Release GCM 2.6 (#1712)

**Changes:**

- Drop no longer needed workflows (#1659)
- Documentation fixes (#1664, #1697)
- Configurable GPG store path via Git config (#1698)
- Fix Visual Studio build problems and update dependencies (#1711)
- Support sending X5C with certificate auth (#1666)

Author: Matthew John Cheetham

.github/workflows/codeql-analysis.yml

@@ -25,7 +25,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Setup .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 

.github/workflows/continuous-integration.yml

@@ -19,7 +19,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Setup .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -59,7 +59,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Setup .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -100,7 +100,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Setup .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 

.github/workflows/release-homebrew.yaml

@@ -35,7 +35,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Set up .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -150,7 +150,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Set up .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -177,7 +177,7 @@ jobs:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Sign payload files with Azure Code Signing
-      uses: azure/trusted-signing-action@v0.3.20
+      uses: azure/trusted-signing-action@v0.4.0
       with:
         endpoint: https://wus2.codesigning.azure.net/
         trusted-signing-account-name: git-fundamentals-signing
@@ -190,7 +190,7 @@ jobs:
 
     # The Azure Code Signing action overrides the .NET version, so we reset it.
     - name: Set up .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -204,7 +204,7 @@ jobs:
          -Destination $env:GITHUB_WORKSPACE\installers
 
     - name: Sign installers with Azure Code Signing
-      uses: azure/trusted-signing-action@v0.3.20
+      uses: azure/trusted-signing-action@v0.4.0
       with:
         endpoint: https://wus2.codesigning.azure.net/
         trusted-signing-account-name: git-fundamentals-signing
@@ -236,7 +236,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Set up .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -314,7 +314,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Set up .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -387,7 +387,7 @@ jobs:
         path: signed
 
     - name: Set up .NET
-      uses: actions/[email protected].0
+      uses: actions/[email protected].1
       with:
         dotnet-version: 8.0.x
 
@@ -491,7 +491,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up .NET
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
         with:
           dotnet-version: 8.0.x
 
@@ -561,7 +561,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up .NET
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
         with:
           dotnet-version: 8.0.x
 

.github/workflows/release.yml

@@ -28,7 +28,7 @@
 
   <ItemGroup Condition = "'$(TargetFramework)' == 'net472'">
     <PackageReference Include="System.Text.Json">
-      <Version>7.0.2</Version>
+      <Version>8.0.4</Version>
     </PackageReference>
   </ItemGroup>
 

Directory.Build.props

@@ -6,7 +6,7 @@
   <Import Project="$(RepoPath)build\GCM.tasks" />
 
   <!-- Use version specified in VERSION file -->
-  <Target Name="GetVersion" BeforeTargets="BeforeBuild">
+  <Target Name="GetVersion" BeforeTargets="BeforeBuild;GenerateWindowsAppManifest">
     <GetVersion VersionFile="$(RepoPath)VERSION">
       <Output TaskParameter="Version" PropertyName="Version" />
       <Output TaskParameter="AssemblyVersion" PropertyName="AssemblyVersion" />
@@ -21,6 +21,7 @@
 
   <!-- Generate the manifest file before we set the win32 manifest properties -->
   <Target Name="GenerateWindowsAppManifest"
+		  AfterTargets="GetVersion"
           BeforeTargets="SetWin32ManifestProperties"
           Condition="'$(GenerateWindowsAppManifest)' != 'false'"
           Inputs="$(FileVersion);$(AssemblyName)"

Directory.Build.targets

@@ -1,8 +1,32 @@
-# Security
+Thanks for helping make GitHub safe for everyone.
 
-If you discover a security issue in this repo, please submit it through the
-[GitHub Security Bug Bounty][hackerone-github]
+## Security
 
-Thanks for helping make GitHub products safe for everyone.
+GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
+
+Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 
+
+## Reporting Security Issues
+
+If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to opensource-security[@]github.com.
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+  * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Policy
+
+See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor)
 
-[hackerone-github]: https://hackerone.com/github

SECURITY.md

@@ -1 +1 @@
-2.5.1.0
+2.6.0.0

VERSION

@@ -108,6 +108,7 @@ Type|Git Configuration|Environment Variable
 -|-|-
 Client Secret|[`credential.azreposServicePrincipalSecret`][gcm-sp-secret-config]|[`GCM_AZREPOS_SP_SECRET`][gcm-sp-secret-env]
 Certificate|[`credential.azreposServicePrincipalCertificateThumbprint`][gcm-sp-cert-config]|[`GCM_AZREPOS_SP_CERT_THUMBPRINT`][gcm-sp-cert-env]
+Send X5C|[`credential.azreposServicePrincipalCertificateSendX5C`][gcm-sp-cert-x5c-config]|[`GCM_AZREPOS_SP_CERT_SEND_X5C`][gcm-sp-cert-x5c-env]
 
 The value for these options should be the client secret or the thumbrint of the
 certificate that is associated with the Service Principal.
@@ -126,4 +127,6 @@ current user or the local machine.
 [gcm-sp-secret-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalsecret
 [gcm-sp-secret-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_SECRET
 [gcm-sp-cert-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalcertificatethumbprint
+[gcm-sp-cert-x5c-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalcertificatesendx5c
 [gcm-sp-cert-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_CERT_THUMBPRINT
+[gcm-sp-cert-x5c-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_CERT_SEND_X5C

docs/azrepos-misp.md

@@ -633,6 +633,24 @@ git config --global credential.dpapiStorePath D:\credentials
 
 ---
 
+### credential.gpgPassStorePath
+
+Specify a custom directory to store GPG-encrypted [pass][pass]-compatible credential files
+in when [`credential.credentialStore`][credential-credentialstore] is set to `gpg`.
+
+Defaults to the value `~/.password-store` or `%USERPROFILE%\.password-store`.
+
+#### Example
+
+```shell
+git config --global credential.gpgPassStorePath /mnt/external-drive/.password-store
+```
+
+**Note:** Location of the password store used by [pass][pass] can be overridden by the
+`PASSWORD_STORE_DIR` environment variable, see the [man page][pass-man] for details.
+
+---
+
 ### credential.msauthFlow
 
 Specify which authentication flow should be used when performing Microsoft
@@ -858,6 +876,7 @@ You must also set at least one authentication mechanism if you set this value:
 
 - [credential.azreposServicePrincipalSecret][credential-azrepos-sp-secret]
 - [credential.azreposServicePrincipalCertificateThumbprint][credential-azrepos-sp-cert-thumbprint]
+- [credential.azreposServicePrincipalCertificateSendX5C][credential-azrepos-sp-cert-x5c]
 
 For more information about service principals, see the Azure DevOps
 [documentation][azrepos-sp-mid].
@@ -904,6 +923,25 @@ git config --global credential.azreposServicePrincipalCertificateThumbprint "9b6
 
 ---
 
+### credential.azreposServicePrincipalCertificateSendX5C
+
+When using a certificate for [service principal][service-principal] authentication, this configuration
+specifies whether the X5C claim should be should be sent to the STS. Sending the x5c
+enables application developers to achieve easy certificate rollover in Azure AD:
+this method will send the public certificate to Azure AD along with the token request,
+so that Azure AD can use it to validate the subject name based on a trusted issuer
+policy. This saves the application admin from the need to explicitly manage the
+certificate rollover. For details see [https://aka.ms/msal-net-sni](https://aka.ms/msal-net-sni).
+
+#### Example
+
+```shell
+git config --global credential.azreposServicePrincipalCertificateSendX5C true
+```
+**Also see: [GCM_AZREPOS_SP_CERT_SEND_X5C][gcm-azrepos-sp-cert-x5c]**
+
+---
+
 ### trace2.normalTarget
 
 Turns on Trace2 Normal Format tracing - see [Git's Trace2 Normal Format
@@ -1022,6 +1060,7 @@ Defaults to disabled.
 [provider-migrate]: migration.md#gcm_authority
 [cache-options]: https://git-scm.com/docs/git-credential-cache#_options
 [pass]: https://www.passwordstore.org/
+[pass-man]: https://git.zx2c4.com/password-store/about/
 [trace2-normal-docs]: https://git-scm.com/docs/api-trace2#_the_normal_format_target
 [trace2-normal-env]: environment.md#GIT_TRACE2
 [trace2-event-docs]: https://git-scm.com/docs/api-trace2#_the_event_format_target
@@ -1034,6 +1073,8 @@ Defaults to disabled.
 [credential-azrepos-sp]: #credentialazreposserviceprincipal
 [credential-azrepos-sp-secret]: #credentialazreposserviceprincipalsecret
 [credential-azrepos-sp-cert-thumbprint]: #credentialazreposserviceprincipalcertificatethumbprint
+[credential-azrepos-sp-cert-x5c]: #credentialazreposserviceprincipalcertificatesendx5c
 [gcm-azrepos-service-principal]: environment.md#GCM_AZREPOS_SERVICE_PRINCIPAL
 [gcm-azrepos-sp-secret]: environment.md#GCM_AZREPOS_SP_SECRET
 [gcm-azrepos-sp-cert-thumbprint]: environment.md#GCM_AZREPOS_SP_CERT_THUMBPRINT
+[gcm-azrepos-sp-cert-x5c]: environment.md#GCM_AZREPOS_SP_CERT_SEND_X5C