Simplify git credential get
-
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.
What does this MR do?
It removes unnecessary executor shell-specific management when setting the credential helper.
Why was this MR needed?
Having pwsh or powershell run by Git as a custom credential helper introduces unnecessary complexity.
The Git documentation states that any credential helper beginning with "!" is considered a shell snippet and is therefore executed by the shell.
When git credential approve is called, it stores credentials. To achieve this, "store" is appended to the credential helper string.
Due to the space character inserted between the credential helper string and "store",
which, in the case of Git for Windows, the sh process found in the PATH, likely the bundled sh. It has nothing to do with gitlab-runner executor shell, using the executor shell is unnecessary.
Even a credential helper consisting of a single process without required arguments, such as: helper = /C/Tools/my-credential-helper.exe is executed with sh:
10:57:49.807428 run-command.c:667 trace: run_command: '/C/Tools/my-credential-helper.exe store'
10:57:49.807428 run-command.c:928 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c '/C/Tools/my-credential-helper.exe store' '/C/Tools/my-credential-helper.exe store'
on Linux with pwsh, with a pre-MR gitlab-runner, the call graph looks like:
\_ ./gitlab-runner run --config config_ff_true.toml
\_ pwsh -NoProfile -NoLogo -InputFormat text -OutputFormat text -NonInteractive -ExecutionPolicy Bypass -EncodedCommand JABPA...
\_ /home/guillaume/tools/powershell-7.4.7-linux-x64/pwsh -NoProfile -NonInteractive -Command -
\_ /usr/bin/git -c http.userAgent=gitlab-runner 17.10.0~pre.5267.gff8b9e32 linux/amd64 fetch origin --no-recurse-submodules +refs/pipelines/***:refs/pipelines/*** +refs/heads/shell:refs/remotes/origin/shell --depth 20 --prune --quiet
\_ /usr/lib/git-core/git remote-https origin https://gitlab.com/***.git
\_ /usr/lib/git-core/git-remote-https origin https://gitlab.com/***.git
\_ /bin/sh -c pwsh -NoProfile -NoLogo -InputFormat text -OutputFormat text -NonInteractive -ExecutionPolicy Bypass -Command 'function f([string]$cmd){ if ($cmd.equals("get")) { Start-Sleep -Seconds 60; Write-Host -NoNewline "password=${env:CI_JOB_TOKEN}`n" } }; f' get pwsh -NoProfile -NoLogo -InputFormat text -OutputFormat text -NonInteractive -ExecutionPolicy Bypass -Command 'function f([string]$cmd){ if ($cmd.equals("get")) { Start-Sleep -Seconds 60; Write-Host -NoNewline "password=${env:CI_JOB_TOKEN}`n" } }; f' get
\_ pwsh -NoProfile -NoLogo -InputFormat text -OutputFormat text -NonInteractive -ExecutionPolicy Bypass -Command function f([string]$cmd){ if ($cmd.equals("get")) { Start-Sleep -Seconds 60; Write-Host -NoNewline "password=${env:CI_JOB_TOKEN}`n" } }; f getwith this MR
\_ ./gitlab-runner run --config config_ff_true.toml
\_ pwsh -NoProfile -NoLogo -InputFormat text -OutputFormat text -NonInteractive -ExecutionPolicy Bypass -EncodedCommand JABPAHUA...
\_ /home/guillaume/tools/powershell-7.4.7-linux-x64/pwsh -NoProfile -NonInteractive -Command -
\_ /usr/bin/git -c http.userAgent=gitlab-runner 17.10.0~pre.5268.g3cb1d11d linux/amd64 fetch origin --no-recurse-submodules +refs/pipelines/***:refs/pipelines/*** +refs/heads/shell:refs/remotes/origin/shell --depth 20 --prune --quiet
\_ /usr/lib/git-core/git remote-https origin https://gitlab.com/***.git
\_ /usr/lib/git-core/git-remote-https origin https://gitlab.com/***.git
\_ /bin/sh -c f(){ sleep 60; if [ "$1" = "get" ] ; then echo "password=${CI_JOB_TOKEN}" ; fi ; } ; f get f(){ sleep 60; if [ "$1" = "get" ] ; then echo "password=${CI_JOB_TOKEN}" ; fi ; } ; f getAs sh is always involved when a custom credential helper is used, it is sufficient to use !f(){ if [ "$1" = "get" ] ; then echo "password=${CI_JOB_TOKEN}" ; fi ; } ; f