From 333591753e4bd871aab27dde1a3d059f1a0d96df Mon Sep 17 00:00:00 2001
From: Tim Schumacher <tim.schumacher@dkfz-heidelberg.de>
Date: Thu, 23 Jan 2025 15:44:32 +0100
Subject: [PATCH] Only use git credential helper when needed

---
 lib/{gitpassword.sh => gitlab-token-helper.sh} |  0
 lib/update-bridgehead.sh                       | 13 ++++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)
 rename lib/{gitpassword.sh => gitlab-token-helper.sh} (100%)

diff --git a/lib/gitpassword.sh b/lib/gitlab-token-helper.sh
similarity index 100%
rename from lib/gitpassword.sh
rename to lib/gitlab-token-helper.sh
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 7aa88f4..ae09716 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -58,11 +58,18 @@ if [ $? -eq 0 ]; then
   # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
   CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
   git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
+  # Set the git credential helper
+  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
 else
   log "WARN" "Secret Sync failed"
+  # Remove the git credential helper
+  git -C /etc/bridgehead config --unset credential.helper
 fi
 
-CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
+# Let's remove it to avoid confusion. This line can be removed at some point the future when we
+# believe that it was removed on all/most production servers.
+git -C /srv/docker/bridgehead config --unset credential.helper
 
 CHANGES=""
 
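Review bot: The `credential.helper` set in the success branch is not scoped to a URL, so git will call the token helper for every HTTPS host this repository contacts, not only the GitLab server; unless gitlab-token-helper.sh checks the `host=` field it receives (its contents are not shown in this patch), the token could be offered to another host if the origin URL is ever changed. Scoping the key limits that: `git -C /etc/bridgehead config credential.https://<GITLAB_HOST>.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh`, where `<GITLAB_HOST>` is a placeholder for the real server, with the `--unset` in the else branch changed to the same key. Separately, both `git config --unset credential.helper` calls exit with status 5 when the key is absent, which is the normal case on later runs; if this script runs under `set -e` (not visible here) that would abort the update, so appending `|| true` with a short comment is safer. The enclosing `if` starts outside the hunk.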
@@ -74,10 +81,6 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ -n "$OUT" ]; then
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
-  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
-    log "INFO" "Configuring repo to use bridgehead git credential helper."
-    git -C $DIR config credential.helper "$CREDHELPER"
-  fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
     log "INFO" "Git is using no proxy!"