Git based commands, only use GITHUB_TOKEN when interacting with GitHu…

…b's API

This change also removes the submodules git update as this is not used anymore, therefore does not need updating with the new GetGitAuth signature.

Signed-off-by: James Rawlings <jrawlings@chainguard.dev>

pkg/advisory/data_session.go

@@ -51,10 +51,15 @@ func NewDataSession(ctx context.Context, opts DataSessionOptions) (*DataSession,
 
 	ds.githubClient = opts.GitHubClient
 
+	gitAuth, err := wgit.GetGitAuth(opts.Distro.Absolute.AdvisoriesHTTPSCloneURL())
+	if err != nil {
+		return nil, fmt.Errorf("getting git auth: %w", err)
+	}
+
 	// clone advisories repo
 	repo, err := git.PlainCloneContext(ctx, tempDir, false, &git.CloneOptions{
 		URL:  opts.Distro.Absolute.AdvisoriesHTTPSCloneURL(),
-		Auth: wgit.GetGitAuth(),
+		Auth: gitAuth,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("cloning advisories repo: %w", err)
@@ -168,9 +173,14 @@ func (ds DataSession) Modified() bool {
 // Push pushes the changes made during the session to the remote advisories
 // repository.
 func (ds DataSession) Push(ctx context.Context) error {
-	err := ds.repo.PushContext(ctx, &git.PushOptions{
+	gitAuth, err := wgit.GetGitAuth(ds.distro.Absolute.AdvisoriesHTTPSCloneURL())
+	if err != nil {
+		return fmt.Errorf("getting git auth: %w", err)
+	}
+
+	err = ds.repo.PushContext(ctx, &git.PushOptions{
 		RemoteURL: ds.distro.Absolute.AdvisoriesHTTPSCloneURL(),
-		Auth:      wgit.GetGitAuth(),
+		Auth:      gitAuth,
 	})
 	if err != nil {
 		return fmt.Errorf("pushing changes: %w", err)

pkg/git/git.go

@@ -2,12 +2,15 @@ package git
 
 import (
 	"fmt"
+	"log/slog"
 	"net/url"
 	"os"
 	"os/exec"
 	"strings"
 	"time"
 
+	"github.com/chainguard-dev/clog"
+
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/go-git/go-git/v5/plumbing/storer"
@@ -19,20 +22,33 @@ import (
 	gitHttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 )
 
-func GetGitAuth() *gitHttp.BasicAuth {
+func GetGitAuth(gitURL string) (*gitHttp.BasicAuth, error) {
+	logger := clog.NewLogger(slog.Default()) // TODO: plumb through context, everywhere
+
+	parsedURL, err := ParseGitURL(gitURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse git URL %q: %w", gitURL, err)
+	}
+
+	// Only use GITHUB_TOKEN for github.com URLs
+	if parsedURL.Host != "github.com" {
+		logger.Warnf("host %q is not github.com, not using GITHUB_TOKEN for authentication", parsedURL.Host)
+		return nil, nil
+	}
+
 	gitToken := os.Getenv("GITHUB_TOKEN")
 
 	if gitToken == "" {
 		// If the token is empty, there's no way we can return a usable authentication
 		// anyway. Whereas if we return nil, and don't auth, we have a chance at
 		// succeeding with access of a public repo.
-		return nil
+		return &gitHttp.BasicAuth{}, nil
 	}
 
 	return &gitHttp.BasicAuth{
 		Username: "abc123",
 		Password: gitToken,
-	}
+	}, nil
 }
 
 type URL struct {
@@ -182,7 +198,10 @@ func TempClone(gitURL, hash string, useAuth bool) (repoDir string, err error) {
 
 	var auth transport.AuthMethod
 	if useAuth {
-		auth = GetGitAuth()
+		auth, err = GetGitAuth(gitURL)
+		if err != nil {
+			return dir, fmt.Errorf("unable to get git auth: %w", err)
+		}
 	}
 
 	repo, err := git.PlainClone(dir, false, &git.CloneOptions{

pkg/git/tag.go

@@ -51,11 +51,16 @@ func PushTag(dir, tagName string) error {
 	}
 	remoteURL := fmt.Sprintf("https://github.com/%s/%s.git", gitURL.Organisation, gitURL.Name)
 
+	gitAuth, err := GetGitAuth(remoteURL)
+	if err != nil {
+		return fmt.Errorf("failed to get git auth: %w", err)
+	}
+
 	po := &git.PushOptions{
 		RemoteName: "origin",
 		RemoteURL:  remoteURL,
 		RefSpecs:   []config.RefSpec{config.RefSpec(fmt.Sprintf("refs/tags/%s:refs/tags/%s", tagName, tagName))},
-		Auth:       GetGitAuth(),
+		Auth:       gitAuth,
 	}
 
 	err = r.Push(po)

pkg/update/deps/cleanup.go

@@ -40,13 +40,18 @@ func gitCheckout(p *config.Pipeline, dir string, mutations map[string]string) er
 		return err
 	}
 
+	gitAuth, err := wgit.GetGitAuth(repoValue)
+	if err != nil {
+		return fmt.Errorf("failed to get git auth: %w", err)
+	}
+
 	cloneOpts := &git.CloneOptions{
 		URL:               repoValue,
 		ReferenceName:     plumbing.ReferenceName(fmt.Sprintf("refs/tags/%s", evaluatedTag)),
 		Progress:          os.Stdout,
 		RecurseSubmodules: git.NoRecurseSubmodules,
 		Depth:             1,
-		Auth:              wgit.GetGitAuth(),
+		Auth:              gitAuth,
 	}
 
 	log.Printf("cloning sources from %s tag %s into a temporary directory '%s', this may take a while", repoValue, dir, evaluatedTag)

pkg/update/package.go

@@ -53,11 +53,16 @@ func (o *PackageOptions) UpdatePackageCmd(ctx context.Context) error {
 		defer os.Remove(tempDir)
 	}
 
+	gitAuth, err := wolfigit.GetGitAuth(o.TargetRepo)
+	if err != nil {
+		return fmt.Errorf("failed to get git auth: %w", err)
+	}
+
 	cloneOpts := &git.CloneOptions{
 		URL:               o.TargetRepo,
 		Progress:          os.Stdout,
 		RecurseSubmodules: git.NoRecurseSubmodules,
-		Auth:              wolfigit.GetGitAuth(),
+		Auth:              gitAuth,
 		Depth:             1,
 	}
 
@@ -119,12 +124,18 @@ func (o *PackageOptions) updateAdvisories(ctx context.Context, repo *git.Reposit
 	if err != nil {
 		return err
 	}
+
+	gitAuth, err := wolfigit.GetGitAuth(gitURL.RawURL)
+	if err != nil {
+		return fmt.Errorf("failed to get git auth: %w", err)
+	}
+
 	// checkout repo into tmp dir so we know we are working on a clean HEAD
 	cloneOpts := &git.CloneOptions{
 		URL:               gitURL.RawURL,
 		RecurseSubmodules: git.NoRecurseSubmodules,
 		ShallowSubmodules: true,
-		Auth:              wolfigit.GetGitAuth(),
+		Auth:              gitAuth,
 		Tags:              git.AllTags,
 		Depth:             20,
 	}