feat: add --source-token for authenticating private repo pulls #178
Merged
Pull request overview
This PR adds optional authentication support for actions-sync pull (and by extension sync, which embeds PullOnlyFlags) so users can mirror private source repositories by providing a --source-token that is threaded through go-git clone/fetch operations.
Changes:
- Adds --source-token CLI flag, builds a go-git transport.AuthMethod, and passes it through pull/clone/fetch call paths.
- Introduces test doubles and new unit tests to verify auth construction, validation, and auth propagation.
- Updates README to document the new flag for both sync and pull.
Show a summary per file
| File | Description |
|---|---|
| src/pull.go | Adds the new flag, validation, auth helper, and threads auth into clone/fetch. |
| src/pull_test.go | Adds unit tests for auth helper, validation, and auth propagation through pull workflows. |
| src/testutils_test.go | Adds shared test doubles to record auth usage in clone/fetch. |
| README.md | Documents the new source-token flag in sync and pull sections. |
Copilot's findings
Comments suppressed due to low confidence (1)
src/pull.go:120
- Clone errors get a friendly message when authentication is required, but fetch errors return the raw go-git error. This matters when the repo already exists locally (clone skipped) or when credentials expire: an auth-required fetch will currently surface a low-level error instead of the intended guidance about authentication / existence.
```go
if err != nil && err != git.NoErrAlreadyUpToDate {
	return err
```
- Files reviewed: 4/4 changed files
- Comments generated: 3
4d095b3 to 342cba7
What

Adds a --source-token flag to actions-sync pull (and sync) so private repositories can be pulled from the source instance. Without it, pulling a private repo fails because the clone/fetch is unauthenticated. Inspired by #162.

Why

actions-sync could only pull public repositories. Customers mirroring private actions from a source GitHub instance had no way to authenticate the pull. This flag accepts a personal access token or a GitHub App installation token (ghs_*) and uses it for the underlying git clone/fetch.

Changes

- --source-token flag to the pull/sync commands, threaded as a typed transport.AuthMethod (built once at the entrypoint; nil means anonymous, preserving existing behavior).
- x-access-token so both PATs and App installation tokens work.
- --source-token when --source-url is insecure http:// (case-insensitive), so the token is never sent in cleartext.
- testutils_test.go.

Testing

- go build, go vet, gofmt, and go test ./src/... all pass.
- ghs_ installation token succeeds and fetches all refs.
- http:// is rejected before any network call.
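
An added example (not code from this PR or from actions-sync) of the behaviour the description lists: no token means anonymous, a token over http:// is refused case-insensitively before any network call, and otherwise the token is sent as basic auth under the username x-access-token. The `basicAuth` type is a stdlib-only stand-in for go-git's auth method, and the names `sourceAuth` and `errInsecureToken` are hypothetical.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// basicAuth is a stand-in (assumption) for go-git's HTTP basic-auth
// transport.AuthMethod, so the example runs without third-party modules.
type basicAuth struct{ Username, Password string }

// Header returns the Authorization header value these credentials produce.
func (a *basicAuth) Header() string {
	raw := a.Username + ":" + a.Password
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(raw))
}

var errInsecureToken = errors.New("refusing to send --source-token over insecure http://")

// sourceAuth (hypothetical name) returns nil for anonymous pulls, an error when
// the token would travel in cleartext, and basic-auth credentials otherwise.
func sourceAuth(sourceURL, token string) (*basicAuth, error) {
	if token == "" {
		return nil, nil // no token: anonymous pull, existing behaviour
	}
	u, err := url.Parse(strings.TrimSpace(sourceURL))
	if err != nil {
		return nil, fmt.Errorf("invalid --source-url: %w", err)
	}
	if strings.EqualFold(u.Scheme, "http") { // matches http, HTTP, Http, ...
		return nil, errInsecureToken
	}
	// The username is fixed; the token is the password, for PATs and ghs_ tokens alike.
	return &basicAuth{Username: "x-access-token", Password: token}, nil
}

func main() {
	// Constructed sample URLs and token, for illustration only.
	for _, src := range []string{"https://github.example.com", "HTTP://github.example.com"} {
		auth, err := sourceAuth(src, "ghs_constructedExampleToken")
		fmt.Println(src, "auth built:", auth != nil, "err:", err)
	}
}
```

With go-git itself the function would return the `transport.AuthMethod` interface, where the anonymous case must return an untyped nil rather than a nil pointer so that `auth == nil` checks downstream stay true.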