unset git remote url

Author: brendan-kellam

packages/backend/src/git.ts

@@ -9,19 +9,17 @@ export const cloneRepository = async (
     onProgress?: onProgressFn
 ) => {
     try {
-        const git = simpleGit({
-            progress: onProgress,
-        });
-
         await mkdir(path, { recursive: true });
 
-        await git.cwd({
+        const git = simpleGit({
+            progress: onProgress,
+        }).cwd({
             path,
-        }).init(/*bare = */ true);
+        })
+
+        await git.init(/*bare = */ true);
 
-        await git.cwd({
-            path
-        }).fetch([
+        await git.fetch([
             remoteUrl.toString(),
             // See https://git-scm.com/book/en/v2/Git-Internals-The-Refspec
             "+refs/heads/*:refs/heads/*",
@@ -41,14 +39,14 @@ export const fetchRepository = async (
     path: string,
     onProgress?: onProgressFn
 ) => {
-    const git = simpleGit({
-        progress: onProgress,
-    });
-
     try {
-        await git.cwd({
+        const git = simpleGit({
+            progress: onProgress,
+        }).cwd({
             path: path,
-        }).fetch([
+        })
+
+        await git.fetch([
             remoteUrl.toString(),
             "+refs/heads/*:refs/heads/*",
             "--prune",
@@ -87,6 +85,28 @@ export const upsertGitConfig = async (path: string, gitConfig: Record<string, st
     }
 }
 
+/**
+ * Unsets the specified keys in the git config for the repo at the given path.
+ * If a key is not set, this is a no-op.
+ */
+export const unsetGitConfig = async (path: string, keys: string[], onProgress?: onProgressFn) => {
+    const git = simpleGit({
+        progress: onProgress,
+    }).cwd(path);
+
+    try {
+        for (const key of keys) {
+            await git.raw(['config', '--unset', key]);
+        }
+    } catch (error: unknown) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to unset git config ${path}: ${error.message}`);
+        } else {
+            throw new Error(`Failed to unset git config ${path}: ${error}`);
+        }
+    }
+}
+
 /**
  * Returns true if `path` is the _root_ of a git repository.
  */

packages/backend/src/repoManager.ts

@@ -5,7 +5,7 @@ import { Connection, PrismaClient, Repo, RepoToConnection, RepoIndexingStatus, S
 import { GithubConnectionConfig, GitlabConnectionConfig, GiteaConnectionConfig, BitbucketConnectionConfig } from '@sourcebot/schemas/v3/connection.type';
 import { AppContext, Settings, repoMetadataSchema } from "./types.js";
 import { getRepoPath, getTokenFromConfig, measure, getShardPrefix } from "./utils.js";
-import { cloneRepository, fetchRepository, upsertGitConfig } from "./git.js";
+import { cloneRepository, fetchRepository, unsetGitConfig, upsertGitConfig } from "./git.js";
 import { existsSync, readdirSync, promises } from 'fs';
 import { indexGitRepository } from "./zoekt.js";
 import { PromClient } from './promClient.js';
@@ -254,8 +254,15 @@ export class RepoManager implements IRepoManager {
         }
 
         if (existsSync(repoPath) && !isReadOnly) {
-            logger.info(`Fetching ${repo.displayName}...`);
+            // @NOTE: in #483, we changed the cloning method s.t., we _no longer_
+            // write the clone URL (which could contain a auth token) to the
+            // `remote.origin.url` entry. For the upgrade scenario, we want
+            // to unset this key since it is no longer needed, hence this line.
+            // This will no-op if the key is already unset.
+            // @see: https://github.com/sourcebot-dev/sourcebot/pull/483
+            await unsetGitConfig(repoPath, ["remote.origin.url"]);
 
+            logger.info(`Fetching ${repo.displayName}...`);
             const { durationMs } = await measure(() => fetchRepository(
                 remoteUrl,
                 repoPath,
@@ -271,7 +278,6 @@ export class RepoManager implements IRepoManager {
         } else if (!isReadOnly) {
             logger.info(`Cloning ${repo.displayName}...`);
 
-            // Use the new secure cloning method that doesn't store credentials in .git/config
             const { durationMs } = await measure(() => cloneRepository(
                 remoteUrl,
                 repoPath,