#http git cloning of remote repos for azure repos

Trying to do this without using hardcoded name:token in the string.

https://learn.microsoft.com/en-us/azure/devops/repos/git/set-up-credential-managers?view=azure-devops

dagger functions -m dev.azure.com/MYORG/MYREPO/_git/daggerverse.git/tf-yolo@main
✔ connect 0.4s
✘ initialize 0.5s
! failed to get configured module: failed to get module ref kind: input: moduleSource resolve: failed to resolve git src to commit: failed to load cache key: failed to fetch remote https://dev.azure.com/MYORG/MYREPO/_git/daggerverse.git: git error: exit status 128
  ✘ resolving module ref 0.5s
  ! failed to get configured module: failed to get module ref kind: input: moduleSource resolve: failed to resolve git src to commit: failed to load cache key: failed to fetch remote https://dev.azure.com/MYORG/MYREPO/_git/daggerverse.git: git error: exit status 128
    ✘ moduleSource(refString: "dev.azure.com/MYORG/MYREPO/_git/daggerverse.git/tf-yolo@main"): ModuleSource! 0.4s
    ! failed to resolve git src to commit: failed to load cache key: failed to fetch remote https://dev.azure.com/MYORG/MYREPO/_git/daggerverse.git: git error: exit status 128
      ✘ cache request: git://dev.azure.com/MYORG/MYREPO/_git/daggerverse.git#main 0.4s
      ! failed to fetch remote https://dev.azure.com/MYORG/MYREPO/_git/daggerverse.git: git error: exit status 128

Error: failed to get configured module: failed to get module ref kind: input: moduleSource resolve: failed to resolve git src to commit: failed to load cache key: failed to fetch remote https://dev.azure.com/MYORG/MYREPO/_git/daggerverse.git: git error: exit status 128
stderr:
fatal: could not read Username for 'https://dev.azure.com': terminal prompts disabled

So i've tried variations. The credential provider does support an oauth workflow so if that's possible let me know

Tried some other variations with https and no go today. Only ssh seems to work fine. I did another tool (remember trunk) and it used the git-credential manager oauth browser workflow so I'm assuming that's where dagger isn't asking for confirmation

Bump <@&946480760016207902> , just to make sure this was seen if the best way

we only support ssh today

we are looking at PAT support in https://github.com/dagger/dagger/issues/7990

Currently on it

@forest tundra I added a comment to discussion just want to make sure it's seen. For me I can't really trial out more helper functions with folks without https support. I plan on trying an alternative today with https header being added and will report back if that gives me a temporary workaround.

Hey Sheldon, thanks for the ping, just replied 🙏 To me, the current ongoing implementation relying on the credential-manager is 100% on-par with your use-case 👼

So I tried adding httpheader auth and still get prompted for password. Any idea if i can solve it this way?

git config --global "credential.https://dev.azure.com.useHttpPath" true
git config --global http.https://dev.azure.com.extraheader "${HEADER_VALUE}"
git config --global http.https://myuser@dev.azure.com.extraheader "${HEADER_VALUE}"

dagger functions -m https://dev.azure.com/myorg/devex/_git/daggerverse.git/tf-yolo@main
dagger functions -m https://myuser@dev.azure.com/myorg/devex/_git/daggerverse.git/tf-yolo@main

I got another tool (trunk to work seamlessly with it)

Tried more variations and no luck @forest tundra , many different ways but no matter with .git or without and with header keeps expecting either password or username. I tried with debug and not additional useful info came out btw.

It won't work. I am currently working on the PAT support / credential support right now 👼 . Will ping you when ready, you'll be part of the first to experience / review it 🙏

@forest tundra awesome!
I have to support http and ssh both so until then i have to hold off some of the small automation I'd try cause most of company doesn't use ssh. Is this something months out or a relatively soon thing?

I had to build dockerized wrapper around something dagger and kept thinking dagger would be good here 😆

Actively working on it, we're busy this week but will resuem next one 🙏

First draft next week

in the meantime, can you tell me if I should be able to provide a token as input like this and when I hard code the https://user:token@path it shouldn't show up in terminal exposed? That's a work around as well I can use for one of my tasks since I want to clone and do all this inside the blackbox of dagger anyway.

prior issue I ran into

egads! Discord finally supports nicely formatted links. When did this happen! Biggest annoyance with it solved 🙂

Hi, is the PAT support implemented already? How can it be used with Azure DevOps?

Hey yes, it relies on the git credential support

https://docs.dagger.io/api/remote-modules/#authentication-methods

I know this doc… it works locally on my device but not in a pipeline running on Azure DevOps.

Situation is:
I have a dagger module stored in a private repo. I use this module as a dependency in my software component. It’s part of the dagger.json. I run “dagger update” in the pipeline. But for any reason it keeps failing in the pipeline with an authentication error. It works with “dagger -m https://$systemtoken@dev.azure.com/….” when I just call a function.

I use the system PAT which has access to the other git repo

Oh, so dagger develop fails with the PAT ? Is that what you're saying, when it's a dependency ? What version of dagger are you using ?

And, when you do the same thing locally, does that fail too ? I suppose, given what you're writing, that your azure pipeline does have a PAT properly configured too ? https://github.com/dagger/dagger/issues/8989

Yes, it’s configured as a dependency. Using the latest dagger version on the build agent.
I assume it’s the credential helper. Locally git uses the mac keychain so dagger picks it up and everything works. On the build agent there is none defined. So the PAT is not available for dagger. I tried with adding headers via GIT config, but if I understood it right, this is ignored by dagger.
New day, new ideas :). I will investigate today. Will give an update later.

Mmmh, git has a standard: git credential, which you can rely on by doing git credential fill.

You can do: echo -e "protocol=https\nhost=dev.azure.com\n" | git credential fill to see if you have a match -- both locally and remote

That's what the engine does on your host when querying the PAT

Can you please try: https://github.com/dagger/dagger/issues/8989#issuecomment-2486541713 and / or https://github.com/dagger/dagger/issues/8989#issuecomment-2486856080 ?

And sorry if you already tried but I didn't understand ahah 😇 Basically, if it's a git credential setup -- the command we do is literally equivalent to the echo -e "protocol=https\nhost=****\n" | git credential fill so if you can retrieve / debug on your CI the password / token and check if it has the correct permissions that would be amazing 🙏

Ok, it was the missing git credential manager. I have found a solution with the following script in my Azure DevOps pipeline:

git config --global credential.helper store 'store --file=~/.git-credentials'
echo "https://someorga:$SYSTEM_ACCESSTOKEN@dev.azure.com" > ~/.git-credentials

Don’t know if there is a nicer solution as I am not that familiar with the git credential manager.

@tropic roost dagger should work out of the box with the default configured git authentication mechanism. If you can do a git clone https://$repo within your azure devops pipeline, dagger should just work

so whatever git credentials config you make, it shouldn't be anything specific particularly to Dagger

Hi @craggy marlin , it was not an issue with Dagger. Dagger worked as expected after I have configured the GIT credential manager on the Azure DevOps build agent.
Maybe the docs from dagger can be enhanced to point that out. Especially if you use the Azure DevOps hosted agents, there is no GIT credential manager configured by default. This was not obvious to me.

@forest tundra any comments on this, or what to update in the docs?