#API design question for `Git` 🧵

Noticed that we have entirely different ways of configuring auth for ssh vs pat. For ssh, we just pass top level args to dag.Git, but for pat/header auth we have a dag.Git.withAuthToken

Ideally we shouldn't be doing it like this, it should be consistent. We can easily fix this though, and make it consistent (and deprecate whichever we don't choose).

However! Not quite sure which one to go for. I'm really ambivalent honestly, though maybe args make the most amount of sense?

cc @steel kelp @hexed vector @olive quest

I remember discussing this ages back at some point (like a year +), but since I'm back in reworking + improving the git api (in the context of https://github.com/dagger/dagger/pull/9730), figured we should fix this one too

I remember being partial to the separate methods for auth instead of constructor.

mm, it is a bit neater to chain that way.
i think the only argument i have against it is that it maybe makes sense to group a private url right next to a token for it? instead of splitting them up into two separate calls.
but yeah, i don't particularly think it matters that much. i can't see why you'd want to change it more than once, so it would always appear after dag.Git anyways.

okay one reason I'm now leaning towards the constructor: there are now two ways to make a GitRepository - through Query.git and Directory.asGit

imo it doesn't make a huge amount of sense to be able to configure auth on a git repo that's come from the local directory

or imagine a function taking a GitRepostory - that object should be ready to use, it shouldn't be possible to pass in a semi created state, where the auth isn't correctly setup yet

fyi @marble quartz, we were talking about this recently

Catching up...

never managed to get any consensus on this - but decided to start implementing my preferred approach here: https://github.com/dagger/dagger/pull/10248
i'd really like to sort this design before adding too much more functionality to the git api, since it potentially impacts how we do things like remote fetching (https://github.com/dagger/dagger/issues/10200, cc @livid shadow)

Hey @nimble lantern , I just now seeing this thread. Thank you for the tag. I think it makes sense to have the auth in the constructor at the top level. That can propagate to all downstream calls. It will be a breaking change for me but that's not a big deal right now.

(fyi, we'd just deprecate for now, we won't remove it immediately)

The problem is, git auth is not tied to the folder. Instead it happens in the OS. So if I want to do remote git ops in a local directory, I have to auth. Feels clunky to do myself when dagger already has the auth context

you can't do remote ops on a local dir

that's how it works now - i'd like to preserve that property

Sorry, when I say "remote ops", I mean stuff like git fetch --tags or git pull they need auth

but how are you getting it to do that? you're mounting it as a directory?

yes

ah as in https://github.com/dagger/dagger/issues/9858

exactly! I was trying to find it. Thanks! I'm multi-tasking, while in a meeting 😄

i'm reasonably sure we won't be able to do this sadly, directories don't have associated secrets, only containers do

ideally, i'd like to solve this by just having the Git API itself able to do this itself

so you don't need to fetch additional things - you could import remotes, and do it through there

unless, we had Container.WithGitRef directly

then we could do pass through

not entirely sure, but yes, agreed these problems are kind of related.

even thinking about https://github.com/dagger/dagger/issues/10200 for "credential inheritance", we can't just always inherit credentials from the parent.
it's very easy to imagine a case where you have a public remote and a private remote (i've worked places with this setup), and you could very reasonably need different sets of creds for this.

@nimble lantern I don't understand what the "two options" were at the beginning of this thread. You mentioned PAT support and Git.withAuthToken, is that actually part of the API today?

yes, you can do this

https://github.com/dagger/dagger/blob/main/docs/docs-graphql/schema.graphqls#L2459-L2463

But I don't understand how it can work, since Git() creates the GitRepository, what does the withAuthToken apply to?

the problem is that there is a disparity between how you pass ssh auth and http auth params.
http auth is passed only via with
ssh auth is passed only via the constructor

to the whole repository

and the operations it does

I see, it relies on dag.Git being lazy

But this is distinct from native PAT support where dag.Git() on its own loads the full git configuration from the host and applies it implicitly right?

I was just confused since you pass the URL to dag.Git() but the auth credentials for that URL afterwards. Opposite pattern from dag.Container()

I guess consistency has never been our thing (to my eternal frustration)

yeah 😦 atm, we couldn't make dag.Git not lazy, but if we move things to the constructor we potentially could one day

By the way Container.withRegistryAuth also doesn't make sense for distinct reasons

mm, but isn't that one also used for writing?

actually. would make much more sense to have From and Publish take credentials

and deprecate withRegistryAuth in the same vein imo

Yes. That was the original spec. At some point liberties were taken in the implementation

Sometimes I wish I didn't care about consistency, I would be less stressed, and less annoying to others

sure, but i get that the api isn't perfect, but i'm trying to get things better now, i have some cycles to do this

i can just leave it alone, but that's not really helpful to anyone

I think constructor as you suggested is good

I just wanted to make sure you didn't take inspiration from Container.withRegistryAuth in your quest for consistency

happy to rework that one as a separate pr?

That would be amazing, it's been on my list for ages but I keep not getting around to it

neat okay! it's on the list now

with https://github.com/dagger/dagger/pull/10183, we should be able to actually deprecate+remote much more easily

sorry, busy day. I'll catch up and get back to you with an example of what I'm trying to do. It's possible that I'm doing something that's not recommended.

Caught up. I didn't quite follow the latter part of the discussion. But this is my requirement.

• It's a vanilla CI module that's contextual to the repo.
• After build, test, publish, I want to tag the git repo.
• I need auth. Dagger itself already has auth for my repo (because it cloned it) but I can't use it.
• Today I'm authenticating like this - https://github.com/dagger/dagger/issues/9858

I'm not opposed to keep doing that. Lmk if I'm making things difficult for myself 🙂

okay, so i think what you're doing here is a separate issue - I'm a bit confused as to how we'll solve it honestly, but I put some ideas in that issue

if we do dag.Git().Remote() then here's my proposal for auth inheritance: https://github.com/dagger/dagger/issues/10200#issuecomment-2827058496

with all that, i think we can tidy up and remove WithAuthToken as suggested above:
https://github.com/dagger/dagger/pull/10248 is now ready for review 🎉

replied!