From 3c4d13be5a9e2dfd9e5dd203fca15619556ee060 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 23 Sep 2025 12:26:02 +0200
Subject: [PATCH 1/2] GitHub tokenb based git auth
---
 build_docs.pl | 43 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/build_docs.pl b/build_docs.pl
index 41bf827149da2..f71fba97b639e 100755
--- a/build_docs.pl
+++ b/build_docs.pl
@@ -265,7 +265,7 @@ sub _guess_repo_name {
 #===================================
 sub build_all {
 #===================================
- $Opts->{target_repo} = 'git@github.com:elastic/built-docs.git' unless ( $Opts->{target_repo} );
+ $Opts->{target_repo} = 'https://github.com/elastic/built-docs.git' unless ( $Opts->{target_repo} );
 my ( $repos_dir, $temp_dir, $reference_dir ) = init_dirs();
@@ -694,9 +694,16 @@ sub init_target_repo {
 #===================================
 my ( $repos_dir, $temp_dir, $reference_dir ) = @_;
+ my $target_url = $Opts->{target_repo};
+ # Add OAuth2 authentication for HTTPS GitHub URLs
+ # OAuth2 format: https://oauth2:token@github.com/owner/repo.git
+ if ( $ENV{GITHUB_TOKEN} && $target_url =~ m|^https://github\.com/| ) {
+ $target_url =~ s|^https://|https://oauth2:$ENV{GITHUB_TOKEN}@|;
+ }
+
 my $target_repo = ES::TargetRepo->new(
 git_dir => $repos_dir->subdir('target_repo.git'),
- url => $Opts->{target_repo},
+ url => $target_url,
 reference => $reference_dir,
 destination => dir( "$temp_dir/target_repo" ),
 branch => $Opts->{target_branch} || 'master',
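Review bot: Writing the token into `$target_url` in the init_target_repo hunk puts the secret wherever the URL travels: it is passed to `ES::TargetRepo->new` as `url`, and if that class hands it to `git clone` or `git remote add` (not visible here), the token would end up in the repository config under `$repos_dir`, in process arguments, and in any git error or log line that prints the remote. The same substitution is repeated in the init_repos hunk, and in both places the value is interpolated without URL-encoding or a check for stray whitespace. Keeping `url => $Opts->{target_repo}` and letting git fetch the credential from the environment avoids this; the sketch below relies on `GIT_CONFIG_COUNT`, which needs git 2.31 or newer, and assumes the child git processes inherit `%ENV`. init_target_repo continues past the end of the hunk.

```perl
    my ( $repos_dir, $temp_dir, $reference_dir ) = @_;

    # Leave the remote URL untouched; git asks the helper for the token at
    # run time, so the secret never appears in a URL, in config or in argv.
    if ( $ENV{GITHUB_TOKEN} ) {
        $ENV{GIT_CONFIG_COUNT}   = 1;
        $ENV{GIT_CONFIG_KEY_0}   = 'credential.https://github.com.helper';
        $ENV{GIT_CONFIG_VALUE_0}
            = '!f() { echo username=oauth2; echo "password=$GITHUB_TOKEN"; }; f';
    }

    my $target_repo = ES::TargetRepo->new(
        git_dir => $repos_dir->subdir('target_repo.git'),
        url     => $Opts->{target_repo},
        # … unchanged: reference, destination, branch …
```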
@@ -737,9 +744,13 @@ sub init_repos {
 next if $name eq 'docs';
 my $url = $conf->{$name};
- # We always use ssh-style urls regardless of conf.yaml so we can use
- # our ssh key for the cloning.
- $url =~ s|https://([^/]+)/|git\@$1:|;
+ # Convert HTTPS URLs to use OAuth2 authentication with GITHUB_TOKEN if available
+ # OAuth2 format: https://oauth2:token@github.com/owner/repo.git
+ if ( $ENV{GITHUB_TOKEN} && $url =~ m|^https://github\.com/| ) {
+ $url =~ s|^https://|https://oauth2:$ENV{GITHUB_TOKEN}@|;
+ }
+ # Keep SSH URLs as-is for backward compatibility
+ # $url =~ s|https://([^/]+)/|git\@$1:|;
 my $repo = ES::Repo->new(
 name => $name,
 git_dir => $repos_dir->subdir("$name.git"),
@@ -793,7 +804,7 @@ sub init_repos {
 #===================================
 sub preview {
 #===================================
- $Opts->{target_repo} = 'git@github.com:elastic/built-docs.git' unless ( $Opts->{target_repo} );
+ $Opts->{target_repo} = 'https://github.com/elastic/built-docs.git' unless ( $Opts->{target_repo} );
 my $nginx_config = file('/tmp/nginx.conf');
 write_nginx_preview_config( $nginx_config );
@@ -887,6 +898,19 @@ sub init_env {
 print "Found ssh auth\n";
 }
+ # Configure git to use GITHUB_TOKEN for OAuth2 HTTPS authentication if available
+ if ( $ENV{GITHUB_TOKEN} ) {
+ print "Configuring git to use GITHUB_TOKEN for OAuth2 authentication\n";
+ # Set up git credential helper to use the token
+ run qw(git config --global credential.helper store);
+ # Create a credential file with the OAuth2 token
+ my $credential_file = $ENV{HOME} . '/.git-credentials';
+ open(my $fh, '>', $credential_file) or die "Couldn't create credential file: $!";
+ print $fh "https://oauth2:$ENV{GITHUB_TOKEN}@github.com\n";
+ close($fh);
+ chmod(0600, $credential_file);
+ }
+
 if ( $Opts->{preview} ) {
 # `--preview` is run in k8s it doesn't *want* a tty
 # so it should avoid doing housekeeping below.
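Review bot: In the init_repos hunk the ssh rewrite is commented out rather than made conditional, so when `GITHUB_TOKEN` is unset an `https://` URL from the conf file is now used as-is instead of being converted to the ssh form that the removed comment said was needed to clone with the ssh key. That changes behaviour for existing ssh-key users, which the new "backward compatibility" comment does not reflect; the build_all and preview hunks make the matching change to the default `target_repo`. An `else` branch would keep the old path, `else { $url =~ s|https://([^/]+)/|git\@$1:|; }`, and the commented-out line can then be deleted. The loop body in init_repos starts and ends outside the hunk.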
@@ -1121,6 +1145,13 @@ sub usage {
 --target_branch Branch to which to commit docs
 --user Specify which GitHub user to use, if not your own
+ Environment Variables:
+ GITHUB_TOKEN GitHub personal access token for OAuth2 HTTPS authentication.
+ When set, the script will use HTTPS URLs with OAuth2
+ authentication (oauth2:token format) instead of SSH for
+ GitHub repositories and configure git to use the token
+ for authentication.
+
 General Opts:
 --asciidoctor Emit a happy message.
 --conf Use your own configuration file, defaults to the
From a4ed9d0dd439f243a4812f457f00abbc861d1d88 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 23 Sep 2025 12:27:40 +0200
Subject: [PATCH 2/2] Remove credentialstore logic
---
 build_docs.pl | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/build_docs.pl b/build_docs.pl
index f71fba97b639e..0cceabd4fce4c 100755
--- a/build_docs.pl
+++ b/build_docs.pl
@@ -898,17 +898,9 @@ sub init_env {
 print "Found ssh auth\n";
 }
- # Configure git to use GITHUB_TOKEN for OAuth2 HTTPS authentication if available
+ # GITHUB_TOKEN is embedded directly in URLs, so no additional git configuration needed
 if ( $ENV{GITHUB_TOKEN} ) {
- print "Configuring git to use GITHUB_TOKEN for OAuth2 authentication\n";
- # Set up git credential helper to use the token
- run qw(git config --global credential.helper store);
- # Create a credential file with the OAuth2 token
- my $credential_file = $ENV{HOME} . '/.git-credentials';
- open(my $fh, '>', $credential_file) or die "Couldn't create credential file: $!";
- print $fh "https://oauth2:$ENV{GITHUB_TOKEN}@github.com\n";
- close($fh);
- chmod(0600, $credential_file);
+ print "Using GITHUB_TOKEN for OAuth2 authentication via embedded URLs\n";
 }
 if ( $Opts->{preview} ) {
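Review bot: After the init_env hunk of PATCH 2/2 removes the credential-store setup, the usage text added in PATCH 1/2 still says the script will "configure git to use the token for authentication", so the help output no longer matches the code. The surviving `if ( $ENV{GITHUB_TOKEN} )` block also prints its message whenever the variable is set, although the rewrites in this series only touch URLs beginning with `https://github.com/`; with an ssh-style `$Opts->{target_repo}` the log would claim token authentication while git still uses ssh. Consider rewording it, for example `print "GITHUB_TOKEN set: https://github.com/ remotes will use token auth\n";`, and trimming the usage paragraph to match. init_env starts and ends outside the hunk.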