#Git clone of private repos fails

Anyone knows why running this code in my Go module for private repo fails:

func (m *MyModule) Clone(ctx context.Context) *dagger.Directory {
    return dag.Git("https://github.com/my-org/private-repo").Branch("main").Tree()
}

...when running this command:

dagger call clone terminal

Error output

✘ .clone: Directory! 3.3s ERROR
┇ git(url: "https://github.com/my-org/private-repo") › git remote metadata ›
✘ git ls-remote --symref https://github.com/my-org/private-repo 0.3s ERROR
remote: Invalid username or token. Password authentication is not supported for Git operations.
fatal: Authentication failed for 'https://github.com/my-org/private-repo/'

?

Everything works when using Dagger built-ins against the same repo/branch:

dagger core git --url https://github.com/my-org/private-repo branch --name main tree terminal

(Also when cloning the repo using same url normally.) Really weird.

Platform: MacOS Tahoe
SDK: Go
Dagger version: dagger v0.19.8 (image://registry.dagger.io/engine:v0.19.8) darwin/arm64/v8

Have you tried with ssh authentication ? you can pass your host ssh socket as a parameter using the *dagger.Socket type

from https://docs.dagger.io/cookbook/filesystems/?sdk=Go+(SSH)#clone-a-remote-git-repository-into-a-container

package main

import (
    "context"
    "dagger/my-module/internal/dagger"
)

// Demonstrates an SSH-based clone requiring a user-supplied SSHAuthSocket.
type MyModule struct{}

func (m *MyModule) CloneWithSsh(ctx context.Context, repository string, ref string, sock *dagger.Socket) *dagger.Container {
    d := dag.Git(repository, dagger.GitOpts{SSHAuthSocket: sock}).Ref(ref).Tree()

    return dag.Container().
        From("alpine:latest").
        WithDirectory("/src", d).
        WithWorkdir("/src")
}

dagger call \
  clone-with-ssh --repository=git@github.com:dagger/dagger.git --ref=196f232a4d6b2d1d3db5f5e040cf20b6a76a76c5 --sock=$SSH_AUTH_SOCK \
  terminal

yeah it works if pass token/ssh sock explicitly

i guess it doesn't have access to my osxkeychain inside buildkit env and core git does that clientside

i think it would be nice if dagger call did that as well before sending graphql to the server

Thanks for looking into it, @summer depot !

this is correct and it's intended. Otherwise, someone might exfiltrate your private repos if you're using a third party module that uses the git call.

I thought we unlocked the forward of the git-credential helper just for the parent module ? 👀

wouldn't this mean calling dagger -m $module could also result in leaking secrets?

i'll have to check again, it was Justin's implementation, but I think so yes. If a user calls a top-level module (remote or local), then, in this pattern, it's his responsibility (apparently doesn't work for the user, so i might be wrong, but I was 95% sure)

strange.. doesn't seem to be working for me 🤔