87 lines
4.0 KiB
JavaScript
87 lines
4.0 KiB
JavaScript
"use strict";
|
|
// =============================================================================
|
|
// Pure git API — no ToolContext coupling.
|
|
// Requires a GitPushConfig with Gitea credentials for authenticated push.
|
|
// =============================================================================
|
|
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
if (k2 === undefined) k2 = k;
|
|
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
}
|
|
Object.defineProperty(o, k2, desc);
|
|
}) : (function(o, m, k, k2) {
|
|
if (k2 === undefined) k2 = k;
|
|
o[k2] = m[k];
|
|
}));
|
|
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
}) : function(o, v) {
|
|
o["default"] = v;
|
|
});
|
|
var __importStar = (this && this.__importStar) || (function () {
|
|
var ownKeys = function(o) {
|
|
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
var ar = [];
|
|
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
return ar;
|
|
};
|
|
return ownKeys(o);
|
|
};
|
|
return function (mod) {
|
|
if (mod && mod.__esModule) return mod;
|
|
var result = {};
|
|
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
__setModuleDefault(result, mod);
|
|
return result;
|
|
};
|
|
})();
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.gitCommitAndPush = gitCommitAndPush;
|
|
const cp = __importStar(require("child_process"));
|
|
const util = __importStar(require("util"));
|
|
const security_1 = require("./security");
|
|
const execAsync = util.promisify(cp.exec);
|
|
async function gitCommitAndPush(workspaceRoot, message, cfg) {
|
|
const cwd = workspaceRoot;
|
|
const { apiUrl, apiToken, username } = cfg;
|
|
try {
|
|
// Check remote URL before committing — block pushes to protected repos
|
|
let remoteCheck = '';
|
|
try {
|
|
remoteCheck = (await execAsync('git remote get-url origin', { cwd })).stdout.trim();
|
|
}
|
|
catch { /* no remote yet */ }
|
|
for (const protectedRepo of security_1.PROTECTED_GITEA_REPOS) {
|
|
const repoPath = protectedRepo.replace('mark/', '');
|
|
if (remoteCheck.includes(`/${repoPath}`) || remoteCheck.includes(`/${repoPath}.git`)) {
|
|
return {
|
|
error: `SECURITY: This workspace is linked to a protected Vibn platform repo (${protectedRepo}). ` +
|
|
`Agents cannot push to platform repos. Only user project repos are writable.`,
|
|
};
|
|
}
|
|
}
|
|
await execAsync('git add -A', { cwd });
|
|
await execAsync(`git commit -m "${message.replace(/"/g, '\\"')}"`, { cwd });
|
|
// Strip any existing credentials from remote URL and re-inject cleanly
|
|
let remoteUrl = '';
|
|
try {
|
|
remoteUrl = (await execAsync('git remote get-url origin', { cwd })).stdout.trim();
|
|
}
|
|
catch { /* no remote */ }
|
|
const cleanUrl = remoteUrl.replace(/https:\/\/[^@]+@/, 'https://');
|
|
const baseUrl = cleanUrl || apiUrl;
|
|
const authedUrl = baseUrl.replace('https://', `https://${username}:${apiToken}@`);
|
|
await execAsync(`git remote set-url origin "${authedUrl}"`, { cwd }).catch(async () => {
|
|
await execAsync(`git remote add origin "${authedUrl}"`, { cwd });
|
|
});
|
|
const branch = (await execAsync('git rev-parse --abbrev-ref HEAD', { cwd })).stdout.trim();
|
|
await execAsync(`git push -u origin "${branch}"`, { cwd, timeout: 60000 });
|
|
return { success: true, message, branch };
|
|
}
|
|
catch (err) {
|
|
const cleaned = (err.message || '').replace(new RegExp(apiToken, 'g'), '***');
|
|
return { error: `Git operation failed: ${cleaned}` };
|
|
}
|
|
}
|