feat: Support helm --username and --password (#347)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Zadkiel AHARONIAN <hello@zadkiel.fr>

Author: Copilot

.github/workflows/release.yml

@@ -27,7 +27,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        helm: ['2.17.0', '3.4.2', '3.7.1']
+        helm: ['2.17.0', '3.4.2', '3.7.1', '3.18.5']
     env:
       FIXTURES_GIT_REPO: ${{ format('{0}/{1}', github.server_url, github.event.pull_request.head.repo.full_name || github.repository) }}
       FIXTURES_GIT_REF: ${{ github.head_ref || github.ref_name }}

README.md

@@ -98,6 +98,23 @@ As this plugin uses `git` CLI to clone repos. You can configure private access i
 
 - **using ssh**: Start a [ssh-agent daemon](https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/#adding-your-ssh-key-to-the-ssh-agent)
 - **using https**: Use a [credentials helper](https://git-scm.com/docs/gitcredentials)
+- **using helm credentials**: Use `helm repo add --username user --password pass` to provide credentials
+
+#### Helm Credentials Support
+
+> **Note:** This feature requires Helm v3.14.0 or later.
+
+This plugin supports Helm's built-in credential passing mechanism. When you use `helm repo add` with `--username` and `--password` flags, the plugin automatically configures git to use these credentials:
+
+```bash
+# Add a repository with credentials
+helm repo add my-repo --username myuser --password mypass git+https://github.com/company/charts@charts?ref=main
+
+# The credentials are automatically used for git operations
+helm fetch my-repo/my-chart
+```
+
+**Note**: When both Helm credentials and existing git authentication (SSH keys, credential helpers) are available, Helm credentials take precedence for the current operation.
 
 ### Note on SSH relative paths
 

helm-git-plugin.sh

@@ -44,6 +44,12 @@ readonly git_quiet
 # Set default value for TMPDIR
 export TMPDIR="${TMPDIR:-/tmp}"
 
+# Initialize git credential variables
+git_username="${HELM_PLUGIN_USERNAME:-}"
+git_password="${HELM_PLUGIN_PASSWORD:-}"
+unset HELM_PLUGIN_USERNAME
+unset HELM_PLUGIN_PASSWORD
+
 # Cache repos or charts depending on the cache path existing in the environment variables
 cache_repos_enabled=0
 if [ -n "${HELM_GIT_REPO_CACHE:-}" ]; then
@@ -90,19 +96,36 @@ warning() {
 
 ## Functions
 
+# git_cmd(git_arguments...)
+# Execute git command with credential helper if credentials are available
+git_cmd() {
+  _ret=0
+  if [ -n "${git_username:-}" ]; then
+    trace "[git, username:${git_username}] $*"
+    # shellcheck disable=SC2016
+    GIT_TERMINAL_PROMPT=0 GIT_USERNAME="${git_username}" GIT_PASSWORD="${git_password}" git -c credential.helper='!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_PASSWORD}"; }; f' "$@"
+    _ret=$?
+  else
+    trace "[git] $*"
+    GIT_TERMINAL_PROMPT=0 git "$@"
+    _ret=$?
+  fi
+  return $_ret
+}
+
 # git_try(git_repo)
 git_try() {
   _git_repo=$1
 
-  GIT_TERMINAL_PROMPT=0 git ls-remote "$_git_repo" --refs >"${git_output}" 2>&1 || return 1
+  git_cmd ls-remote "$_git_repo" --refs >"${git_output}" 2>&1 || return 1
 }
 
 #git_get_default_branch(git_repo_path)
 git_get_default_branch() {
   _git_repo="${1?Missing git_repo as first parameter}"
 
   # Fetch default branch from remote
-  _git_symref=$(GIT_TERMINAL_PROMPT=0  git ls-remote --symref "${_git_repo}" origin HEAD 2>"${git_output}") || return
+  _git_symref=$(git_cmd ls-remote --symref "${_git_repo}" origin HEAD 2>"${git_output}") || return
   echo "$_git_symref" | awk '/^ref:/ {sub(/refs\/heads\//, "", $2); print $2}' || return
 }
 
@@ -112,7 +135,7 @@ git_fetch_ref() {
   _git_ref="${2?Mising git_ref as second parameter}"
 
   # Fetches any kind of ref to its right place, tags, annotated tags, branches and commit refs
-  GIT_DIR="${_git_repo_path}" git fetch -u --depth=1 origin "refs/*/${_git_ref}:refs/*/${_git_ref}" "${_git_ref}" >"${git_output}" 2>&1
+  GIT_DIR="${_git_repo_path}" git_cmd fetch -u --depth=1 origin "refs/*/${_git_ref}:refs/*/${_git_ref}" "${_git_ref}" >"${git_output}" 2>&1
 }
 
 #git_cache_intercept(git_repo, git_ref)
@@ -132,14 +155,14 @@ git_cache_intercept() {
     {
       mkdir -p "${repo_path}" &&
         cd "${repo_path}" &&
-        git init --bare ${git_quiet} >"${git_output}" 2>&1 &&
-        git remote add origin "${_git_repo}" >"${git_output}" 2>&1
+        git_cmd init --bare ${git_quiet} >"${git_output}" 2>&1 &&
+        git_cmd remote add origin "${_git_repo}" >"${git_output}" 2>&1
     } >&2 || debug "Could not setup ${_git_repo}" && return 1
   else
     debug "${_git_repo} exists in cache"
   fi
   debug "Making sure we have the requested ref #${_git_ref}"
-  if [ -z "$(GIT_DIR="${repo_path}" git tag -l "${_git_ref}" 2>"${git_output}")" ]; then
+  if [ -z "$(GIT_DIR="${repo_path}" git_cmd tag -l "${_git_ref}" 2>"${git_output}")" ]; then
     debug "Did not find ${_git_ref} in our cache for ${_git_repo}, fetching...."
     # This fetches properly tags, annotated tags, branches and commits that match the name and leave them at the right place
     git_fetch_ref "${repo_path}" "${_git_ref}" ||
@@ -168,18 +191,18 @@ git_checkout() {
 
   {
     cd "$_target_path"
-    git init ${git_quiet} >"${git_output}" 2>&1
-    git config pull.ff only >"${git_output}" 2>&1
-    git remote add origin "$_git_repo" >"${git_output}" 2>&1
+    git_cmd init ${git_quiet} >"${git_output}" 2>&1
+    git_cmd config pull.ff only >"${git_output}" 2>&1
+    git_cmd remote add origin "$_git_repo" >"${git_output}" 2>&1
   }
   if [ "$_sparse" = "1" ] && [ -n "$_git_path" ]; then
-    git config core.sparseCheckout true >"${git_output}" 2>&1
+    git_cmd config core.sparseCheckout true >"${git_output}" 2>&1
     mkdir -p .git/info
     echo "$_git_path/*" >.git/info/sparse-checkout
   fi
   git_fetch_ref "${PWD}/.git" "${_git_ref}" ||
     error "Unable to fetch remote. Check your Git url."
-  git checkout ${git_quiet} "${_git_ref}" >"${git_output}" 2>&1 ||
+  git_cmd checkout ${git_quiet} "${_git_ref}" >"${git_output}" 2>&1 ||
     error "Unable to checkout ref. Check your Git ref ($_git_ref) and path ($_git_path)."
   # shellcheck disable=SC2010,SC2012
   if [ "$(ls -A | grep -v '^.git$' -c)" = "0" ]; then
@@ -408,7 +431,7 @@ main() {
   fi
 
   # Setup exit trap
-  # shellcheck disable=SC2317,SC2329 
+  # shellcheck disable=SC2317,SC2329
   exit_trap() {
     [ "$cleanup" = 1 ] || return 0
     rm -rf "$git_root_path" "${helm_home_target_path:-}"

tests/07-credentials.bats

@@ -0,0 +1,167 @@
+#!/usr/bin/env bats
+
+load 'test-helper'
+
+setup_file() {
+    if ! helm_supports_credentials; then
+        echo "# Skipping credential tests - Helm version < 3.14.0 does not support credential passing" >&2
+    fi
+}
+
+@test "should setup git credentials when HELM_PLUGIN_USERNAME and HELM_PLUGIN_PASSWORD are set" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    export HELM_PLUGIN_USERNAME="testuser"
+    export HELM_PLUGIN_PASSWORD="testpass"
+
+    # Source the plugin and check that credentials are stored
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && echo "git_username=${git_username}" && echo "git_password=${git_password}"'
+    [ $status = 0 ]
+    [[ "$output" == *"git_username=testuser"* ]]
+    [[ "$output" == *"git_password=testpass"* ]]
+
+    # Check that the original HELM_PLUGIN_* variables are unset for security
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && echo "HELM_PLUGIN_USERNAME=${HELM_PLUGIN_USERNAME:-unset}" && echo "HELM_PLUGIN_PASSWORD=${HELM_PLUGIN_PASSWORD:-unset}"'
+    [ $status = 0 ]
+    [[ "$output" == *"HELM_PLUGIN_USERNAME=unset"* ]]
+    [[ "$output" == *"HELM_PLUGIN_PASSWORD=unset"* ]]
+
+    # Check that the internal git_* variables are NOT exported to child processes
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && bash -c "echo git_username=\${git_username:-unset}; echo git_password=\${git_password:-unset}"'
+    [ $status = 0 ]
+    [[ "$output" == *"git_username=unset"* ]]
+    [[ "$output" == *"git_password=unset"* ]]
+}
+
+@test "should not setup git credentials when HELM_PLUGIN_USERNAME is missing" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    unset HELM_PLUGIN_USERNAME
+    export HELM_PLUGIN_PASSWORD="testpass"
+
+    # Source the plugin and verify git_username is empty
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && echo "git_username=${git_username:-empty}"'
+    [ $status = 0 ]
+    [[ "$output" == *"git_username=empty"* ]]
+}
+
+@test "should setup git credentials with username only (empty password allowed)" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    export HELM_PLUGIN_USERNAME="testuser"
+    unset HELM_PLUGIN_PASSWORD
+
+    # Source the plugin and verify credentials are set (username without password is allowed)
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && echo "git_username=${git_username}" && echo "git_password=${git_password:-empty}"'
+    [ $status = 0 ]
+    [[ "$output" == *"git_username=testuser"* ]]
+    [[ "$output" == *"git_password=empty"* ]]
+}
+
+@test "should not setup git credentials when both are missing" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    unset HELM_PLUGIN_USERNAME
+    unset HELM_PLUGIN_PASSWORD
+
+    # Source the plugin and verify both are empty
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && echo "git_username=${git_username:-empty}" && echo "git_password=${git_password:-empty}"'
+    [ $status = 0 ]
+    [[ "$output" == *"git_username=empty"* ]]
+    [[ "$output" == *"git_password=empty"* ]]
+}
+
+@test "helm_git main should use credentials with username and password" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    export HELM_PLUGIN_USERNAME="testuser"
+    export HELM_PLUGIN_PASSWORD="testpass"
+    export HELM_GIT_TRACE=1
+
+    # Test that git_cmd uses credentials by checking trace output
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && git_cmd --version 2>&1'
+
+    # Check that the trace message about using credentials appears
+    [[ "$output" == *"[git, username:testuser] --version"* ]]
+    [[ "$output" == *"git version"* ]]
+}
+
+@test "git credential helper should work with environment variables" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    export HELM_PLUGIN_USERNAME="testuser"
+    export HELM_PLUGIN_PASSWORD="testpass"
+
+    # Test the credential helper by simulating what git_cmd does
+    run bash -c 'GIT_USERNAME="testuser" GIT_PASSWORD="testpass" bash <<EOF
+echo "username=\${GIT_USERNAME}"
+echo "password=\${GIT_PASSWORD}"
+EOF'
+    [ $status = 0 ]
+    [[ "$output" == *"username=testuser"* ]]
+    [[ "$output" == *"password=testpass"* ]]
+}
+
+@test "should handle credentials with special characters" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    export HELM_PLUGIN_USERNAME="user@domain.com"
+    export HELM_PLUGIN_PASSWORD="pass/with/special&chars"
+
+    # Source the plugin and verify credentials with special characters are stored
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && echo "git_username=${git_username}" && echo "git_password=${git_password}"'
+    [ $status = 0 ]
+    [[ "$output" == *"git_username=user@domain.com"* ]]
+    [[ "$output" == *"git_password=pass/with/special&chars"* ]]
+
+    # Test that the credential helper can handle special characters
+    run bash -c 'GIT_USERNAME="user@domain.com" GIT_PASSWORD="pass/with/special&chars" bash <<EOF
+echo "username=\${GIT_USERNAME}"
+echo "password=\${GIT_PASSWORD}"
+EOF'
+    [ $status = 0 ]
+    [[ "$output" == *"username=user@domain.com"* ]]
+    [[ "$output" == *"password=pass/with/special&chars"* ]]
+}
+
+@test "git_cmd should use credentials when available" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    export HELM_PLUGIN_USERNAME="testuser"
+    export HELM_PLUGIN_PASSWORD="testpass"
+
+    # Test git_cmd function with credentials
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && git_cmd --version'
+    [ $status = 0 ]
+    [[ "$output" == *"git version"* ]]
+}
+
+@test "git_cmd should work normally when no credentials" {
+    if ! helm_supports_credentials; then
+        skip "Helm version < 3.14.0 does not support credential passing"
+    fi
+
+    unset HELM_PLUGIN_USERNAME
+    unset HELM_PLUGIN_PASSWORD
+
+    # Test git_cmd function without credentials
+    run bash -c 'source "${HELM_GIT_DIRNAME}/helm-git-plugin.sh" && git_cmd --version'
+    [ $status = 0 ]
+    [[ "$output" == *"git version"* ]]
+}

tests/test-helper.bash

@@ -54,3 +54,14 @@ set_chart_cache_strategy() {
     HELM_GIT_CHART_CACHE_STRATEGY="$1"
     export HELM_GIT_CHART_CACHE_STRATEGY
 }
+
+# Check if Helm version supports credential passing (>= 3.14.0)
+helm_supports_credentials() {
+    v=$($HELM_BIN version --short 2>/dev/null | sed 's/^v//' | cut -d+ -f1 | cut -d- -f1)
+    [ -n "$v" ] || return 1
+    # shellcheck disable=SC2046
+    set -- $(echo "$v" | awk -F. '{print $1,$2,($3?$3:0)}')
+    [ "$1" -gt 3 ] ||
+    { [ "$1" -eq 3 ] && [ "$2" -gt 14 ]; } ||
+    { [ "$1" -eq 3 ] && [ "$2" -eq 14 ] && [ "$3" -ge 0 ]; }
+}