auth: copy all options slices to avoid override on reuse

.github/workflows/actions.yaml

@@ -28,8 +28,6 @@ jobs:
         uses: ./actions/kubeconform
       - name: Setup envtest
         uses: ./actions/envtest
-        with:
-          version: c7e1dc9b5302d649d5531e19168dd7ea0013736d # remove this when https://github.com/kubernetes-sigs/controller-runtime/issues/2720 is fixed
       - name: Setup helm
         uses: ./actions/helm
       - name: Setup kubectl

actions/envtest/action.yml

@@ -19,13 +19,13 @@ runs:
     - name: Setup Go
       uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
       with:
-        go-version: 1.20.x
+        go-version: 1.25.x
         cache: false
     - name: Use specified version to install
       if: inputs.envtest_version != ''
       shell: bash
       run: |
-        echo "VERSION=${{ inputs.version }}" >> "$GITHUB_ENV"
+        echo "VERSION=${{ inputs.envtest_version }}" >> "$GITHUB_ENV"
     - name: Determine version to install
       if: inputs.envtest_version == ''
       shell: bash

auth/azure/token_credential.go

@@ -19,6 +19,7 @@ package azure
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
@@ -43,7 +44,7 @@ func NewTokenCredential(ctx context.Context, opts ...auth.Option) azcore.TokenCr
 // the behavior of all providers around this so the usage of this
 // library can be consistent regardless of the provider.
 func (t *tokenCredential) GetToken(_ context.Context, tokenOpts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	opts := t.opts
+	opts := slices.Clone(t.opts)
 	if tokenOpts.Scopes != nil {
 		opts = append(opts, auth.WithScopes(tokenOpts.Scopes...))
 	}

auth/registry.go

@@ -19,6 +19,7 @@ package auth
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"time"
 
@@ -95,7 +96,7 @@ func GetArtifactRegistryCredentials(ctx context.Context, provider ArtifactRegist
 	if err != nil {
 		return nil, err
 	}
-	accessTokenOpts = append(opts, accessTokenOpts...)
+	accessTokenOpts = append(slices.Clone(opts), accessTokenOpts...)
 	accessToken, err := GetAccessToken(ctx, provider, accessTokenOpts...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get access token for artifact registry: %w", err)

auth/utils/git.go

@@ -19,6 +19,7 @@ package utils
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/auth/azure"
@@ -37,7 +38,7 @@ type GitCredentials struct {
 func GetGitCredentials(ctx context.Context, providerName string, opts ...auth.Option) (*GitCredentials, error) {
 	switch providerName {
 	case azure.ProviderName:
-		opts = append(opts, auth.WithScopes(azure.ScopeDevOps))
+		opts = append(slices.Clone(opts), auth.WithScopes(azure.ScopeDevOps))
 		token, err := auth.GetAccessToken(ctx, azure.Provider{}, opts...)
 		if err != nil {
 			return nil, err

auth/utils/restconfig.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
@@ -90,6 +91,7 @@ func GetRESTConfig(ctx context.Context,
 	}
 
 	// Configure options.
+	opts = slices.Clone(opts)
 	if c, ok := cm.Data[meta.KubeConfigKeyCluster]; ok {
 		opts = append(opts, auth.WithClusterResource(c))
 	}