Skip to content

Commit

Permalink
Release GCM 2.6 (#1712)
Browse files Browse the repository at this point in the history
**Changes:**

- Drop no longer needed workflows (#1659)
- Documentation fixes (#1664, #1697)
- Configurable GPG store path via Git config (#1698)
- Fix Visual Studio build problems and update dependencies (#1711)
- Support sending X5C with certificate auth (#1666)
  • Loading branch information
Matthew John Cheetham authored Sep 30, 2024
2 parents 90d5f89 + c16a9b7 commit 3c28096
Show file tree
Hide file tree
Showing 49 changed files with 334 additions and 210 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
- uses: actions/checkout@v4

- name: Setup .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/continuous-integration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
- uses: actions/checkout@v4

- name: Setup .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -59,7 +59,7 @@ jobs:
- uses: actions/checkout@v4

- name: Setup .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -100,7 +100,7 @@ jobs:
- uses: actions/checkout@v4

- name: Setup .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down
25 changes: 0 additions & 25 deletions .github/workflows/release-homebrew.yaml

This file was deleted.

20 changes: 10 additions & 10 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
- uses: actions/checkout@v4

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -150,7 +150,7 @@ jobs:
- uses: actions/checkout@v4

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand All @@ -177,7 +177,7 @@ jobs:
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Sign payload files with Azure Code Signing
uses: azure/trusted-signing-action@v0.3.20
uses: azure/trusted-signing-action@v0.4.0
with:
endpoint: https://wus2.codesigning.azure.net/
trusted-signing-account-name: git-fundamentals-signing
Expand All @@ -190,7 +190,7 @@ jobs:

# The Azure Code Signing action overrides the .NET version, so we reset it.
- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand All @@ -204,7 +204,7 @@ jobs:
-Destination $env:GITHUB_WORKSPACE\installers
- name: Sign installers with Azure Code Signing
uses: azure/trusted-signing-action@v0.3.20
uses: azure/trusted-signing-action@v0.4.0
with:
endpoint: https://wus2.codesigning.azure.net/
trusted-signing-account-name: git-fundamentals-signing
Expand Down Expand Up @@ -236,7 +236,7 @@ jobs:
- uses: actions/checkout@v4

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -314,7 +314,7 @@ jobs:
- uses: actions/checkout@v4

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -387,7 +387,7 @@ jobs:
path: signed

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -491,7 +491,7 @@ jobs:
- uses: actions/checkout@v4

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down Expand Up @@ -561,7 +561,7 @@ jobs:
- uses: actions/checkout@v4

- name: Set up .NET
uses: actions/setup-dotnet@v4.0.0
uses: actions/setup-dotnet@v4.0.1
with:
dotnet-version: 8.0.x

Expand Down
2 changes: 1 addition & 1 deletion Directory.Build.props
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@

<ItemGroup Condition = "'$(TargetFramework)' == 'net472'">
<PackageReference Include="System.Text.Json">
<Version>7.0.2</Version>
<Version>8.0.4</Version>
</PackageReference>
</ItemGroup>

Expand Down
3 changes: 2 additions & 1 deletion Directory.Build.targets
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
<Import Project="$(RepoPath)build\GCM.tasks" />

<!-- Use version specified in VERSION file -->
<Target Name="GetVersion" BeforeTargets="BeforeBuild">
<Target Name="GetVersion" BeforeTargets="BeforeBuild;GenerateWindowsAppManifest">
<GetVersion VersionFile="$(RepoPath)VERSION">
<Output TaskParameter="Version" PropertyName="Version" />
<Output TaskParameter="AssemblyVersion" PropertyName="AssemblyVersion" />
Expand All @@ -21,6 +21,7 @@

<!-- Generate the manifest file before we set the win32 manifest properties -->
<Target Name="GenerateWindowsAppManifest"
AfterTargets="GetVersion"
BeforeTargets="SetWin32ManifestProperties"
Condition="'$(GenerateWindowsAppManifest)' != 'false'"
Inputs="$(FileVersion);$(AssemblyName)"
Expand Down
34 changes: 29 additions & 5 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,32 @@
# Security
Thanks for helping make GitHub safe for everyone.

If you discover a security issue in this repo, please submit it through the
[GitHub Security Bug Bounty][hackerone-github]
## Security

Thanks for helping make GitHub products safe for everyone.
GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).

Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.

## Reporting Security Issues

If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure.

**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

Instead, please send an email to opensource-security[@]github.com.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

## Policy

See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor)

[hackerone-github]: https://hackerone.com/github
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
2.5.1.0
2.6.0.0
3 changes: 3 additions & 0 deletions docs/azrepos-misp.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ Type|Git Configuration|Environment Variable
-|-|-
Client Secret|[`credential.azreposServicePrincipalSecret`][gcm-sp-secret-config]|[`GCM_AZREPOS_SP_SECRET`][gcm-sp-secret-env]
Certificate|[`credential.azreposServicePrincipalCertificateThumbprint`][gcm-sp-cert-config]|[`GCM_AZREPOS_SP_CERT_THUMBPRINT`][gcm-sp-cert-env]
Send X5C|[`credential.azreposServicePrincipalCertificateSendX5C`][gcm-sp-cert-x5c-config]|[`GCM_AZREPOS_SP_CERT_SEND_X5C`][gcm-sp-cert-x5c-env]

The value for these options should be the client secret or the thumbrint of the
certificate that is associated with the Service Principal.
Expand All @@ -126,4 +127,6 @@ current user or the local machine.
[gcm-sp-secret-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalsecret
[gcm-sp-secret-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_SECRET
[gcm-sp-cert-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalcertificatethumbprint
[gcm-sp-cert-x5c-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalcertificatesendx5c
[gcm-sp-cert-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_CERT_THUMBPRINT
[gcm-sp-cert-x5c-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_CERT_SEND_X5C
41 changes: 41 additions & 0 deletions docs/configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -633,6 +633,24 @@ git config --global credential.dpapiStorePath D:\credentials

---

### credential.gpgPassStorePath

Specify a custom directory to store GPG-encrypted [pass][pass]-compatible credential files
in when [`credential.credentialStore`][credential-credentialstore] is set to `gpg`.

Defaults to the value `~/.password-store` or `%USERPROFILE%\.password-store`.

#### Example

```shell
git config --global credential.gpgPassStorePath /mnt/external-drive/.password-store
```

**Note:** Location of the password store used by [pass][pass] can be overridden by the
`PASSWORD_STORE_DIR` environment variable, see the [man page][pass-man] for details.

---

### credential.msauthFlow

Specify which authentication flow should be used when performing Microsoft
Expand Down Expand Up @@ -858,6 +876,7 @@ You must also set at least one authentication mechanism if you set this value:

- [credential.azreposServicePrincipalSecret][credential-azrepos-sp-secret]
- [credential.azreposServicePrincipalCertificateThumbprint][credential-azrepos-sp-cert-thumbprint]
- [credential.azreposServicePrincipalCertificateSendX5C][credential-azrepos-sp-cert-x5c]

For more information about service principals, see the Azure DevOps
[documentation][azrepos-sp-mid].
Expand Down Expand Up @@ -904,6 +923,25 @@ git config --global credential.azreposServicePrincipalCertificateThumbprint "9b6

---

### credential.azreposServicePrincipalCertificateSendX5C

When using a certificate for [service principal][service-principal] authentication, this configuration
specifies whether the X5C claim should be should be sent to the STS. Sending the x5c
enables application developers to achieve easy certificate rollover in Azure AD:
this method will send the public certificate to Azure AD along with the token request,
so that Azure AD can use it to validate the subject name based on a trusted issuer
policy. This saves the application admin from the need to explicitly manage the
certificate rollover. For details see [https://aka.ms/msal-net-sni](https://aka.ms/msal-net-sni).

#### Example

```shell
git config --global credential.azreposServicePrincipalCertificateSendX5C true
```
**Also see: [GCM_AZREPOS_SP_CERT_SEND_X5C][gcm-azrepos-sp-cert-x5c]**

---

### trace2.normalTarget

Turns on Trace2 Normal Format tracing - see [Git's Trace2 Normal Format
Expand Down Expand Up @@ -1022,6 +1060,7 @@ Defaults to disabled.
[provider-migrate]: migration.md#gcm_authority
[cache-options]: https://git-scm.com/docs/git-credential-cache#_options
[pass]: https://www.passwordstore.org/
[pass-man]: https://git.zx2c4.com/password-store/about/
[trace2-normal-docs]: https://git-scm.com/docs/api-trace2#_the_normal_format_target
[trace2-normal-env]: environment.md#GIT_TRACE2
[trace2-event-docs]: https://git-scm.com/docs/api-trace2#_the_event_format_target
Expand All @@ -1034,6 +1073,8 @@ Defaults to disabled.
[credential-azrepos-sp]: #credentialazreposserviceprincipal
[credential-azrepos-sp-secret]: #credentialazreposserviceprincipalsecret
[credential-azrepos-sp-cert-thumbprint]: #credentialazreposserviceprincipalcertificatethumbprint
[credential-azrepos-sp-cert-x5c]: #credentialazreposserviceprincipalcertificatesendx5c
[gcm-azrepos-service-principal]: environment.md#GCM_AZREPOS_SERVICE_PRINCIPAL
[gcm-azrepos-sp-secret]: environment.md#GCM_AZREPOS_SP_SECRET
[gcm-azrepos-sp-cert-thumbprint]: environment.md#GCM_AZREPOS_SP_CERT_THUMBPRINT
[gcm-azrepos-sp-cert-x5c]: environment.md#GCM_AZREPOS_SP_CERT_SEND_X5C
28 changes: 28 additions & 0 deletions docs/environment.md
Original file line number Diff line number Diff line change
Expand Up @@ -1039,6 +1039,32 @@ export GCM_AZREPOS_SP_CERT_THUMBPRINT="9b6555292e4ea21cbc2ebd23e66e2f91ebbe92dc"

---

### GCM_AZREPOS_SP_CERT_SEND_X5C

When using a certificate for service principal authentication, this configuration
specifies whether the X5C claim should be should be sent to the STS. Sending the x5c
enables application developers to achieve easy certificate rollover in Azure AD:
this method will send the public certificate to Azure AD along with the token request,
so that Azure AD can use it to validate the subject name based on a trusted issuer
policy. This saves the application admin from the need to explicitly manage the
certificate rollover. For details see [https://aka.ms/msal-net-sni](https://aka.ms/msal-net-sni).

#### Windows

```batch
SET GCM_AZREPOS_SP_CERT_SEND_X5C="true"
```

#### macOS/Linux

```bash
export GCM_AZREPOS_SP_CERT_SEND_X5C="true"
```

**Also see: [credential.azreposServicePrincipalCertificateSendX5C][credential-azrepos-sp-cert-x5c]**

---

### GIT_TRACE2

Turns on Trace2 Normal Format tracing - see [Git's Trace2 Normal Format
Expand Down Expand Up @@ -1184,6 +1210,8 @@ Defaults to disabled.
[gcm-azrepos-sp]: #gcm_azrepos_service_principal
[gcm-azrepos-sp-secret]: #gcm_azrepos_sp_secret
[gcm-azrepos-sp-cert-thumbprint]: #gcm_azrepos_sp_cert_thumbprint
[gcm-azrepos-sp-cert-x5c]: #gcm_azrepos_sp_cert_send_x5c
[credential-azrepos-sp]: configuration.md#credentialazreposserviceprincipal
[credential-azrepos-sp-secret]: configuration.md#credentialazreposserviceprincipalsecret
[credential-azrepos-sp-cert-thumbprint]: configuration.md#credentialazreposserviceprincipalcertificatethumbprint
[credential-azrepos-sp-cert-x5c]: configuration.md#credentialazreposserviceprincipalcertificatesendx5c
2 changes: 1 addition & 1 deletion docs/generic-oauth.md
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ In order to use special characters you need to URL encode the values; for
example `@` becomes `%40`.

By default GCM uses the value `OAUTH-USER` unless specified in the remote URL,
or overriden using the `credential.<HOST>.oauthDefaultUserName` configuration.
or overridden using the `credential.<HOST>.oauthDefaultUserName` configuration.

#### Include client authentication in headers

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,16 @@
</PropertyGroup>

<ItemGroup>
<PackageReference Include="coverlet.collector" Version="3.1.0">
<PackageReference Include="coverlet.collector" Version="6.0.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0" />
<PackageReference Include="ReportGenerator" Version="5.1.9" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.3.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
<PackageReference Include="ReportGenerator" Version="5.3.10" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<DotNetCliToolReference Include="dotnet-xunit" Version="2.3.1" />
</ItemGroup>

Expand Down
2 changes: 1 addition & 1 deletion src/shared/Core.Tests/ApplicationTests.cs
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ public async Task Application_UnconfigureAsync_EmptyAndGcmWithOthersBefore_Remov

Assert.Single(context.Git.Configuration.Global);
Assert.True(context.Git.Configuration.Global.TryGetValue(key, out var actualValues));
Assert.Equal(1, actualValues.Count);
Assert.Single(actualValues);
Assert.Equal(beforeHelper, actualValues[0]);
}

Expand Down
Loading

0 comments on commit 3c28096

Please sign in to comment.