idk

NicolasIRAGNE · NicolasIRAGNE · commit 82b145286da5 · 2025-08-09T17:31:04.000+02:00
diff --git a/src/gitingest/clone.py b/src/gitingest/clone.py
@@ -9,11 +9,11 @@
 
 from gitingest.config import DEFAULT_TIMEOUT
 from gitingest.utils.git_utils import (
-    _add_token_to_url,
     check_repo_exists,
     checkout_partial_clone,
     create_git_repo,
     ensure_git_installed,
+    git_auth_context,
     is_github_host,
     resolve_commit,
 )
@@ -86,12 +86,7 @@ async def clone_repo(config: CloneConfig, *, token: str | None = None) -> None:
     commit = await resolve_commit(config, token=token)
     logger.debug("Resolved commit", extra={"commit": commit})
 
-    # Prepare URL with authentication if needed
-    clone_url = url
-    if token and is_github_host(url):
-        clone_url = _add_token_to_url(url, token)
-
-    # Clone the repository using GitPython
+    # Clone the repository using GitPython with proper authentication
     logger.info("Executing git clone operation", extra={"url": "<redacted>", "local_path": local_path})
     try:
         clone_kwargs = {
@@ -100,17 +95,22 @@ async def clone_repo(config: CloneConfig, *, token: str | None = None) -> None:
             "depth": 1,
         }
 
-        if partial_clone:
-            # GitPython doesn't directly support --filter and --sparse in clone
-            # We'll need to use git.Git() for the initial clone with these options
-            git_cmd = git.Git()
-            cmd_args = ["--single-branch", "--no-checkout", "--depth=1"]
+        with git_auth_context(url, token) as git_cmd:
             if partial_clone:
-                cmd_args.extend(["--filter=blob:none", "--sparse"])
-            cmd_args.extend([clone_url, local_path])
-            git_cmd.clone(*cmd_args)
-        else:
-            git.Repo.clone_from(clone_url, local_path, **clone_kwargs)
+                # GitPython doesn't directly support --filter and --sparse in clone
+                # We'll need to use git.Git() for the initial clone with these options
+                cmd_args = ["--single-branch", "--no-checkout", "--depth=1"]
+                if partial_clone:
+                    cmd_args.extend(["--filter=blob:none", "--sparse"])
+                cmd_args.extend([url, local_path])
+                git_cmd.clone(*cmd_args)
+            # For regular clones without auth, we can use git.Repo.clone_from
+            # But with auth, we need to use the configured git_cmd
+            elif token and is_github_host(url):
+                cmd_args = ["--single-branch", "--no-checkout", "--depth=1", url, local_path]
+                git_cmd.clone(*cmd_args)
+            else:
+                git.Repo.clone_from(url, local_path, **clone_kwargs)
 
         logger.info("Git clone completed successfully")
     except git.GitCommandError as exc:
diff --git a/src/gitingest/utils/git_utils.py b/src/gitingest/utils/git_utils.py
@@ -7,9 +7,10 @@
 import os
 import re
 import sys
+from contextlib import contextmanager, suppress
 from pathlib import Path
-from typing import TYPE_CHECKING, Final, Iterable
-from urllib.parse import urlparse, urlunparse
+from typing import TYPE_CHECKING, Final, Generator, Iterable
+from urllib.parse import urlparse
 
 import git
 
@@ -217,13 +218,6 @@ async def fetch_remote_branches_or_tags(url: str, *, ref_type: str, token: str |
 
     # Use GitPython to get remote references
     try:
-        git_cmd = git.Git()
-
-        # Prepare authentication if needed
-        if token and is_github_host(url):
-            auth_url = _add_token_to_url(url, token)
-            url = auth_url
-
         fetch_tags = ref_type == "tags"
         to_fetch = "tags" if fetch_tags else "heads"
 
@@ -233,8 +227,9 @@ async def fetch_remote_branches_or_tags(url: str, *, ref_type: str, token: str |
             cmd_args.append("--refs")  # Filter out peeled tag objects
         cmd_args.append(url)
 
-        # Run the command using git_cmd.ls_remote() method
-        output = git_cmd.ls_remote(*cmd_args)
+        # Run the command with proper authentication
+        with git_auth_context(url, token) as git_cmd:
+            output = git_cmd.ls_remote(*cmd_args)
 
         # Parse output
         return [
@@ -318,6 +313,60 @@ def create_git_auth_header(token: str, url: str = "https://github.com") -> str:
     return f"http.https://{hostname}/.extraheader=Authorization: Basic {basic}"
 
 
+@contextmanager
+def git_auth_context(url: str, token: str | None = None) -> Generator[git.Git]:
+    """Context manager for GitPython authentication.
+
+    Creates a Git command object configured with authentication for GitHub repositories.
+    Uses git's credential system instead of URL manipulation.
+
+    Parameters
+    ----------
+    url : str
+        The repository URL to check if authentication is needed.
+    token : str | None
+        GitHub personal access token (PAT) for accessing private repositories.
+
+    Yields
+    ------
+    Generator[git.Git]
+        Git command object configured with authentication.
+
+    """
+    git_cmd = git.Git()
+
+    if token and is_github_host(url):
+        # Configure git to use the token for this hostname
+        # This is equivalent to: git config credential.https://hostname.username x-oauth-basic
+        # and: git config credential.https://hostname.helper store
+        auth_header = create_git_auth_header(token, url)
+        key, value = auth_header.split("=", 1)
+
+        # Set the auth configuration for this git command
+        original_config = {}
+        try:
+            # Store original config if it exists
+            with suppress(git.GitCommandError):
+                original_config[key] = git_cmd.config("--get", key)
+
+            # Set the authentication
+            git_cmd.config(key, value)
+
+            yield git_cmd
+
+        finally:
+            # Restore original config
+            try:
+                if key in original_config:
+                    git_cmd.config(key, original_config[key])
+                else:
+                    git_cmd.config("--unset", key)
+            except git.GitCommandError:
+                pass  # Config cleanup failed, not critical
+    else:
+        yield git_cmd
+
+
 def validate_github_token(token: str) -> None:
     """Validate the format of a GitHub Personal Access Token.
 
@@ -419,15 +468,9 @@ async def _resolve_ref_to_sha(url: str, pattern: str, token: str | None = None)
 
     """
     try:
-        git_cmd = git.Git()
-
-        # Prepare authentication if needed
-        auth_url = url
-        if token and is_github_host(url):
-            auth_url = _add_token_to_url(url, token)
-
-        # Execute ls-remote command
-        output = git_cmd.ls_remote(auth_url, pattern)
+        # Execute ls-remote command with proper authentication
+        with git_auth_context(url, token) as git_cmd:
+            output = git_cmd.ls_remote(url, pattern)
         lines = output.splitlines()
 
         sha = _pick_commit_sha(lines)
@@ -475,37 +518,3 @@ def _pick_commit_sha(lines: Iterable[str]) -> str | None:
             first_non_peeled = sha
 
     return first_non_peeled  # branch or lightweight tag (or None)
-
-
-def _add_token_to_url(url: str, token: str) -> str:
-    """Add authentication token to GitHub URL.
-
-    Parameters
-    ----------
-    url : str
-        The original GitHub URL.
-    token : str
-        The GitHub token to add.
-
-    Returns
-    -------
-    str
-        The URL with embedded authentication.
-
-    """
-    parsed = urlparse(url)
-    # Add token as username in URL (GitHub supports this)
-    netloc = f"x-oauth-basic:{token}@{parsed.hostname}"
-    if parsed.port:
-        netloc += f":{parsed.port}"
-
-    return urlunparse(
-        (
-            parsed.scheme,
-            netloc,
-            parsed.path,
-            parsed.params,
-            parsed.query,
-            parsed.fragment,
-        ),
-    )
