Skip to content

Replace persist-credentials with explicit git re-authentication#2664

Merged
pelikhan merged 4 commits into
mainfrom
copilot/update-git-re-authentication
Oct 28, 2025
Merged

Replace persist-credentials with explicit git re-authentication#2664
pelikhan merged 4 commits into
mainfrom
copilot/update-git-re-authentication

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Oct 28, 2025
edited
Loading

Replaces persist-credentials: true in checkout steps with explicit git authentication via git remote set-url to provide better control over credential scope.

Changes

  • pkg/workflow/push_to_pull_request_branch.go: Set persist-credentials: false in buildCheckoutRepository()
  • pkg/workflow/yaml_generation.go: Add git remote set-url command to generateGitConfigurationSteps()
  • Tests: Update assertions to expect new authentication pattern

Before/After

Before:

- uses: actions/checkout@...
  with:
    persist-credentials: true

After:

- uses: actions/checkout@...
  with:
    persist-credentials: false

- name: Configure Git credentials
  run: |
    SERVER_URL="${{ github.server_url }}"
    SERVER_URL="${SERVER_URL#https://}"
    git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL}/${{ github.repository }}.git"

Impact

All 56 compiled workflows (.lock.yml files) regenerated with new authentication pattern.

Original prompt

Update the generated code to re-authenticate git instead of using persist-credentials: true.

git remote set-url origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@${{ github.server_url#https:// }}/$GITHUB_REPOSITORY.git"

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI self-assigned this Oct 28, 2025
Copilot AI and others added 2 commits October 28, 2025 07:35
@pelikhan
Replace persist-credentials with git remote set-url authentication
f5ff318 
- Changed buildCheckoutRepository to use persist-credentials: false
- Updated generateGitConfigurationSteps to add git remote set-url command
- Updated all tests to expect persist-credentials: false
- All unit tests passing

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Format code with gofmt
edc6754 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update generated code to re-authenticate git Replace persist-credentials with explicit git re-authentication Oct 28, 2025
Copilot AI requested a review from pelikhan October 28, 2025 07:43
@pelikhan pelikhan marked this pull request as ready for review October 28, 2025 07:50
Copilot AI review requested due to automatic review settings October 28, 2025 07:50
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 28, 2025

Agentic Changeset Generator triggered by this pull request.

Copilot AI reviewed Oct 28, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR replaces the use of persist-credentials: true in GitHub Actions checkout steps with explicit git authentication using git remote set-url. This provides better control over credential scope by authenticating git explicitly when needed rather than persisting credentials throughout the workflow.

  • Changed persist-credentials from true to false in checkout steps
  • Added explicit git remote URL configuration with GitHub token in git configuration steps
  • Updated tests to reflect the new authentication pattern

Reviewed Changes

Copilot reviewed 60 out of 60 changed files in this pull request and generated no comments.

Show a summary per file
File Description
pkg/workflow/yaml_generation.go Added git remote set-url command to re-authenticate with GitHub token
pkg/workflow/push_to_pull_request_branch.go Changed persist-credentials to false in checkout configuration
pkg/workflow/git_config_test.go Updated test assertions to expect 9 lines instead of 5 and added checks for new authentication commands
pkg/workflow/checkout_persist_credentials_test.go Updated test names, descriptions, and logic to reflect that all jobs now use persist-credentials: false
.github/workflows/*.lock.yml (56 files) Regenerated workflow files with new authentication pattern
Comments suppressed due to low confidence (2)

pkg/workflow/yaml_generation.go:1

  • The shell parameter expansion ${SERVER_URL#https://} removes only the literal prefix 'https://', but github.server_url may use 'http://' in some enterprise configurations. Consider using a more robust URL parsing approach or handle both protocols.
    pkg/workflow/checkout_persist_credentials_test.go:1
  • The variable expectTrueJobs is now an empty map that is never populated, making the subsequent logic unnecessary. Consider removing this variable and simplifying the verification logic since all jobs should now use persist-credentials: false.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pelikhan pelikhan merged commit f206704 into main Oct 28, 2025
3 checks passed
@pelikhan pelikhan deleted the copilot/update-git-re-authentication branch October 28, 2025 07:54
This was referenced May 20, 2026
Merged
Merged
Closed
@coderabbitai coderabbitai Bot mentioned this pull request May 28, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan