Bug 575780 - Builtin LFS doesn't work on GitHub with private repositories if use https authentication
Status: NEW
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 5.13
Hardware: PC Windows 10
Importance: P3 normal with 3 votes
Target Milestone: ---
Assignee: Project Inbox
Reported: 2021-09-02 12:18 EDT by Nail Samatov
Modified: 2023-02-07 04:04 EST

Attachments
The test to reproduce the bug (5.56 KB, application/octet-stream), 2021-09-02 12:18 EDT, Nail Samatov
The patch to fix BuiltinLFS for private repositories (15.28 KB, patch), 2021-09-02 12:19 EDT, Nail Samatov

Description Nail Samatov 2021-09-02 12:18:58 EDT
Created attachment 287075
The test to reproduce the bug

I couldn't get jgit to work with private repositories on GitHub if we use builtin LFS and use HTTPS to authenticate (username + token).

Steps to reproduce:
0. Native git shouldn't be installed (use only builtin LFS). Don't use ssh to authenticate (we will use https).
1. Create any empty private (it's free now) repository in GitHub. You can check the "Add a README file" checkbox when creating the new repository.
2. Copy the URL of the newly created empty private repository.
3. Open the attached LfsPrivateRepoTest and set URI, USERNAME, ACCESS_TOKEN to your values.
4. Run the test.
It will fail even at the push step.

If you want to re-run the test, delete the repository from GitHub and repeat steps 1-4.


I investigated why jgit's built-in LFS doesn't work and found these issues:

1. Builtin LFS doesn't authenticate uploads and downloads if we don't use SSH.
According to: https://github.com/git-lfs/git-lfs/blob/main/docs/api/authentication.md
"The Git LFS API uses HTTP Basic Authentication to authorize requests."

Native git gets credentials from the git credential helper and caches them in memory. In jgit we can reuse the CredentialsProvider used in some cases.
For checkout/reset operations (or if we use the low-level API directly) we need a way to provide credentials explicitly (because jgit may need to download absent LFS-tracked files).

2. If we fix the issue mentioned above, we find that we still can't push to GitHub because of the pre-receive hook.
According to my investigation, it's because of the absence of the "verify" action in jgit.
According to: https://github.com/git-lfs/git-lfs/blob/main/docs/api/basic-transfers.md
"The Batch API can optionally return a verify action object in addition to an upload action object. If given, The Batch API expects a POST to the href after a successful upload."
If we add verify action to jgit, push is successful.

3. If we add an LFS-tracked file in both branches and use git.push().setPushAll() to push all those changes, the push fails because only the file from the first branch is uploaded to the LFS server; the second file isn't uploaded, so we don't pass validation.
Adding walk.reset() in PrePushHook fixes this issue.

The attached patch fixes the issues mentioned above.
But I'm not sure if it's good from an architectural point of view.
I would appreciate it if you would help me improve the patch if needed.
If it's good enough, I can proceed with submitting it to Gerrit.
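The three HTTPS calls described in issues 1 and 2 above (batch request with HTTP Basic credentials, upload, then the optional verify POST), as an added example in Python that is not part of the report or of JGit. The `transport(method, url, headers, body)` interface, the `FakeLfsServer` stand-in, the `example.invalid` URLs and the placeholder credentials are all constructed for this example; the request and response shapes follow the Git LFS batch and basic-transfer docs linked above.

```python
"""Minimal Git LFS "basic" transfer flow: batch -> upload -> verify.

Added example, not JGit's code: sends HTTP Basic credentials on every
request and honours the optional "verify" action from the Batch API.
The transport is injected so the flow runs offline against a fake server.
"""
import base64
import hashlib
import json
from urllib.parse import urlsplit

LFS_JSON = "application/vnd.git-lfs+json"


def basic_auth_header(username, token):
    """HTTP Basic credentials (username:token, base64) as the LFS API requires."""
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def lfs_oid(data):
    """An LFS object id is the lowercase hex SHA-256 of the object content."""
    return hashlib.sha256(data).hexdigest()


def push_lfs_object(transport, lfs_url, username, token, data):
    """Upload one object through the batch API; POST to verify if asked to.

    transport(method, url, headers, body) -> (status, body_bytes) is an
    assumed interface standing in for an HTTPS client.
    """
    auth = basic_auth_header(username, token)
    oid, size = lfs_oid(data), len(data)
    lfs_headers = {"Authorization": auth, "Accept": LFS_JSON, "Content-Type": LFS_JSON}

    # 1. Batch request: ask where to put the object. Without credentials a
    #    private repository answers 401 here (issue 1 in the report).
    batch = {"operation": "upload", "transfers": ["basic"],
             "objects": [{"oid": oid, "size": size}]}
    status, body = transport("POST", f"{lfs_url}/objects/batch", lfs_headers,
                             json.dumps(batch).encode("utf-8"))
    if status != 200:
        raise RuntimeError(f"batch request failed: HTTP {status}")
    obj = json.loads(body)["objects"][0]
    if "error" in obj:
        raise RuntimeError(f"server rejected {oid}: {obj['error']}")
    actions = obj.get("actions", {})
    result = {"oid": oid, "uploaded": False, "verified": False}

    # 2. Upload: PUT the raw bytes to the href of the "upload" action.
    #    No upload action means the server already has this object.
    if "upload" in actions:
        headers = dict(actions["upload"].get("header", {}))
        headers.setdefault("Authorization", auth)  # assumption: reuse batch creds
        status, _ = transport("PUT", actions["upload"]["href"], headers, data)
        if status not in (200, 201):
            raise RuntimeError(f"upload failed: HTTP {status}")
        result["uploaded"] = True

    # 3. Verify: POST oid+size to the "verify" href when the server supplied
    #    one. Skipping it is what the report found the pre-receive hook rejects.
    if "verify" in actions:
        headers = dict(actions["verify"].get("header", {}))
        headers.setdefault("Authorization", auth)
        headers.setdefault("Content-Type", LFS_JSON)
        status, _ = transport("POST", actions["verify"]["href"], headers,
                              json.dumps({"oid": oid, "size": size}).encode("utf-8"))
        if status != 200:
            raise RuntimeError(f"verify failed: HTTP {status}")
        result["verified"] = True
    return result


class FakeLfsServer:
    """Constructed stand-in for a private LFS endpoint: every request needs the
    right Basic credentials; verify passes only for an uploaded, right-sized object."""

    def __init__(self, username, token):
        self.expected_auth = basic_auth_header(username, token)
        self.store = {}
        self.log = []  # (method, path) of each request, to inspect the flow

    def __call__(self, method, url, headers, body):
        path = urlsplit(url).path
        self.log.append((method, path))
        if headers.get("Authorization") != self.expected_auth:
            return 401, b""
        if method == "POST" and path.endswith("/objects/batch"):
            obj = json.loads(body)["objects"][0]
            actions = {"upload": {"href": f"https://lfs.example.invalid/upload/{obj['oid']}"},
                       "verify": {"href": "https://lfs.example.invalid/verify"}}
            resp = {"transfer": "basic", "objects": [{**obj, "actions": actions}]}
            return 200, json.dumps(resp).encode("utf-8")
        if method == "PUT" and path.startswith("/upload/"):
            self.store[path.rsplit("/", 1)[1]] = body
            return 200, b""
        if method == "POST" and path == "/verify":
            req = json.loads(body)
            stored = self.store.get(req["oid"])
            return (200 if stored is not None and len(stored) == req["size"] else 422), b""
        return 404, b""


def demo(wrong_token=False):
    """Run one push against the fake server; returns (result_or_error, server)."""
    username, token = "alice", "PLACEHOLDER_TOKEN"  # constructed, not real creds
    server = FakeLfsServer(username, token)
    try:
        result = push_lfs_object(server, "https://lfs.example.invalid/repo.git/info/lfs",
                                 username, "wrong" if wrong_token else token,
                                 b"constructed large file\n")
    except RuntimeError as exc:
        result = {"error": str(exc)}
    return result, server


if __name__ == "__main__":
    print(demo()[0])
    print(demo(wrong_token=True)[0])
```

`demo()` shows the full POST/PUT/POST sequence succeeding; `demo(wrong_token=True)` stops at the batch request with a 401, which is the failure mode the report describes for an unauthenticated built-in client against a private repository.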
Comment 1 Nail Samatov 2021-09-02 12:19:49 EDT
Created attachment 287076
The patch to fix BuiltinLFS for private repositories
Comment 2 Nail Samatov 2021-09-02 12:26:57 EDT
Ah, looks like we already have a bug that describes #1 from my issues list: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535814.
But it's still not fixed...
Comment 3 Eclipse Genie 2021-09-14 11:13:24 EDT
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/185407
Comment 4 Eclipse Genie 2021-09-14 11:13:36 EDT
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/185408
Comment 5 Eclipse Genie 2021-09-14 11:13:38 EDT
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/185409
Comment 6 Jörn Guy Süß 2022-05-25 20:08:16 EDT
Blocks use of GitLab LFS services:

Git LFS client communicates with the GitLab server over HTTPS. It uses HTTP Basic Authentication to authorize client requests. After the request is authorized, Git LFS client receives instructions from where to fetch or where to push the large file.

https://docs.gitlab.com/ee/topics/git/lfs/#how-it-works

Pretty sizeable client group affected.
Comment 7 Eclipse Genie 2023-02-07 04:04:08 EST
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/199791