Only rewrite repo URL for public repos cloned over SSH

Fixes the following issues in the current implementation:
* HTTP git remotes are rewritten to invalid URL https://http://<...>
* Private repos with SSH git remotes are converted to HTTPS URLs for the
  validate-origin check. This requires username/PAT auth on GitHub instead
  of just checking the remote via SSH

Author: dminnear-rh

Makefile

@@ -7,7 +7,7 @@ endif
 # Set this to true if you want to skip any origin validation
 DISABLE_VALIDATE_ORIGIN ?= false
 ifeq ($(DISABLE_VALIDATE_ORIGIN),true)
-  VALIDATE_ORIGIN := 
+  VALIDATE_ORIGIN :=
 else
   VALIDATE_ORIGIN := validate-origin
 endif
@@ -31,9 +31,8 @@ TARGET_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 #default to the branch remote
 TARGET_ORIGIN ?= $(shell git config branch.$(TARGET_BRANCH).remote)
 
-# This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL
-# This is because we expect to use tokens for repo authentication as opposed to SSH keys
-TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%')
+# The URL for the configured origin (could be HTTP/HTTPS/SSH)
+TARGET_REPO_RAW := $(shell git ls-remote --get-url --symref $(TARGET_ORIGIN))
 
 UUID_FILE ?= ~/.config/validated-patterns/pattern-uuid
 UUID_HELM_OPTS ?=
@@ -50,13 +49,22 @@ TOKEN_SECRET ?=
 TOKEN_NAMESPACE ?=
 
 ifeq ($(TOKEN_SECRET),)
-  HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
+  # SSH agents are not created for public repos (repos with no secret token) by the patterns operator so we convert to HTTPS
+  TARGET_REPO := $(shell echo "$(TARGET_REPO_RAW)" | sed 's/^git@\(.*\):\(.*\)/https:\/\/\1\/\2/')
+  SECRET_OPTS :=
 else
-  # When we are working with a private repository we do not escape the git URL as it might be using an ssh secret which does not use https://
-  TARGET_CLEAN_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN))
-  HELM_OPTS=-f values-global.yaml --set main.tokenSecret=$(TOKEN_SECRET) --set main.tokenSecretNamespace=$(TOKEN_NAMESPACE) --set main.git.repoURL="$(TARGET_CLEAN_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
+  TARGET_REPO := $(TARGET_REPO_RAW)
+  SECRET_OPTS := --set main.tokenSecret=$(TOKEN_SECRET) --set main.tokenSecretNamespace=$(TOKEN_NAMESPACE)
 endif
 
+HELM_OPTS := -f values-global.yaml \
+             --set main.git.repoURL="$(TARGET_REPO)" \
+             --set main.git.revision=$(TARGET_BRANCH) \
+             $(SECRET_OPTS) \
+             $(TARGET_SITE_OPT) \
+             $(UUID_HELM_OPTS) \
+             $(EXTRA_HELM_OPTS)
+
 # Helm does the right thing and fetches all the tags and detects the newest one
 PATTERN_INSTALL_CHART ?= oci://quay.io/hybridcloudpatterns/pattern-install
 
@@ -138,8 +146,6 @@ token-kubeconfig: ## Create a local ~/.kube/config with password (not usually ne
 
 ##@ Validation Tasks
 
-# We only check the remote ssh git branch's existance if we're not running inside a container
-# as getting ssh auth working inside a container seems a bit brittle
 # If the main repoUpstreamURL field is set, then we need to check against
 # that and not target_repo
 .PHONY: validate-origin