Cut new release for Git 2.40 rc0 (#1124)

GCM release for Git 2.40 release candidate 0.

Author: ldennington

.github/workflows/lint-docs.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 
-      - uses: DavidAnson/markdownlint-cli2-action@d57f8bd57670b9c1deedf71219dd494614ff3335
+      - uses: DavidAnson/markdownlint-cli2-action@5b7c9f74fec47e6b15667b2cc23c63dff11e449e
         with:
           globs: |
             "**/*.md"

.github/workflows/release.yml

@@ -384,7 +384,7 @@ jobs:
     - name: Upload artifacts
       uses: actions/upload-artifact@v3
       with:
-        name: tmp.linux-build
+        name: linux-build
         path: |
           linux-build
 
@@ -399,7 +399,11 @@ jobs:
     - name: Download artifacts
       uses: actions/download-artifact@v3
       with:
-        name: tmp.linux-build
+        name: linux-build
+    
+    - name: Remove symbols
+      run: |
+        rm tar/*symbols*
 
     - uses: azure/login@v1
       with:
@@ -423,6 +427,12 @@ jobs:
       run: |
         python .github/run_esrp_signing.py deb $env:LINUX_KEY_CODE $env:LINUX_OP_CODE
         python .github/run_esrp_signing.py tar $env:LINUX_KEY_CODE $env:LINUX_OP_CODE
+    
+    - name: Re-name tarball signature file
+      shell: bash
+      run: |
+        signaturepath=$(find signed/*.tar.gz)
+        mv "$signaturepath" "${signaturepath%.tar.gz}.asc"
 
     - name: Upload signed tarball and Debian package
       uses: actions/upload-artifact@v3
@@ -624,19 +634,27 @@ jobs:
           - os: ubuntu-latest
             artifact: linux-sign
             command: git-credential-manager
+            description: debian
+          - os: ubuntu-latest
+            artifact: linux-build
+            command: git-credential-manager
+            description: tarball
           - os: macos-latest
             artifact: osx-x64-sign
             command: git-credential-manager
+            description: osx-x64
           - os: windows-latest
             artifact: win-sign
             # Even when a standalone GCM version is installed, GitHub actions
             # runners still only recognize the version bundled with Git for
             # Windows due to its placement on the PATH. For this reason, we use
             # the full path to our installation to validate the Windows version.
             command: "$PROGRAMFILES (x86)/Git Credential Manager/git-credential-manager.exe"
+            description: windows
           - os: ubuntu-latest
             artifact: dotnet-tool-sign
             command: git-credential-manager
+            description: dotnet-tool
     runs-on: ${{ matrix.component.os }}
     needs: [ osx-sign, win-sign, linux-sign, dotnet-tool-sign ]
     steps:
@@ -654,7 +672,7 @@ jobs:
           name: ${{ matrix.component.artifact }}
 
       - name: Install Windows
-        if: contains(matrix.component.os, 'windows')
+        if: contains(matrix.component.description, 'windows')
         shell: pwsh
         run: |
           $exePaths = Get-ChildItem -Path ./signed/*.exe | %{$_.FullName}
@@ -663,22 +681,30 @@ jobs:
             Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART"
           }
 
-      - name: Install Linux
-        if: contains(matrix.component.os, 'ubuntu') && contains(matrix.component.artifact, 'linux')
+      - name: Install Linux (Debian package)
+        if: contains(matrix.component.description, 'debian')
         run: |
           debpath=$(find ./*.deb)
           sudo apt install $debpath
           "${{ matrix.component.command }}" configure
+      
+      - name: Install Linux (tarball)
+        if: contains(matrix.component.description, 'tarball')
+        run: |
+          # Ensure we find only the source tarball, not the symbols
+          tarpath=$(find ./tar -name '*[[:digit:]].tar.gz')
+          tar -xvf $tarpath -C /usr/local/bin
+          "${{ matrix.component.command }}" configure
 
       - name: Install macOS
-        if: contains(matrix.component.os, 'macos')
+        if: contains(matrix.component.description, 'osx-x64')
         run: |
           # Only validate x64, given arm64 agents are not available
           pkgpath=$(find ./*.pkg)
           sudo installer -pkg $pkgpath -target /
       
       - name: Install .NET tool
-        if: contains(matrix.component.os, 'ubuntu') && contains(matrix.component.artifact, 'dotnet-tool')
+        if: contains(matrix.component.description, 'dotnet-tool')
         run: |
           nupkgpath=$(find ./*.nupkg)
           dotnet tool install -g --add-source $(dirname "$nupkgpath") git-credential-manager
@@ -787,6 +813,7 @@ jobs:
               uploadDirectoryToRelease('osx-payload-and-symbols'),
 
               // Upload Linux artifacts
+              uploadDirectoryToRelease('linux-build/tar'),
               uploadDirectoryToRelease('linux-sign'),
 
               // Upload .NET tool package
@@ -795,5 +822,5 @@ jobs:
 
       - name: Publish .NET tool to nuget.org
         run: |
-          dotnet nuget push dotnet-tool-sign/signed/*.nupkg \
+          dotnet nuget push dotnet-tool-sign/*.nupkg \
             --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json

docs/README.md

@@ -12,6 +12,7 @@ The following are links to GCM user support documentation:
 - [Host provider specification][gcm-host-provider]
 - [Azure Repos OAuth tokens][gcm-azure-tokens]
 - [GitLab support][gcm-gitlab]
+- [Generic OAuth support][gcm-oauth]
 
 [gcm-azure-tokens]: azrepos-users-and-tokens.md
 [gcm-config]: configuration.md
@@ -23,4 +24,5 @@ The following are links to GCM user support documentation:
 [gcm-gitlab]: gitlab.md
 [gcm-host-provider]: hostprovider.md
 [gcm-net-config]: netconfig.md
-[gcm-usage]: usage.md
+[gcm-oauth]: generic-oauth.md
+[gcm-usage]: usage.md

docs/configuration.md

@@ -442,7 +442,7 @@ _(unset)_|Windows: `wincredman`, macOS: `keychain`, Linux: _(none)_|-
 `keychain`|macOS Keychain.|macOS
 `secretservice`|[freedesktop.org Secret Service API][freedesktop-ss] via [libsecret][libsecret] (requires a graphical interface to unlock secret collections).|Linux
 `gpg`|Use GPG to store encrypted files that are compatible with the [pass][pass] (requires GPG and `pass` to initialize the store).|macOS, Linux
-`cache`|Git's built-in [credential cache][credential-cache].|Windows, macOS, Linux
+`cache`|Git's built-in [credential cache][credential-cache].|macOS, Linux
 `plaintext`|Store credentials in plaintext files (**UNSECURE**). Customize the plaintext store location with [`credential.plaintextStorePath`][credential-plaintextstorepath].|Windows, macOS, Linux
 
 #### Example

docs/generic-oauth.md

@@ -0,0 +1,116 @@
+# Generic Host Provider OAuth
+
+Many Git hosts use the popular standard OAuth2 or OpenID Connect (OIDC)
+authentication mechanisms to secure repositories they host.
+Git Credential Manager supports any generic OAuth2-based Git host by simply
+setting some configuration.
+
+## Registering an OAuth application
+
+In order to use GCM with a Git host that supports OAuth you must first have
+registered an OAuth application with your host. The instructions on how to do
+this can be found with your Git host provider's documentation.
+
+When registering a new application, you should make sure to set an HTTP-based
+redirect URL that points to `localhost`; for example:
+
+```text
+http://localhost
+http://localhost:<port>
+http://127.0.0.1
+http://127.0.0.1:<port>
+```
+
+Note that you cannot use an HTTPS redirect URL. GCM does not require a specific
+port number be used; if your Git host requires you to specify a port number in
+the redirect URL then GCM will use that. Otherwise an available port will be
+selected at the point authentication starts.
+
+You must ensure that all scopes required to read and write to Git repositories
+have been granted for the application or else credentials that are generated
+will cause errors when pushing or fetching using Git.
+
+As part of the registration process you should also be given a Client ID and,
+optionally, a Client Secret. You will need both of these to configure GCM.
+
+## Configure GCM
+
+In order to configure GCM to use OAuth with your Git host you need to set the
+following values in your Git configuration:
+
+- Client ID
+- Client Secret (optional)
+- Redirect URL
+- Scopes (optional)
+- OAuth Endpoints
+  - Authorization Endpoint
+  - Token Endpoint
+  - Device Code Authorization Endpoint (optional)
+
+OAuth endpoints can be found by consulting your Git host's OAuth app development
+documentation. The URLs can be either absolute or relative to the host name;
+for example: `https://example.com/oauth/authorize` or `/oauth/authorize`.
+
+In order to set these values, you can run the following commands, where `<HOST>`
+is the hostname of your Git host:
+
+```shell
+git config --global credential.<HOST>.oauthClientId <ClientID>
+git config --global credential.<HOST>.oauthClientSecret <ClientSecret>
+git config --global credential.<HOST>.oauthRedirectUri <RedirectURL>
+git config --global credential.<HOST>.oauthAuthorizeEndpoint <AuthEndpoint>
+git config --global credential.<HOST>.oauthTokenEndpoint <TokenEndpoint>
+git config --global credential.<HOST>.oauthScopes <Scopes>
+git config --global credential.<HOST>.oauthDeviceEndpoint <DeviceEndpoint>
+```
+
+**Example commands:**
+
+- `git config --global credential.https://example.com.oauthClientId C33F2751FB76`
+
+- `git config --global credential.https://example.com.oauthScopes "code:write profile:read"`
+
+**Example Git configuration**
+
+```ini
+[credential "https://example.com"]
+    oauthClientId = 9d886e36-5771-4f2b-8c8b-420c68ad5baa
+    oauthClientSecret = 4BC5BD4704EAE28FD832
+    oauthRedirectUri = "http://127.0.0.1"
+    oauthAuthorizeEndpoint = "/login/oauth/authorize"
+    oauthTokenEndpoint = "/login/oauth/token"
+    oauthDeviceEndpoint = "/login/oauth/device"
+    oauthScopes = "code:write profile:read"
+    oauthDefaultUserName = "OAUTH"
+    oauthUseClientAuthHeader = false
+```
+
+### Additional configuration
+
+Depending on the specific implementation of OAuth with your Git host you may
+also need to specify additional behavior.
+
+#### Token user name
+
+If your Git host requires that you specify a username to use with OAuth tokens
+you can either include the username in the Git remote URL, or specify a default
+option via Git configuration.
+
+Example Git remote with username: `https://[email protected]/repo.git`.
+In order to use special characters you need to URL encode the values; for
+example `@` becomes `%40`.
+
+By default GCM uses the value `OAUTH-USER` unless specified in the remote URL,
+or overriden using the `credential.<HOST>.oauthDefaultUserName` configuration.
+
+#### Include client authentication in headers
+
+If your Git host's OAuth implementation has specific requirements about whether
+the client ID and secret should or should not be included in an `Authorization`
+header during OAuth requests, you can control this using the following setting:
+
+```shell
+git config --global credential.<HOST>.oauthUseClientAuthHeader <true|false>
+```
+
+The default behavior is to include these values; i.e., `true`.

docs/gitlab.md

@@ -2,21 +2,21 @@
 
 Git Credential Manager supports [gitlab.com][gitlab] out the box.
 
-## Using on a another instance
+## Using on another instance
 
 To use on another instance, eg. `https://gitlab.example.com` requires setup and
 configuration:
 
 1. [Create an OAuth application][gitlab-oauth]. This can be at the user, group
 or instance level. Specify a name and use a redirect URI of `http://127.0.0.1/`.
-_Unselect_ the 'Confidential' option. Set the 'write_repository' and
-'read_repository' scopes.
+_Unselect_ the 'Confidential' option. Set the 'read_repository' and
+'write_repository' scopes.
 1. Copy the application ID and configure
-`git config --global credential.https://gitlab.example.com.GitLabDevClientId <APPLICATION_ID>`
+`git config --global credential.https://gitlab.example.com.gitLabDevClientId <APPLICATION_ID>`
 1. Copy the application secret and configure
-`git config --global credential.https://gitlab.example.com.GitLabDevClientSecret
+`git config --global credential.https://gitlab.example.com.gitLabDevClientSecret
 <APPLICATION_SECRET>`
-1. Configure authentication modes to include 'browser'
+1. Optional if you want to force browser auth:
 `git config --global credential.https://gitlab.example.com.gitLabAuthModes browser`
 1. For good measure, configure
 `git config --global credential.https://gitlab.example.com.provider gitlab`.
@@ -27,8 +27,8 @@ This may be necessary to recognise the domain as a GitLab instance.
 ### Clearing config
 
 ```console
-    git config --global --unset-all credential.https://gitlab.example.com.GitLabDevClientId
-    git config --global --unset-all credential.https://gitlab.example.com.GitLabDevClientSecret
+    git config --global --unset-all credential.https://gitlab.example.com.gitLabDevClientId
+    git config --global --unset-all credential.https://gitlab.example.com.gitLabDevClientSecret
     git config --global --unset-all credential.https://gitlab.example.com.provider
 ```
 
@@ -39,23 +39,23 @@ instances, provided by community member [hickford](https://github.com/hickford/)
 
 ```console
 # https://gitlab.freedesktop.org/
-git config --global credential.https://gitlab.freedesktop.org.gitlabdevclientid 6503d8c5a27187628440d44e0352833a2b49bce540c546c22a3378c8f5b74d45
-git config --global credential.https://gitlab.freedesktop.org.gitlabdevclientsecret 2ae9343a034ff1baadaef1e7ce3197776b00746a02ddf0323bb34aca8bff6dc1
+git config --global credential.https://gitlab.freedesktop.org.gitLabDevClientId 6503d8c5a27187628440d44e0352833a2b49bce540c546c22a3378c8f5b74d45
+git config --global credential.https://gitlab.freedesktop.org.gitLabDevClientSecret 2ae9343a034ff1baadaef1e7ce3197776b00746a02ddf0323bb34aca8bff6dc1
 # https://gitlab.gnome.org/
-git config --global credential.https://gitlab.gnome.org.gitlabdevclientid adf21361d32eddc87bf6baf8366f242dfe07a7d4335b46e8e101303364ccc470
-git config --global credential.https://gitlab.gnome.org.gitlabdevclientsecret cdca4678f64e5b0be9febc0d5e7aab0d81d27696d7adb1cf8022ccefd0a58fc0
+git config --global credential.https://gitlab.gnome.org.gitLabDevClientId adf21361d32eddc87bf6baf8366f242dfe07a7d4335b46e8e101303364ccc470
+git config --global credential.https://gitlab.gnome.org.gitLabDevClientSecret cdca4678f64e5b0be9febc0d5e7aab0d81d27696d7adb1cf8022ccefd0a58fc0
 # https://invent.kde.org/
-git config --global credential.https://invent.kde.org.gitlabdevclientid cd7cb4342c7cd83d8c2fcc22c87320f88d0bde14984432ffca07ee24d0bf0699
-git config --global credential.https://invent.kde.org.gitlabdevclientsecret 9cc8440b280c792ac429b3615ae1c8e0702e6b2479056f899d314f05afd94211
+git config --global credential.https://invent.kde.org.gitLabDevClientId cd7cb4342c7cd83d8c2fcc22c87320f88d0bde14984432ffca07ee24d0bf0699
+git config --global credential.https://invent.kde.org.gitLabDevClientSecret 9cc8440b280c792ac429b3615ae1c8e0702e6b2479056f899d314f05afd94211
 # https://salsa.debian.org/
-git config --global credential.https://salsa.debian.org.gitlabdevclientid 213f5fd32c6a14a0328048c0a77cc12c19138cc165ab957fb83d0add74656f89
-git config --global credential.https://salsa.debian.org.gitlabdevclientsecret 3616b974b59451ecf553f951cb7b8e6e3c91c6d84dd3247dcb0183dac93c2a26
+git config --global credential.https://salsa.debian.org.gitLabDevClientId 213f5fd32c6a14a0328048c0a77cc12c19138cc165ab957fb83d0add74656f89
+git config --global credential.https://salsa.debian.org.gitLabDevClientSecret 3616b974b59451ecf553f951cb7b8e6e3c91c6d84dd3247dcb0183dac93c2a26
 # https://gitlab.haskell.org/
-git config --global credential.https://gitlab.haskell.org.gitlabdevclientid 57de5eaab72b3dc447fca8c19cea39527a08e82da5377c2d10a8ebb30b08fa5f
-git config --global credential.https://gitlab.haskell.org.gitlabdevclientsecret 5170a480da8fb7341e0daac94223d4fff549c702efb2f8873d950bb2b88e434f
+git config --global credential.https://gitlab.haskell.org.gitLabDevClientId 57de5eaab72b3dc447fca8c19cea39527a08e82da5377c2d10a8ebb30b08fa5f
+git config --global credential.https://gitlab.haskell.org.gitLabDevClientSecret 5170a480da8fb7341e0daac94223d4fff549c702efb2f8873d950bb2b88e434f
 # https://code.videolan.org/
-git config --global credential.https://code.videolan.org.gitlabdevclientid f35c379241cc20bf9dffecb47990491b62757db4fb96080cddf2461eacb40375
-git config --global credential.https://code.videolan.org.gitlabdevclientsecret 631558ec973c5ef65b78db9f41103f8247dc68d979c86f051c0fe4389e1995e8
+git config --global credential.https://code.videolan.org.gitLabDevClientId f35c379241cc20bf9dffecb47990491b62757db4fb96080cddf2461eacb40375
+git config --global credential.https://code.videolan.org.gitLabDevClientSecret 631558ec973c5ef65b78db9f41103f8247dc68d979c86f051c0fe4389e1995e8
 ```
 
 See also [issue #677](https://github.com/GitCredentialManager/git-credential-manager/issues/677).
@@ -74,7 +74,7 @@ If you have a preferred authentication mode, you can specify
 [credential.gitLabAuthModes][config-gitlab-auth-modes]:
 
 ```console
-git config --global credential.gitlabauthmodes browser
+git config --global credential.gitLabAuthModes browser
 ```
 
 ## Caveats

docs/rename.md

@@ -3,7 +3,7 @@
 In November 2021, _"Git Credential Manager Core"_ was [renamed][rename-pr] to
 simply _"Git Credential Manager"_, dropping the "Core" moniker. We announced the
 new name in a [GitHub blog post][rename-blog], along with the new home for the
-project in it's own [organization][gcm-org].
+project in its own [organization][gcm-org].
 
 ![Git Credential Manager Core renamed](img/gcmcore-rename.png)
 
@@ -133,7 +133,7 @@ Look out for entries that include `git-credential-manager-core` or
 or `manager` respectively.
 
 > **Note:** When updating the Git configuration file in your home directory
-> (`$HOME/.gitconfig` or `%USERPROFILE\.gitconfig%`) you should ensure there are
+> (`$HOME/.gitconfig` or `%USERPROFILE%\.gitconfig`) you should ensure there are
 > is an additional blank entry for `credential.helper` before the GCM entry.
 >
 > **Mac/Linux**

src/linux/Packaging.Linux/build.sh

@@ -44,6 +44,7 @@ fi
 
 OUTDIR="$INSTALLER_OUT/$CONFIGURATION"
 PAYLOAD="$OUTDIR/payload"
+SYMBOLS="$OUTDIR/payload.sym"
 
 # Lay out payload
 "$INSTALLER_SRC/layout.sh" --configuration="$CONFIGURATION" || exit 1
@@ -78,7 +79,7 @@ if [ $INSTALL_FROM_SOURCE = true ]; then
     echo "Install complete."
 else
     # Pack
-    "$INSTALLER_SRC/pack.sh" --configuration="$CONFIGURATION" --payload="$PAYLOAD" --version="$VERSION" || exit 1
+    "$INSTALLER_SRC/pack.sh" --configuration="$CONFIGURATION" --payload="$PAYLOAD" --symbols="$SYMBOLS" --version="$VERSION" || exit 1
 fi
 
 echo "Build of Packaging.Linux complete."