Add jit access endpoint support in the cli

cmd/dependabot/internal/cmd/update.go

@@ -329,6 +329,7 @@ func processInput(input *model.Input, flags *UpdateFlags) {
 	// doesn't already exist. This way the user doesn't run out of calls from being anonymous.
 	hasLocalToken := os.Getenv("LOCAL_GITHUB_ACCESS_TOKEN") != ""
 	hasLocalAzureToken := os.Getenv("LOCAL_AZURE_ACCESS_TOKEN") != ""
+	hasGitHubJitAccessEndpoint := os.Getenv("GITHUB_JITACCESS_TOKEN_ENDPOINT") != ""
 
 	var isGitSourceInCreds bool
 	for _, cred := range input.Credentials {
@@ -359,6 +360,17 @@ func processInput(input *model.Input, flags *UpdateFlags) {
 			"username": "x-access-token",
 			"password": "$LOCAL_GITHUB_ACCESS_TOKEN",
 		})
+
+		if hasGitHubJitAccessEndpoint {
+			log.Println("Adding jit_access type for GitHub credentials")
+			input.Credentials = append(input.Credentials, model.Credential{
+				"type":            "jit_access",
+				"host":            host,
+				"credential-type": "git_source",
+				"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
+			})
+		}
+
 		if len(input.Job.CredentialsMetadata) > 0 {
 			// Add the metadata since the next section will be skipped.
 			input.Job.CredentialsMetadata = append(input.Job.CredentialsMetadata, map[string]any{

cmd/dependabot/internal/cmd/update_test.go

@@ -17,6 +17,7 @@ func Test_processInput(t *testing.T) {
 	t.Cleanup(func() {
 		os.Unsetenv("LOCAL_GITHUB_ACCESS_TOKEN")
 		os.Unsetenv("LOCAL_AZURE_ACCESS_TOKEN")
+		os.Unsetenv("GITHUB_JITACCESS_TOKEN_ENDPOINT")
 	})
 	t.Run("initializes some fields", func(t *testing.T) {
 		os.Setenv("LOCAL_GITHUB_ACCESS_TOKEN", "")
@@ -203,6 +204,50 @@ func Test_processInput(t *testing.T) {
 
 		assertStringArraysEqual(t, expectedGitCredentalsMetadataHosts, actualCredentialsMetadataHosts)
 	})
+
+	t.Run("Add Jit Access credentials when endpoint is present", func(t *testing.T) {
+		var input model.Input
+		os.Setenv("LOCAL_GITHUB_ACCESS_TOKEN", "token")
+		host := "github.example.com"
+		input.Job.Source.Hostname = &host
+		os.Setenv("GITHUB_JITACCESS_TOKEN_ENDPOINT", "host/jit_access")
+
+		processInput(&input, nil)
+
+		if len(input.Credentials) != 2 {
+			t.Fatal("expected two credential types to be added")
+		}
+		if !reflect.DeepEqual(input.Credentials[0], model.Credential{
+			"type":     "git_source",
+			"host":     host,
+			"username": "x-access-token",
+			"password": "$LOCAL_GITHUB_ACCESS_TOKEN",
+		}) {
+			t.Error("expected git_source credentials to be added")
+		}
+		if !reflect.DeepEqual(input.Credentials[1], model.Credential{
+			"type":            "jit_access",
+			"host":            host,
+			"credential-type": "git_source",
+			"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
+		}) {
+			t.Error("expected jit_access credentials to be added")
+		}
+		if !reflect.DeepEqual(input.Job.CredentialsMetadata[0], model.Credential{
+			"type": "git_source",
+			"host": host,
+		}) {
+			t.Error("expected git_source credentials metadata to be added")
+		}
+		if !reflect.DeepEqual(input.Job.CredentialsMetadata[1], model.Credential{
+			"type":            "jit_access",
+			"credential-type": "git_source",
+			"host":            host,
+			"endpoint":        "$GITHUB_JITACCESS_TOKEN_ENDPOINT",
+		}) {
+			t.Error("expected jit_access credentials metadata to be added")
+		}
+	})
 }
 
 func assertStringArraysEqual(t *testing.T, expected, actual []string) {