Prior Search
What happened?
When wf_tf_deploy runs against a consumer whose terragrunt.hcl resolves a commit hash on a private GitHub repo other than the one pf wf git-checkout cloned, the deploy fails at terragrunt config evaluation with fatal: could not read Username for 'https://github.com'.
pf wf git-checkout writes credentials into the cloned repo's local git config (per the original bash script's "local so they survive cross-container emptyDir mounts" rationale, preserved by dcfa7211). Those credentials don't apply to a git ls-remote against a different URL.
pf util get-commit-hash shells out to git ls-remote <repo> <ref> and currently has no mechanism for accepting credentials — neither flags nor environment variables. $GIT_USERNAME and $GIT_PASSWORD are present in the runner environment but unused.
Adding -u/--username and -p/--password flags to pf util get-commit-hash, building https://<user>:<pass>@<host>/<path> before the git ls-remote call, resolves it. Same shape as 36018714 ("fix: wf_dockerfile_build private repo auth").
Steps to Reproduce
- Set up
wf_tf_deploy in a consumer repo with $GIT_USERNAME / $GIT_PASSWORD mounted into the workflow pod from a Kubernetes secret.
- In the consumer's
terragrunt.hcl, add a local that resolves a commit hash on a private GitHub repo other than the one wf_tf_deploy is checking out:
locals {
image_tag = run_cmd("--terragrunt-quiet",
"pf", "util", "get-commit-hash",
"--ref=main",
"--repo=https://github.com/<org>/<other-private-repo>")
}
- Submit the workflow.
- Observe failure during the
deploy step at terragrunt config evaluation, before terraform apply runs.
Relevant log output
Failed to resolve git reference 'main' in 'https://github.com/<org>/<other-private-repo>'
Command: git ls-remote --exit-code https://github.com/<org>/<other-private-repo> main
fatal: could not read Username for 'https://github.com': No such device or address
ERROR Error: Error in function call
on terragrunt.hcl line N, in locals:
N: image_tag = run_cmd("--terragrunt-quiet", "pf", "util", "get-commit-hash", "--ref=main",
"--repo=https://github.com/<org>/<other-private-repo>")
Prior Search
What happened?
When
wf_tf_deployruns against a consumer whoseterragrunt.hclresolves a commit hash on a private GitHub repo other than the onepf wf git-checkoutcloned, the deploy fails atterragrunt config evaluation with fatal: could not read Username for 'https://github.com'.pf wf git-checkoutwrites credentials into the cloned repo's local git config (per the original bash script's "local so they survive cross-container emptyDir mounts" rationale, preserved bydcfa7211). Those credentials don't apply to agit ls-remoteagainst a different URL.pf util get-commit-hashshells out togit ls-remote <repo> <ref>and currently has no mechanism for accepting credentials — neither flags nor environment variables.$GIT_USERNAMEand$GIT_PASSWORDare present in the runner environment but unused.Adding
-u/--usernameand-p/--passwordflags topf util get-commit-hash, buildinghttps://<user>:<pass>@<host>/<path>before thegit ls-remotecall, resolves it. Same shape as36018714("fix: wf_dockerfile_build private repo auth").Steps to Reproduce
wf_tf_deployin a consumer repo with$GIT_USERNAME/$GIT_PASSWORDmounted into the workflow pod from a Kubernetes secret.terragrunt.hcl, add a local that resolves a commit hash on a private GitHub repo other than the onewf_tf_deployis checking out:deploystep at terragrunt config evaluation, beforeterraform applyruns.Relevant log output