fix(projects): use SCM credentials during Git sync #24
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
CT-Ops can now create CT-Automation projects with an attached scm_credential_id for private SSH repositories, but CT-Automation's project sync path appears to validate and persist the SCM credential without using it for Git operations.\n\nEvidence from local source inspection:\n- src/ct_automation/domain/projects.py accepts and validates scm_credential_id on projects.\n- resolve_git_ref() calls git ls-remote with only the repository URL/ref.\n- sync_project() calls resolve_git_ref(project["repository_url"], ref) and does not materialize the project SCM credential.\n- src/ct_automation/worker/execution.py _checkout_project() calls git clone without SCM credential materialization.\n\nImpact: private repository setup can store an SCM key, but discovery/checkout will still fail for repositories that require that key.\n\nSuggested fix: when a project has scm_credential_id, decrypt/materialize the SCM credential into a temporary 0600 key file, set GIT_SSH_COMMAND with strict known_hosts handling from credential metadata, use it for ls-remote/clone/fetch operations, and remove the temp material immediately after the Git command. Add tests proving private-key projects invoke Git with the generated SSH command and never expose key material in errors/audit metadata.