feat(image): bake molecule-askpass binary for env-driven HTTPS git auth
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 2s
CI / Template validation (static) (pull_request) Successful in 28s
CI / Template validation (static) (push) Successful in 1m10s
CI / Adapter unit tests (push) Successful in 1m17s
CI / T4 tier-4 conformance (live) (push) Failing after 4s
CI / Adapter unit tests (pull_request) Successful in 1m11s
CI / Template validation (runtime) (pull_request) Successful in 3m41s
CI / Template validation (runtime) (push) Successful in 3m33s
CI / T4 tier-4 conformance (live) (pull_request) Successful in 3m44s
CI / validate (push) Failing after 1s
CI / validate (pull_request) Successful in 1s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 2s
CI / Template validation (static) (pull_request) Successful in 28s
CI / Template validation (static) (push) Successful in 1m10s
CI / Adapter unit tests (push) Successful in 1m17s
CI / T4 tier-4 conformance (live) (push) Failing after 4s
CI / Adapter unit tests (pull_request) Successful in 1m11s
CI / Template validation (runtime) (pull_request) Successful in 3m41s
CI / Template validation (runtime) (push) Successful in 3m33s
CI / T4 tier-4 conformance (live) (pull_request) Successful in 3m44s
CI / validate (push) Failing after 1s
CI / validate (pull_request) Successful in 1s
Image-side companion to molecule-core PR #1525 (merge_sha 73a09443a086, workspace-server applyAgentGitIdentity). PR #1525 sets GIT_ASKPASS= /usr/local/bin/molecule-askpass on every workspace container so git can authenticate to private HTTPS remotes from the persona env vars already arriving via workspace_secrets — but until this binary ships in the runtime image, git invocations error with 'exec: /usr/local/bin/ molecule-askpass: not found' (forward-only pin gap). This is the same class as Hermes list_peers / codex #219: ws-server changed contract, runtime image hadn't yet caught up. Closing the image-side gap unblocks Dev-A/Dev-B (claude-code runtime) durable HTTPS git auth on any private host. Generic by design — no hardcoded hostnames, no vendor literals. Script body is identical to workspace/scripts/molecule-askpass in molecule-core and the parallel external workspace template repos, so any deployer can fork this template and use it against their own git host without editing.
This commit is contained in:
+21
@@ -119,6 +119,27 @@ COPY scripts/molecule-git-token-helper.sh /app/scripts/molecule-git-token-helper
|
||||
COPY scripts/molecule-gh-token-refresh.sh /app/scripts/molecule-gh-token-refresh.sh
|
||||
RUN chmod +x /app/scripts/molecule-git-token-helper.sh /app/scripts/molecule-gh-token-refresh.sh
|
||||
|
||||
# Generic GIT_ASKPASS helper — image-side companion to molecule-core PR
|
||||
# #1525 (workspace-server applyAgentGitIdentity, merge_sha 73a09443a086).
|
||||
# Reads HTTPS Basic-Auth credentials from env vars (GIT_HTTP_USERNAME /
|
||||
# GIT_HTTP_PASSWORD, with GITEA_USER / GITEA_TOKEN as fallback) and emits
|
||||
# them on the git credential-prompt protocol, so container-side `git` can
|
||||
# authenticate to any private HTTPS remote without on-disk ~/.gitconfig
|
||||
# or ~/.git-credentials mutation. The platform provisioner sets
|
||||
# GIT_ASKPASS=/usr/local/bin/molecule-askpass via applyAgentGitIdentity;
|
||||
# until this binary ships in the runtime image, git invocations error
|
||||
# with "exec: /usr/local/bin/molecule-askpass: not found" (forward-only
|
||||
# pin gap — same class as Hermes list_peers and codex template breakage,
|
||||
# fixed image-side here).
|
||||
#
|
||||
# No hardcoded hostnames or vendor names — the script body is identical
|
||||
# to the one shipped in molecule-core workspace/scripts/molecule-askpass
|
||||
# and the parallel external workspace template repos, so any deployer
|
||||
# can fork this template and use it against their own git host without
|
||||
# editing.
|
||||
COPY scripts/molecule-askpass /usr/local/bin/molecule-askpass
|
||||
RUN chmod +x /usr/local/bin/molecule-askpass
|
||||
|
||||
# Drop-priv entrypoint — claude-code refuses --dangerously-skip-permissions
|
||||
# as root, so we run molecule-runtime as the agent user (uid 1000).
|
||||
# The script handles volume-ownership fix + session-dir symlink before
|
||||
|
||||
Executable
+35
@@ -0,0 +1,35 @@
|
||||
#!/bin/sh
|
||||
# git-askpass helper. Reads HTTPS Basic-Auth credentials from env vars so
|
||||
# the deployer can wire git authentication for any private remote without
|
||||
# touching ~/.gitconfig or ~/.git-credentials inside the container.
|
||||
#
|
||||
# Wire-up: set GIT_ASKPASS=/usr/local/bin/molecule-askpass in the
|
||||
# container env, then export GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or the
|
||||
# GITEA_USER / GITEA_TOKEN fallback pair). When git encounters an HTTPS
|
||||
# auth challenge on a host that has no credential.helper configured for
|
||||
# it, git invokes GIT_ASKPASS twice — once with a "Username for ..."
|
||||
# prompt and once with a "Password for ..." prompt. We pattern-match on
|
||||
# that prompt and emit the matching env var.
|
||||
#
|
||||
# No hardcoded hostnames or vendor names — the deployer decides which
|
||||
# host these credentials apply to by virtue of setting GIT_ASKPASS only
|
||||
# when the target remote is in scope. The helper itself is reusable for
|
||||
# any HTTPS git remote.
|
||||
#
|
||||
# Failure mode: if the env vars are unset, we emit an empty string and
|
||||
# let git surface "Authentication failed" — this is intentional, so a
|
||||
# misconfigured deployment fails loudly at first push instead of silently
|
||||
# falling through to an unrelated credential chain.
|
||||
|
||||
case "$1" in
|
||||
Username*)
|
||||
printf '%s\n' "${GIT_HTTP_USERNAME:-${GITEA_USER:-}}"
|
||||
;;
|
||||
Password*)
|
||||
printf '%s\n' "${GIT_HTTP_PASSWORD:-${GITEA_TOKEN:-}}"
|
||||
;;
|
||||
*)
|
||||
# Unknown prompt — emit empty and let git decide.
|
||||
printf '\n'
|
||||
;;
|
||||
esac
|
||||
Reference in New Issue
Block a user