fix(projects): use SCM credentials during Git sync #24

Open
opened 2026-05-31 08:29:43 +00:00 by simon · 0 comments
Owner

CT-Ops can now create CT-Automation projects with an attached scm_credential_id for private SSH repositories, but CT-Automation's project sync path appears to validate and persist the SCM credential without using it for Git operations.\n\nEvidence from local source inspection:\n- src/ct_automation/domain/projects.py accepts and validates scm_credential_id on projects.\n- resolve_git_ref() calls git ls-remote with only the repository URL/ref.\n- sync_project() calls resolve_git_ref(project["repository_url"], ref) and does not materialize the project SCM credential.\n- src/ct_automation/worker/execution.py _checkout_project() calls git clone without SCM credential materialization.\n\nImpact: private repository setup can store an SCM key, but discovery/checkout will still fail for repositories that require that key.\n\nSuggested fix: when a project has scm_credential_id, decrypt/materialize the SCM credential into a temporary 0600 key file, set GIT_SSH_COMMAND with strict known_hosts handling from credential metadata, use it for ls-remote/clone/fetch operations, and remove the temp material immediately after the Git command. Add tests proving private-key projects invoke Git with the generated SSH command and never expose key material in errors/audit metadata.

CT-Ops can now create CT-Automation projects with an attached scm_credential_id for private SSH repositories, but CT-Automation's project sync path appears to validate and persist the SCM credential without using it for Git operations.\n\nEvidence from local source inspection:\n- src/ct_automation/domain/projects.py accepts and validates scm_credential_id on projects.\n- resolve_git_ref() calls git ls-remote with only the repository URL/ref.\n- sync_project() calls resolve_git_ref(project["repository_url"], ref) and does not materialize the project SCM credential.\n- src/ct_automation/worker/execution.py _checkout_project() calls git clone without SCM credential materialization.\n\nImpact: private repository setup can store an SCM key, but discovery/checkout will still fail for repositories that require that key.\n\nSuggested fix: when a project has scm_credential_id, decrypt/materialize the SCM credential into a temporary 0600 key file, set GIT_SSH_COMMAND with strict known_hosts handling from credential metadata, use it for ls-remote/clone/fetch operations, and remove the temp material immediately after the Git command. Add tests proving private-key projects invoke Git with the generated SSH command and never expose key material in errors/audit metadata.
Sign in to join this conversation.
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carrtech/CT-Automation#24
No description provided.