Fix http authentication for git resolver

aThorp96 · aThorp96 · commit 217779c34c9e · 2025-08-01T15:10:59.000-04:00
diff --git a/examples/v1/pipelineruns/no-ci/git-resolver-custom-secret.yaml b/examples/v1/pipelineruns/no-ci/git-resolver-custom-secret.yaml
@@ -31,9 +31,11 @@ spec:
             # my-secret-token should be created in the namespace where the
             # pipelinerun is created and contain a GitHub personal access
             # token in the token key of the secret.
-            - name: token
+            # Can be created with the command:
+            #  kubectl create secret generic my-secret-token --from-literal token=$RAW_TOKEN
+            - name: gitToken
               value: my-secret-token
-            - name: tokenKey
+            - name: gitTokenKey
               value: token
         params:
           - name: url
diff --git a/pkg/resolution/resolver/git/repository.go b/pkg/resolution/resolver/git/repository.go
@@ -47,7 +47,7 @@ func (r remote) clone(ctx context.Context) (*repository, func(), error) {
 		os.RemoveAll(tmpDir)
 	}
 
-	repo := repository{
+	repo := &repository{
 		url:       r.url,
 		username:  r.username,
 		password:  r.password,
@@ -62,7 +62,7 @@ func (r remote) clone(ctx context.Context) (*repository, func(), error) {
 		}
 		return nil, cleanupFunc, err
 	}
-	return &repo, cleanupFunc, nil
+	return repo, cleanupFunc, nil
 }
 
 type repository struct {
@@ -105,19 +105,18 @@ func (repo *repository) execGit(ctx context.Context, subCmd string, args ...stri
 	// We need to configure  which directory contains the cloned repository since `cd`ing
 	// into the repository directory is not concurrency-safe
 	configArgs := []string{"-C", repo.directory}
+
 	env := []string{"GIT_TERMINAL_PROMPT=false"}
-	if subCmd == "clone" {
-		// NOTE: Since this is only HTTP basic auth, authentication only supports http
-		// cloning, while unauthenticated cloning works for any other protocol supported
-		// by the git binary which doesn't require authentication.
-		if repo.username != "" && repo.password != "" {
-			token := base64.URLEncoding.EncodeToString([]byte(repo.username + ":" + repo.password))
-			env = append(
-				env,
-				"GIT_AUTH_HEADER=Authorization=Basic "+token,
-			)
-			configArgs = append(configArgs, "--config-env", "http.extraHeader=GIT_AUTH_HEADER")
-		}
+	// NOTE: Since this is only HTTP basic auth, authentication is only supported for http
+	// cloning, while unauthenticated cloning is supported for any other protocol supported
+	// by git which doesn't require authentication.
+	if repo.username != "" && repo.password != "" {
+		token := base64.URLEncoding.EncodeToString([]byte(repo.username + ":" + repo.password))
+		env = append(
+			env,
+			"GIT_AUTH_HEADER=Authorization: Basic "+token,
+		)
+		configArgs = append(configArgs, "--config-env", "http.extraHeader=GIT_AUTH_HEADER")
 	}
 	cmd := repo.executor(ctx, "git", append(configArgs, args...)...)
 	cmd.Env = append(cmd.Environ(), env...)
diff --git a/pkg/resolution/resolver/git/repository_test.go b/pkg/resolution/resolver/git/repository_test.go
@@ -71,7 +71,7 @@ func TestClone(t *testing.T) {
 			if test.username != "" {
 				token := base64.URLEncoding.EncodeToString([]byte(test.username + ":" + test.password))
 				expectedCmd = append(expectedCmd, "--config-env", "http.extraHeader=GIT_AUTH_HEADER")
-				expectedEnv = append(expectedEnv, "GIT_AUTH_HEADER=Authorization=Basic "+token)
+				expectedEnv = append(expectedEnv, "GIT_AUTH_HEADER=Authorization: Basic "+token)
 			}
 			expectedCmd = append(expectedCmd, "clone", test.url, repo.directory, "--depth=1", "--no-checkout")
 
diff --git a/test/resolvers_test.go b/test/resolvers_test.go
@@ -471,6 +471,59 @@ spec:
 	}
 }
 
+func TestGitResolver_HTTPAuth(t *testing.T) {
+	ctx := t.Context()
+	c, namespace := setup(ctx, t, gitFeatureFlags)
+
+	t.Parallel()
+
+	knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
+	defer tearDown(ctx, t, c, namespace)
+
+	giteaClusterHostname, tokenSecretName := setupGitea(ctx, t, c, namespace)
+
+	requestUrl := fmt.Sprintf("http://%s/%s/%s", net.JoinHostPort(giteaClusterHostname, "3000"), scmRemoteOrg, scmRemoteRepo)
+
+	trName := helpers.ObjectNameForTest(t)
+	tr := parse.MustParseV1TaskRun(t, fmt.Sprintf(`
+metadata:
+  name: %s
+  namespace: %s
+spec:
+  taskRef:
+    resolver: git
+    params:
+    - name: url
+      value: %s
+    - name: revision
+      value: %s
+    - name: pathInRepo
+      value: %s
+    - name: gitToken
+      value: %s
+    - name: gitTokenKey
+      value: %s
+`,
+		trName,
+		namespace,
+		requestUrl,
+		scmRemoteBranch,
+		scmRemoteTaskPath,
+		tokenSecretName,
+		scmTokenSecretKey,
+	))
+
+	_, err := c.V1TaskRunClient.Create(ctx, tr, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create TaskRun: %v", err)
+	}
+
+	t.Logf("Waiting for TaskRun %s in namespace %s to complete", trName, namespace)
+	if err := WaitForTaskRunState(ctx, c, trName, TaskRunSucceed(trName), "TaskRunSuccess", v1Version); err != nil {
+		t.Fatalf("Error waiting for TaskRun %s to finish: %s", trName, err)
+	}
+}
+
 func TestGitResolver_API(t *testing.T) {
 	ctx := t.Context()
 	c, namespace := setup(ctx, t, gitFeatureFlags)

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func TestClone(t *testing.T) {`
`71`	`71`	`if test.username != "" {`
`72`	`72`	`token := base64.URLEncoding.EncodeToString([]byte(test.username + ":" + test.password))`
`73`	`73`	`expectedCmd = append(expectedCmd, "--config-env", "http.extraHeader=GIT_AUTH_HEADER")`
`74`		`- expectedEnv = append(expectedEnv, "GIT_AUTH_HEADER=Authorization=Basic "+token)`
	`74`	`+ expectedEnv = append(expectedEnv, "GIT_AUTH_HEADER=Authorization: Basic "+token)`
`75`	`75`	`}`
`76`	`76`	`expectedCmd = append(expectedCmd, "clone", test.url, repo.directory, "--depth=1", "--no-checkout")`
`77`	`77`