Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-8260

Regression: gitToken and gitTokenKey not working with git resolver

XMLWordPrintable

    • 1
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide
      Bug fix: Before this change, there was a regression in which the git resolver was not authenticating with the provided `gitToken` and `gitTokenKey`, breaking the git resolver's http token-based auth. After this change, all git operations performed by the git resolver use the provided `gitToken` for remote authentication. No user action is required for the bug fix to take effect.
      Show
      Bug fix: Before this change, there was a regression in which the git resolver was not authenticating with the provided `gitToken` and `gitTokenKey`, breaking the git resolver's http token-based auth. After this change, all git operations performed by the git resolver use the provided `gitToken` for remote authentication. No user action is required for the bug fix to take effect.
    • Bug Fix
    • Proposed
    • 2
    • Pipelines Sprint Tekshift 34, Pipelines Sprint Tekshift 35

      The following PipelineRun will fail at the resolution, failing to clone the private repository, with an error that says authentication required.

      apiVersion: tekton.dev/v1
kind: PipelineRun
metadata: 
  generateName: git-resolver-
spec: 
  workspaces: 
    - name: output  # this workspace name must be declared in the Pipeline
      volumeClaimTemplate: 
        spec: 
          accessModes: 
            - ReadWriteOnce  # access mode may affect how you can use this volume in parallel tasks
          resources: 
            requests: 
              storage: 1Gi
  pipelineSpec: 
    workspaces: 
      - name: output
    tasks: 
      - name: task1
        workspaces: 
          - name: output
        taskRef: 
          resolver: git
          params: 
            - name: url
              value: https://git@github.com/vdemeester/private-tasks.git
            - name: pathInRepo
              value: /task/git-clone/0.10/git-clone.yaml
            - name: revision
              value: main
            # my-secret-token should be created in the namespace where the
            # pipelinerun is created and contain a GitHub personal access
            # token in the token key of the secret.
            - name: gitToken
              value: github-token
            - name: gitTokenKey
              value: token
        params: 
          - name: url
            value: https://github.com/tektoncd/catalog
          - name: deleteExisting
            value: "true"

      The value from the secret (from gitToken and gitTokenKey) are valid and correctly passed to the git clone command the resolver will do.
      The following command is what gets executed (token redacted). It fails as it seems git doesn't take into account http.ExtraHeader.

      env GIT_TERMINAL_PROMPT=false GIT_AUTH_HEADER="Authorization=Basic XXXXXX" git -C /tmp/foo --config-env http.extraHeader=GIT_AUTH_HEADER clone https://github.com/vdemeester/private-tasks.git /tmp/foo --depth=1 --no-checkout

      It should succeed and it used to succeed before we switch from go-git to doing the git clone ourselves.

      Upstream issue: https://github.com/tektoncd/pipeline/issues/8940

        1. image-2025-08-07-19-40-34-096.png
          image-2025-08-07-19-40-34-096.png
          103 kB

              rh-ee-athorp Andrew Thorp
              vdemeest Vincent Demeester
              Sri Vignesh Selvan Sri Vignesh Selvan
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: