fix

Author: brendan-kellam

packages/backend/src/git.ts

@@ -1,48 +1,59 @@
 import { CheckRepoActions, GitConfigScope, simpleGit, SimpleGitProgressEvent } from 'simple-git';
+import { mkdir } from 'node:fs/promises';
 
 type onProgressFn = (event: SimpleGitProgressEvent) => void;
 
-export const cloneRepository = async (cloneURL: string, path: string, onProgress?: onProgressFn) => {
-    const git = simpleGit({
-        progress: onProgress,
-    });
+export const cloneRepository = async (
+    remoteUrl: URL,
+    path: string,
+    onProgress?: onProgressFn
+) => {
     try {
-        await git.clone(
-            cloneURL,
-            path,
-            [
-                "--bare",
-            ]
-        );
+        const git = simpleGit({
+            progress: onProgress,
+        });
+
+        await mkdir(path, { recursive: true });
 
         await git.cwd({
             path,
-        }).addConfig("remote.origin.fetch", "+refs/heads/*:refs/heads/*");
+        }).init(/*bare = */ true);
+
+        await git.cwd({
+            path
+        }).fetch([
+            remoteUrl.toString(),
+            // See https://git-scm.com/book/en/v2/Git-Internals-The-Refspec
+            "+refs/heads/*:refs/heads/*",
+            "--progress",
+        ]);
     } catch (error: unknown) {
         if (error instanceof Error) {
             throw new Error(`Failed to clone repository: ${error.message}`);
         } else {
             throw new Error(`Failed to clone repository: ${error}`);
         }
     }
-}
-
+};
 
-export const fetchRepository = async (path: string, onProgress?: onProgressFn) => {
+export const fetchRepository = async (
+    remoteUrl: URL,
+    path: string,
+    onProgress?: onProgressFn
+) => {
     const git = simpleGit({
         progress: onProgress,
     });
 
     try {
         await git.cwd({
             path: path,
-        }).fetch(
-            "origin",
-            [
-                "--prune",
-                "--progress"
-            ]
-        );
+        }).fetch([
+            remoteUrl.toString(),
+            "+refs/heads/*:refs/heads/*",
+            "--prune",
+            "--progress"
+        ]);
     } catch (error: unknown) {
         if (error instanceof Error) {
             throw new Error(`Failed to fetch repository ${path}: ${error.message}`);

packages/backend/src/repoManager.ts

@@ -237,12 +237,32 @@ export class RepoManager implements IRepoManager {
             await promises.rm(repoPath, { recursive: true, force: true });
         }
 
+        const credentials = await this.getCloneCredentialsForRepo(repo, this.db);
+        const remoteUrl = new URL(repo.cloneUrl);
+        if (credentials) {
+            // @note: URL has a weird behavior where if you set the password but
+            // _not_ the username, the ":" delimiter will still be present in the
+            // URL (e.g., https://:password@example.com). To get around this, if
+            // we only have a password, we set the username to the password.
+            // @see: https://www.typescriptlang.org/play/?#code/MYewdgzgLgBArgJwDYwLwzAUwO4wKoBKAMgBQBEAFlFAA4QBcA9I5gB4CGAtjUpgHShOZADQBKANwAoREj412ECNhAIAJmhhl5i5WrJTQkELz5IQAcxIy+UEAGUoCAJZhLo0UA
+            if (!credentials.username) {
+                remoteUrl.username = credentials.password;
+            } else {
+                remoteUrl.username = credentials.username;
+                remoteUrl.password = credentials.password;
+            }
+        }
+
         if (existsSync(repoPath) && !isReadOnly) {
             logger.info(`Fetching ${repo.displayName}...`);
 
-            const { durationMs } = await measure(() => fetchRepository(repoPath, ({ method, stage, progress }) => {
-                logger.debug(`git.${method} ${stage} stage ${progress}% complete for ${repo.displayName}`)
-            }));
+            const { durationMs } = await measure(() => fetchRepository(
+                remoteUrl,
+                repoPath,
+                ({ method, stage, progress }) => {
+                    logger.debug(`git.${method} ${stage} stage ${progress}% complete for ${repo.displayName}`)
+                }
+            ));
             const fetchDuration_s = durationMs / 1000;
 
             process.stdout.write('\n');
@@ -251,25 +271,14 @@ export class RepoManager implements IRepoManager {
         } else if (!isReadOnly) {
             logger.info(`Cloning ${repo.displayName}...`);
 
-            const auth = await this.getCloneCredentialsForRepo(repo, this.db);
-            const cloneUrl = new URL(repo.cloneUrl);
-            if (auth) {
-                // @note: URL has a weird behavior where if you set the password but
-                // _not_ the username, the ":" delimiter will still be present in the
-                // URL (e.g., https://:password@example.com). To get around this, if
-                // we only have a password, we set the username to the password.
-                // @see: https://www.typescriptlang.org/play/?#code/MYewdgzgLgBArgJwDYwLwzAUwO4wKoBKAMgBQBEAFlFAA4QBcA9I5gB4CGAtjUpgHShOZADQBKANwAoREj412ECNhAIAJmhhl5i5WrJTQkELz5IQAcxIy+UEAGUoCAJZhLo0UA
-                if (!auth.username) {
-                    cloneUrl.username = auth.password;
-                } else {
-                    cloneUrl.username = auth.username;
-                    cloneUrl.password = auth.password;
+            // Use the new secure cloning method that doesn't store credentials in .git/config
+            const { durationMs } = await measure(() => cloneRepository(
+                remoteUrl,
+                repoPath,
+                ({ method, stage, progress }) => {
+                    logger.debug(`git.${method} ${stage} stage ${progress}% complete for ${repo.displayName}`)
                 }
-            }
-
-            const { durationMs } = await measure(() => cloneRepository(cloneUrl.toString(), repoPath, ({ method, stage, progress }) => {
-                logger.debug(`git.${method} ${stage} stage ${progress}% complete for ${repo.displayName}`)
-            }));
+            ));
             const cloneDuration_s = durationMs / 1000;
 
             process.stdout.write('\n');
@@ -540,7 +549,7 @@ export class RepoManager implements IRepoManager {
 
     public async validateIndexedReposHaveShards() {
         logger.info('Validating indexed repos have shards...');
-        
+
         const indexedRepos = await this.db.repo.findMany({
             where: {
                 repoIndexingStatus: RepoIndexingStatus.INDEXED
@@ -556,7 +565,7 @@ export class RepoManager implements IRepoManager {
         const reposToReindex: number[] = [];
         for (const repo of indexedRepos) {
             const shardPrefix = getShardPrefix(repo.orgId, repo.id);
-            
+
             // TODO: this doesn't take into account if a repo has multiple shards and only some of them are missing. To support that, this logic
             // would need to know how many total shards are expected for this repo
             let hasShards = false;

packages/web/src/app/[domain]/browse/[...path]/components/codePreviewPanel.tsx

@@ -45,6 +45,7 @@ export const CodePreviewPanel = async ({ path, repoName, revisionName, domain }:
                         displayName: repoInfoResponse.displayName,
                         webUrl: repoInfoResponse.webUrl,
                     }}
+                    branchDisplayName={revisionName}
                 />
                 {(fileSourceResponse.webUrl && codeHostInfo) && (
                     <a

packages/web/src/app/[domain]/browse/[...path]/components/treePreviewPanel.tsx

@@ -40,6 +40,7 @@ export const TreePreviewPanel = async ({ path, repoName, revisionName, domain }:
                     }}
                     pathType="tree"
                     isFileIconVisible={false}
+                    branchDisplayName={revisionName}
                 />
             </div>
             <Separator />