From e32933676801708bef177ec7c099e8d5b53d9848 Mon Sep 17 00:00:00 2001
From: Jeremy Dubreil
Date: Tue, 23 Jun 2026 11:51:41 +0000
Subject: [PATCH] fix(LINK-4383): mount checkout at host path so container git can authenticate
---
src/util.ts | 48 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/util.ts b/src/util.ts
index 6e5d2d28..a17a40b3 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -131,6 +131,44 @@ export async function getModifiedFiles(): Promise {
 }
 }
+// gitWorkspaceDockerArgs - mount the checkout and expose GitHub credentials to
+// git inside the container.
+//
+// The scanner runs `git remote show origin` to determine the repository's
+// default branch, which needs working GitHub credentials. actions/checkout wires
+// these by writing an `http..extraheader` AUTHORIZATION entry into a config
+// file under RUNNER_TEMP and referencing it from the repo's .git/config with an
+// `includeIf.gitdir:/.git` entry. To make that resolve inside
+// the container we:
+// - mount the checkout at its original host path so the gitdir condition matches
+// - mount RUNNER_TEMP so the referenced credentials file is reachable
+// - point WORKSPACE at the host path and mark it a safe directory (the image's
+// built-in `/app/${WORKSPACE}` safe.directory no longer applies)
+function gitWorkspaceDockerArgs(): string[] {
+ const workspace = process.cwd()
+ const args = ['-v', `${workspace}:${workspace}`]
+
+ const runnerTemp = process.env.RUNNER_TEMP
+ if (runnerTemp && existsSync(runnerTemp)) {
+ args.push('-v', `${runnerTemp}:${runnerTemp}`)
+ } else {
+ info('RUNNER_TEMP not set — git credentials may be unavailable inside the container')
+ }
+
+ args.push(
+ '-e',
+ `WORKSPACE=${workspace}`,
+ '-e',
+ 'GIT_CONFIG_COUNT=1',
+ '-e',
+ 'GIT_CONFIG_KEY_0=safe.directory',
+ '-e',
+ `GIT_CONFIG_VALUE_0=${workspace}`
+ )
+
+ return args
+}
+
 // runCodesecScan - Docker-based scanner using codesec:latest image
 //
 // Parameters:
@@ -163,13 +201,10 @@ export async function runCodesecScan(
 'run',
 '--name',
 containerName,
- '-v',
- `${process.cwd()}:/app/src`,
+ ...gitWorkspaceDockerArgs(),
 '--env-file',
 envFile,
 '-e',
- `WORKSPACE=src`,
- '-e',
 `LW_ACCOUNT=${lwAccount}`,
 '-e',
 `LW_API_KEY=${lwApiKey}`,
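Review bot: The RUNNER_TEMP bind mount added in gitWorkspaceDockerArgs is read-write, so the container gets write access to the whole runner temp directory, not just the config file git needs to read; appending `:ro` to that mount spec, i.e. `${runnerTemp}:${runnerTemp}:ro`, keeps the exposure read-only (confirm the scanner never writes under RUNNER_TEMP). The function comment should also say plainly that this mount hands the AUTHORIZATION extraheader — the checkout token — plus anything earlier steps left in RUNNER_TEMP to the codesec:latest image, which is pulled by a mutable tag, so a reader understands what trust is being extended. In the else branch the message says "not set" although the branch also covers a set-but-nonexistent path, and it logs at info level even though git authentication will likely fail afterwards; `warning(...)` would surface it in the job summary, assuming the module that provides `info` (presumably @actions/core) is already imported. `existsSync` and `info` appear with no import change in this patch, so they are presumably already in scope in util.ts — the imports are outside the hunk.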
@@ -254,15 +289,12 @@ export async function runCodesecCompare(): Promise {
 'run',
 '--name',
 containerName,
- '-v',
- `${process.cwd()}:/app/src`,
+ ...gitWorkspaceDockerArgs(),
 '-v',
 `${path.join(process.cwd(), 'scan-results')}:/app/scan-results`,
 '--env-file',
 envFile,
 '-e',
- `WORKSPACE=src`,
- '-e',
 `LW_ACCOUNT=${lwAccount}`,
 '-e',
 `LW_API_KEY=${lwApiKey}`,