temporaryHomePath);
+        // GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global
+        // config file. Pin it to the temporary config so an inherited
+        // GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere.
+        this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath);
        return newGitConfigPath;
    }
    async configureGlobalAuth() {
@ -35183,8 +35187,9 @@ class GitAuthHelper {
    }
    async removeGlobalConfig() {
        if (this.temporaryHomePath?.length > 0) {
-            core_debug(`Unsetting HOME override`);
+            core_debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`);
            this.git.removeEnvironmentVariable('HOME');
+            this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL');
            await rmRF(this.temporaryHomePath);
        }
    }
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -122,6 +122,11 @@ class GitAuthHelper {
    )
    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)

+    // GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global
+    // config file. Pin it to the temporary config so an inherited
+    // GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere.
+    this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath)
+
    return newGitConfigPath
  }

@ -237,8 +242,9 @@ class GitAuthHelper {

  async removeGlobalConfig(): Promise<void> {
    if (this.temporaryHomePath?.length > 0) {
-      core.debug(`Unsetting HOME override`)
+      core.debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`)
      this.git.removeEnvironmentVariable('HOME')
+      this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL')
      await io.rmRF(this.temporaryHomePath)
    }
  }