7

I'm trying to create a bash script that initializes a server and clones a git repository as part of initialization.

The installing user will set a personal access token (PAT) as an environment variable $TOKEN to clone via script. I want each subsequent user that pulls or pushes code to this cloned repository to set their PAT via environment variable $TOKEN, instead of using the original PAT the installer used.

However, when the script clones the repository, gitconfig stores the interpreted value of $TOKEN instead of the variable $TOKEN, so any subsequent pull/push uses the original installer's PAT.

i.e. when I do:

git clone https://oauth2:$TOKEN@gitlab.com/repo.git

gitconfig says:

[remote "origin"]
        url = https://oauth2:[email protected]/repo.git
        fetch = +refs/heads/*:refs/remotes/origin/*

when I want it to say:

[remote "origin"]
        url = https://oauth2:$TOKEN@gitlab.com/repo.git
        fetch = +refs/heads/*:refs/remotes/origin/*

I can't figure out how to force each user to use their token each time in a simple way.

Any ideas? Thanks

1
  • Git doesn't substitute environment variables in .git/config so having https://oauth2:$TOKEN@gitlab.com/repo.git in the config is meaningless. The only way is to have the URL in the shell script where shell expands the variable. After git clone reset the URL with git remote set-url origin https://gitlab.com/repo.git (Commented Feb 2, 2022 at 20:57)

1 Answer

14

You should avoid placing the token into the URL at all, since this is exposed to other users and saved in the configuration file. Instead, you can have the user configure a special credential helper to read from the environment, as outlined in the Git FAQ (substituting author below):

$ git config credential.helper \
    '!f() { echo username=author; echo "password=$TOKEN"; };f'

If you want to do this as part of a clone operation, you can do that with the -c argument to clone:

$ git clone -c credential.helper= \
  -c credential.helper='!f() { echo username=author; echo "password=$TOKEN"; };f' \
  https://gitlab.com/repo.git

The additional empty value for credential.helper causes any existing credential helpers to be removed, preventing the addition of this token into the user's credential helper. If you'd like the user to be able to save it, then remove that directive.


6 Comments

It looks like you doubled the -c credential.helper= in the second code box.
The first one is an empty value to reset the list, and the second one sets the desired value, as mentioned in the answer. The code is the way it is intentionally.
Frankly, I understand it differently. Having it empty prevents any helper from being used. Setting it overrides anything that was set before, whatever it was. Your method is like assigning zero to some variable just before assigning a certain number to it. Meh.
The option is multi-valued, so you can have multiple credential helpers set at once. Setting an empty value resets the list (as the documentation says) so that new credential.helper settings don't just get appended to what's already there.
You're looking for the "helper" argument in "Configuration Options" in gitcredentials(7).
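An added example (not part of the answer or comments above) that checks offline what the thread discusses: with the empty `credential.helper=` reset each user's own `$TOKEN` is used and nothing is saved, while without it a previously configured helper saves the first token and serves it to the next user. The sandbox layout, clone names, `tok-alice`/`tok-bob` values and the use of `store` as the pre-existing helper are constructed for illustration.

```shell
#!/bin/sh
# Constructed offline demo: a throwaway HOME and a local bare repo stand in for
# the server; "store" plays a helper the user already had configured globally.
set -e
HELPER='!f() { echo username=author; echo "password=$TOKEN"; };f'

setup_sandbox() {
    SANDBOX=$(mktemp -d)
    export HOME="$SANDBOX" GIT_CONFIG_NOSYSTEM=1 GIT_TERMINAL_PROMPT=0
    unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
    git config --global credential.helper "store --file=$SANDBOX/saved"
    git init -q --bare "$SANDBOX/origin.git"
}

clone_repo() {      # $1 = clone name, remaining args = extra "git clone" options
    dest=$1; shift
    git clone -q "$@" -c credential.helper="$HELPER" \
        "$SANDBOX/origin.git" "$SANDBOX/$dest" 2>/dev/null
}

# Print the password git would send to gitlab.com for a user whose token is $2,
# then approve it, as git does after a successful fetch or push.
use_token() {       # $1 = clone name, $2 = that user's $TOKEN
    cred=$(printf 'protocol=https\nhost=gitlab.com\n\n' |
           TOKEN="$2" git -C "$SANDBOX/$1" credential fill)
    printf '%s\n\n' "$cred" | TOKEN="$2" git -C "$SANDBOX/$1" credential approve
    printf '%s\n' "$cred" | sed -n 's/^password=//p'
}

saved_tokens() {    # what the global "store" helper has written to disk
    cat "$SANDBOX/saved" 2>/dev/null || true
}

config_has() {      # $1 = clone name, $2 = literal string; prints yes or no
    if grep -qF -- "$2" "$SANDBOX/$1/.git/config"; then echo yes; else echo no; fi
}

setup_sandbox
clone_repo with_reset -c credential.helper=   # the answer's form
clone_repo no_reset                           # same, minus the empty value
A=$(use_token with_reset tok-alice); B=$(use_token with_reset tok-bob)
SAVED_AFTER_RESET=$(saved_tokens)
C=$(use_token no_reset tok-alice);   D=$(use_token no_reset tok-bob)
echo "with reset:    alice sends $A, bob sends $B, saved: '$SAVED_AFTER_RESET'"
echo "without reset: alice sends $C, bob sends $D, saved: '$(saved_tokens)'"
echo "token in with_reset/.git/config: $(config_has with_reset tok-alice)"
```

In the `no_reset` clone the second user ends up sending the first user's token, because the global helper is consulted before the environment helper and already holds a saved credential for the host.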