fix: configure git auth for GHES in incremental patch fetch (#19685)

Author: Copilot

actions/setup/js/generate_git_patch.cjs

@@ -138,7 +138,26 @@ async function generateGitPatch(branchName, baseBranch, options = {}) {
           // We must explicitly fetch origin/branchName and fail if it doesn't exist.
 
           debugLog(`Strategy 1 (incremental): Fetching origin/${branchName}`);
+          // Configure git authentication using GITHUB_TOKEN and GITHUB_SERVER_URL.
+          // This ensures the fetch works on GitHub Enterprise Server (GHES) where
+          // the default credential helper may not be configured for the enterprise endpoint.
+          // SECURITY: The header is set immediately before the fetch and removed in a finally
+          // block to minimize the window during which the token is stored on disk. This is
+          // important because clean_git_credentials.sh runs before the agent starts — any
+          // credential written after that cleanup must be removed immediately after use so the
+          // agent cannot read the token from .git/config.
+          const githubToken = process.env.GITHUB_TOKEN;
+          const githubServerUrl = process.env.GITHUB_SERVER_URL || "https://github.com";
+          const extraHeaderKey = `http.${githubServerUrl}/.extraheader`;
+          let authHeaderSet = false;
           try {
+            if (githubToken) {
+              const tokenBase64 = Buffer.from(`x-access-token:${githubToken}`).toString("base64");
+              execGitSync(["config", "--local", extraHeaderKey, `Authorization: basic ${tokenBase64}`], { cwd });
+              authHeaderSet = true;
+              debugLog(`Strategy 1 (incremental): Configured git auth for ${githubServerUrl}`);
+            }
+
             // Explicitly fetch origin/branchName to ensure we have the latest
             // Use "--" to prevent branch names starting with "-" from being interpreted as options
             execGitSync(["fetch", "origin", "--", `${branchName}:refs/remotes/origin/${branchName}`], { cwd });
@@ -154,6 +173,21 @@ async function generateGitPatch(branchName, baseBranch, options = {}) {
               error: errorMessage,
               patchPath: patchPath,
             };
+          } finally {
+            // SECURITY: Always remove the token from git config immediately after the fetch,
+            // regardless of success or failure. This prevents the agent from reading the
+            // credential out of .git/config for the remainder of its session.
+            if (authHeaderSet) {
+              try {
+                execGitSync(["config", "--local", "--unset-all", extraHeaderKey], { cwd });
+                debugLog(`Strategy 1 (incremental): Removed git auth header`);
+              } catch {
+                // Non-fatal: the header may already be absent or the repo state changed.
+                // However, a persistent failure here may leave the credential in .git/config
+                // for the remainder of the agent session and should be investigated.
+                debugLog(`Strategy 1 (incremental): Warning - failed to remove git auth header`);
+              }
+            }
           }
         } else {
           // FULL MODE (for create_pull_request):

actions/setup/js/git_patch_integration.test.cjs

@@ -610,6 +610,90 @@ describe("git patch integration tests", () => {
       }
     });
 
+    /**
+     * Sets GITHUB_WORKSPACE, DEFAULT_BRANCH, GITHUB_TOKEN, and GITHUB_SERVER_URL for
+     * a test, then restores the original values (or deletes them if they were unset).
+     * Returns a restore function to call in `finally`.
+     */
+    function setTestEnv(workspaceDir) {
+      const saved = {
+        GITHUB_WORKSPACE: process.env.GITHUB_WORKSPACE,
+        DEFAULT_BRANCH: process.env.DEFAULT_BRANCH,
+        GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+        GITHUB_SERVER_URL: process.env.GITHUB_SERVER_URL,
+      };
+      process.env.GITHUB_WORKSPACE = workspaceDir;
+      process.env.DEFAULT_BRANCH = "main";
+      process.env.GITHUB_TOKEN = "ghs_test_token_for_cleanup_verification";
+      process.env.GITHUB_SERVER_URL = "https://github.example.com";
+      return () => {
+        for (const [key, value] of Object.entries(saved)) {
+          if (value === undefined) {
+            delete process.env[key];
+          } else {
+            process.env[key] = value;
+          }
+        }
+      };
+    }
+
+    it("should remove auth extraheader from git config after a successful fetch", async () => {
+      // Set up a feature branch, push a first commit, then add a second commit so
+      // incremental mode has something new to patch.
+      execGit(["checkout", "-b", "auth-cleanup-success"], { cwd: workingRepo });
+      fs.writeFileSync(path.join(workingRepo, "auth.txt"), "auth test\n");
+      execGit(["add", "auth.txt"], { cwd: workingRepo });
+      execGit(["commit", "-m", "Auth cleanup base commit"], { cwd: workingRepo });
+      execGit(["push", "-u", "origin", "auth-cleanup-success"], { cwd: workingRepo });
+
+      // Add a second commit that will become the incremental patch
+      fs.writeFileSync(path.join(workingRepo, "auth2.txt"), "auth test 2\n");
+      execGit(["add", "auth2.txt"], { cwd: workingRepo });
+      execGit(["commit", "-m", "Auth cleanup new commit"], { cwd: workingRepo });
+
+      // Delete the tracking ref so generateGitPatch has to re-fetch
+      execGit(["update-ref", "-d", "refs/remotes/origin/auth-cleanup-success"], { cwd: workingRepo });
+
+      const restore = setTestEnv(workingRepo);
+      try {
+        const result = await generateGitPatch("auth-cleanup-success", "main", { mode: "incremental" });
+
+        expect(result.success).toBe(true);
+
+        // Verify the extraheader was removed from git config
+        const configCheck = spawnSync("git", ["config", "--local", "--get", "http.https://github.example.com/.extraheader"], { cwd: workingRepo, encoding: "utf8" });
+        // exit status 1 means the key does not exist — that is what we want
+        expect(configCheck.status).toBe(1);
+      } finally {
+        restore();
+      }
+    });
+
+    it("should remove auth extraheader from git config even when fetch fails", async () => {
+      // Create a local-only branch (fetch will fail because it's not on origin)
+      execGit(["checkout", "-b", "auth-cleanup-failure"], { cwd: workingRepo });
+      fs.writeFileSync(path.join(workingRepo, "auth-fail.txt"), "auth fail test\n");
+      execGit(["add", "auth-fail.txt"], { cwd: workingRepo });
+      execGit(["commit", "-m", "Auth cleanup failure test commit"], { cwd: workingRepo });
+      // Do NOT push — so the fetch fails
+
+      const restore = setTestEnv(workingRepo);
+      try {
+        const result = await generateGitPatch("auth-cleanup-failure", "main", { mode: "incremental" });
+
+        // The fetch must fail since origin/auth-cleanup-failure doesn't exist
+        expect(result.success).toBe(false);
+        expect(result.error).toContain("Cannot generate incremental patch");
+
+        // Verify the extraheader was removed even though the fetch failed
+        const configCheck = spawnSync("git", ["config", "--local", "--get", "http.https://github.example.com/.extraheader"], { cwd: workingRepo, encoding: "utf8" });
+        // exit status 1 means the key does not exist — that is what we want
+        expect(configCheck.status).toBe(1);
+      } finally {
+        restore();
+      }
+    });
+
     it("should include all commits in full mode even when origin/branch exists", async () => {
       // Create a feature branch with first commit
       execGit(["checkout", "-b", "full-mode-branch"], { cwd: workingRepo });