Use workspace trust in git subsystem

xe-nul · xe-nul · commit dc31bd620b37 · 2026-04-16T17:25:21.000+03:00
Replace default gitoxide's model of trust (directory ownership) with our own one. Closes #15594
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/helix-term/src/commands.rs b/helix-term/src/commands.rs
@@ -3541,16 +3541,18 @@ fn changed_file_picker(cx: &mut Context) {
     .with_preview(|_editor, meta| Some((meta.path().into(), None)));
     let injector = picker.injector();
 
-    cx.editor
-        .diff_providers
-        .clone()
-        .for_each_changed_file(cwd, move |change| match change {
+    let insecure = cx.editor.config().insecure;
+    cx.editor.diff_providers.clone().for_each_changed_file(
+        cwd,
+        insecure,
+        move |change| match change {
             Ok(change) => injector.push(change).is_ok(),
             Err(err) => {
                 status::report_blocking(err);
                 true
             }
-        });
+        },
+    );
     cx.push_layer(Box::new(overlaid(picker)));
 }
 
diff --git a/helix-vcs/Cargo.toml b/helix-vcs/Cargo.toml
@@ -12,6 +12,7 @@ homepage.workspace = true
 [dependencies]
 helix-core = { path = "../helix-core" }
 helix-event = { path = "../helix-event" }
+helix-loader = { path = "../helix-loader" }
 
 tokio = { version = "1", features = ["rt", "rt-multi-thread", "time", "sync", "parking_lot", "macros"] }
 parking_lot.workspace = true
diff --git a/helix-vcs/src/git.rs b/helix-vcs/src/git.rs
@@ -1,6 +1,8 @@
 use anyhow::{bail, Context, Result};
 use arc_swap::ArcSwap;
 use gix::filter::plumbing::driver::apply::Delay;
+use helix_loader::find_workspace_in;
+use helix_loader::workspace_trust::{quick_query_workspace, TrustStatus};
 use std::io::Read;
 use std::path::Path;
 use std::sync::Arc;
@@ -27,15 +29,15 @@ fn get_repo_dir(file: &Path) -> Result<&Path> {
     file.parent().context("file has no parent directory")
 }
 
-pub fn get_diff_base(file: &Path) -> Result<Vec<u8>> {
+pub fn get_diff_base(file: &Path, insecure: bool) -> Result<Vec<u8>> {
     debug_assert!(!file.exists() || file.is_file());
     debug_assert!(file.is_absolute());
     let file = gix::path::realpath(file).context("resolve symlinks")?;
 
     // TODO cache repository lookup
 
     let repo_dir = get_repo_dir(&file)?;
-    let repo = open_repo(repo_dir)
+    let repo = open_repo(repo_dir, insecure)
         .context("failed to open git repo")?
         .to_thread_local();
     let head = repo.head_commit()?;
@@ -59,13 +61,13 @@ pub fn get_diff_base(file: &Path) -> Result<Vec<u8>> {
     }
 }
 
-pub fn get_current_head_name(file: &Path) -> Result<Arc<ArcSwap<Box<str>>>> {
+pub fn get_current_head_name(file: &Path, insecure: bool) -> Result<Arc<ArcSwap<Box<str>>>> {
     debug_assert!(!file.exists() || file.is_file());
     debug_assert!(file.is_absolute());
     let file = gix::path::realpath(file).context("resolve symlinks")?;
 
     let repo_dir = get_repo_dir(&file)?;
-    let repo = open_repo(repo_dir)
+    let repo = open_repo(repo_dir, insecure)
         .context("failed to open git repo")?
         .to_thread_local();
     let head_ref = repo.head_ref()?;
@@ -79,13 +81,17 @@ pub fn get_current_head_name(file: &Path) -> Result<Arc<ArcSwap<Box<str>>>> {
     Ok(Arc::new(ArcSwap::from_pointee(name.into_boxed_str())))
 }
 
-pub fn for_each_changed_file(cwd: &Path, f: impl Fn(Result<FileChange>) -> bool) -> Result<()> {
-    status(&open_repo(cwd)?.to_thread_local(), f)
+pub fn for_each_changed_file(
+    cwd: &Path,
+    insecure: bool,
+    f: impl Fn(Result<FileChange>) -> bool,
+) -> Result<()> {
+    status(&open_repo(cwd, insecure)?.to_thread_local(), f)
 }
 
-fn open_repo(path: &Path) -> Result<ThreadSafeRepository> {
+fn open_repo(path: &Path, insecure: bool) -> Result<ThreadSafeRepository> {
     // custom open options
-    let mut git_open_opts_map = gix::sec::trust::Mapping::<gix::open::Options>::default();
+    let git_open_opts_map = gix::sec::trust::Mapping::<gix::open::Options>::default();
 
     // On windows various configuration options are bundled as part of the installations
     // This path depends on the install location of git and therefore requires some overhead to lookup
@@ -99,30 +105,24 @@ fn open_repo(path: &Path) -> Result<ThreadSafeRepository> {
         includes: true,
         git_binary: cfg!(windows),
     };
-    // change options for config permissions without touching anything else
-    git_open_opts_map.reduced = git_open_opts_map
-        .reduced
-        .permissions(gix::open::Permissions {
+
+    let opts = if let TrustStatus::Trusted = quick_query_workspace(insecure) {
+        git_open_opts_map.full.permissions(gix::open::Permissions {
             config,
-            ..gix::open::Permissions::default_for_level(gix::sec::Trust::Reduced)
-        });
-    git_open_opts_map.full = git_open_opts_map.full.permissions(gix::open::Permissions {
-        config,
-        ..gix::open::Permissions::default_for_level(gix::sec::Trust::Full)
-    });
-
-    let open_options = gix::discover::upwards::Options {
-        dot_git_only: true,
-        ..Default::default()
+            ..gix::open::Permissions::default_for_level(gix::sec::Trust::Full)
+        })
+    } else {
+        git_open_opts_map
+            .reduced
+            .permissions(gix::open::Permissions {
+                config,
+                ..gix::open::Permissions::default_for_level(gix::sec::Trust::Reduced)
+            })
     };
 
-    let res = ThreadSafeRepository::discover_with_environment_overrides_opts(
-        path,
-        open_options,
-        git_open_opts_map,
-    )?;
+    let (workspace, _) = find_workspace_in(path);
 
-    Ok(res)
+    Ok(ThreadSafeRepository::open_opts(workspace, opts)?)
 }
 
 /// Emulates the result of running `git status` from the command line.
diff --git a/helix-vcs/src/git/test.rs b/helix-vcs/src/git/test.rs
@@ -54,7 +54,7 @@ fn missing_file() {
     let file = temp_git.path().join("file.txt");
     File::create(&file).unwrap().write_all(b"foo").unwrap();
 
-    assert!(git::get_diff_base(&file).is_err());
+    assert!(git::get_diff_base(&file, true).is_err());
 }
 
 #[test]
@@ -64,7 +64,10 @@ fn unmodified_file() {
     let contents = b"foo".as_slice();
     File::create(&file).unwrap().write_all(contents).unwrap();
     create_commit(temp_git.path(), true);
-    assert_eq!(git::get_diff_base(&file).unwrap(), Vec::from(contents));
+    assert_eq!(
+        git::get_diff_base(&file, true).unwrap(),
+        Vec::from(contents)
+    );
 }
 
 #[test]
@@ -76,7 +79,10 @@ fn modified_file() {
     create_commit(temp_git.path(), true);
     File::create(&file).unwrap().write_all(b"bar").unwrap();
 
-    assert_eq!(git::get_diff_base(&file).unwrap(), Vec::from(contents));
+    assert_eq!(
+        git::get_diff_base(&file, true).unwrap(),
+        Vec::from(contents)
+    );
 }
 
 /// Test that `get_file_head` does not return content for a directory.
@@ -95,7 +101,7 @@ fn directory() {
 
     std::fs::remove_dir_all(&dir).unwrap();
     File::create(&dir).unwrap().write_all(b"bar").unwrap();
-    assert!(git::get_diff_base(&dir).is_err());
+    assert!(git::get_diff_base(&dir, true).is_err());
 }
 
 /// Test that `get_diff_base` resolves symlinks so that the same diff base is
@@ -122,8 +128,8 @@ fn symlink() {
     symlink("file.txt", &file_link).unwrap();
     create_commit(temp_git.path(), true);
 
-    assert_eq!(git::get_diff_base(&file_link).unwrap(), contents);
-    assert_eq!(git::get_diff_base(&file).unwrap(), contents);
+    assert_eq!(git::get_diff_base(&file_link, true).unwrap(), contents);
+    assert_eq!(git::get_diff_base(&file, true).unwrap(), contents);
 }
 
 /// Test that `get_diff_base` returns content when the file is a symlink to
@@ -147,6 +153,6 @@ fn symlink_to_git_repo() {
     let file_link = temp_dir.path().join("file_link.txt");
     symlink(&file, &file_link).unwrap();
 
-    assert_eq!(git::get_diff_base(&file_link).unwrap(), contents);
-    assert_eq!(git::get_diff_base(&file).unwrap(), contents);
+    assert_eq!(git::get_diff_base(&file_link, true).unwrap(), contents);
+    assert_eq!(git::get_diff_base(&file, true).unwrap(), contents);
 }
diff --git a/helix-vcs/src/lib.rs b/helix-vcs/src/lib.rs
@@ -30,10 +30,10 @@ pub struct DiffProviderRegistry {
 impl DiffProviderRegistry {
     /// Get the given file from the VCS. This provides the unedited document as a "base"
     /// for a diff to be created.
-    pub fn get_diff_base(&self, file: &Path) -> Option<Vec<u8>> {
+    pub fn get_diff_base(&self, file: &Path, insecure: bool) -> Option<Vec<u8>> {
         self.providers
             .iter()
-            .find_map(|provider| match provider.get_diff_base(file) {
+            .find_map(|provider| match provider.get_diff_base(file, insecure) {
                 Ok(res) => Some(res),
                 Err(err) => {
                     log::debug!("{err:#?}");
@@ -44,31 +44,36 @@ impl DiffProviderRegistry {
     }
 
     /// Get the current name of the current [HEAD](https://stackoverflow.com/questions/2304087/what-is-head-in-git).
-    pub fn get_current_head_name(&self, file: &Path) -> Option<Arc<ArcSwap<Box<str>>>> {
-        self.providers
-            .iter()
-            .find_map(|provider| match provider.get_current_head_name(file) {
+    pub fn get_current_head_name(
+        &self,
+        file: &Path,
+        insecure: bool,
+    ) -> Option<Arc<ArcSwap<Box<str>>>> {
+        self.providers.iter().find_map(|provider| {
+            match provider.get_current_head_name(file, insecure) {
                 Ok(res) => Some(res),
                 Err(err) => {
                     log::debug!("{err:#?}");
                     log::debug!("failed to obtain current head name for {}", file.display());
                     None
                 }
-            })
+            }
+        })
     }
 
     /// Fire-and-forget changed file iteration. Runs everything in a background task. Keeps
     /// iteration until `on_change` returns `false`.
     pub fn for_each_changed_file(
         self,
         cwd: PathBuf,
+        insecure: bool,
         f: impl Fn(Result<FileChange>) -> bool + Send + 'static,
     ) {
         tokio::task::spawn_blocking(move || {
             if self
                 .providers
                 .iter()
-                .find_map(|provider| provider.for_each_changed_file(&cwd, &f).ok())
+                .find_map(|provider| provider.for_each_changed_file(&cwd, insecure, &f).ok())
                 .is_none()
             {
                 f(Err(anyhow!("no diff provider returns success")));
@@ -102,30 +107,31 @@ enum DiffProvider {
 }
 
 impl DiffProvider {
-    fn get_diff_base(&self, file: &Path) -> Result<Vec<u8>> {
+    fn get_diff_base(&self, file: &Path, insecure: bool) -> Result<Vec<u8>> {
         match self {
             #[cfg(feature = "git")]
-            Self::Git => git::get_diff_base(file),
+            Self::Git => git::get_diff_base(file, insecure),
             Self::None => bail!("No diff support compiled in"),
         }
     }
 
-    fn get_current_head_name(&self, file: &Path) -> Result<Arc<ArcSwap<Box<str>>>> {
+    fn get_current_head_name(&self, file: &Path, insecure: bool) -> Result<Arc<ArcSwap<Box<str>>>> {
         match self {
             #[cfg(feature = "git")]
-            Self::Git => git::get_current_head_name(file),
+            Self::Git => git::get_current_head_name(file, insecure),
             Self::None => bail!("No diff support compiled in"),
         }
     }
 
     fn for_each_changed_file(
         &self,
         cwd: &Path,
+        insecure: bool,
         f: impl Fn(Result<FileChange>) -> bool,
     ) -> Result<()> {
         match self {
             #[cfg(feature = "git")]
-            Self::Git => git::for_each_changed_file(cwd, f),
+            Self::Git => git::for_each_changed_file(cwd, insecure, f),
             Self::None => bail!("No diff support compiled in"),
         }
     }
diff --git a/helix-view/src/document.rs b/helix-view/src/document.rs
@@ -1297,12 +1297,13 @@ impl Document {
         self.pickup_last_saved_time();
         self.detect_indent_and_line_ending();
 
-        match provider_registry.get_diff_base(&path) {
+        let insecure = self.config.load().insecure;
+        match provider_registry.get_diff_base(&path, insecure) {
             Some(diff_base) => self.set_diff_base(diff_base),
             None => self.diff_handle = None,
         }
 
-        self.version_control_head = provider_registry.get_current_head_name(&path);
+        self.version_control_head = provider_registry.get_current_head_name(&path, insecure);
 
         Ok(())
     }
diff --git a/helix-view/src/editor.rs b/helix-view/src/editor.rs
@@ -1945,10 +1945,13 @@ impl Editor {
                 Editor::doc_diagnostics(&self.language_servers, &self.diagnostics, &doc);
             doc.replace_diagnostics(diagnostics, &[], None);
 
-            if let Some(diff_base) = self.diff_providers.get_diff_base(&path) {
+            let insecure = self.config().insecure;
+            if let Some(diff_base) = self.diff_providers.get_diff_base(&path, insecure) {
                 doc.set_diff_base(diff_base);
             }
-            doc.set_version_control_head(self.diff_providers.get_current_head_name(&path));
+            doc.set_version_control_head(
+                self.diff_providers.get_current_head_name(&path, insecure),
+            );
 
             let id = self.new_document(doc);
             self.launch_language_servers(id);

Original file line number	Diff line number	Diff line change
`@@ -1297,12 +1297,13 @@ impl Document {`
`1297`	`1297`	`self.pickup_last_saved_time();`
`1298`	`1298`	`self.detect_indent_and_line_ending();`
`1299`	`1299`
`1300`		`- match provider_registry.get_diff_base(&path) {`
	`1300`	`+ let insecure = self.config.load().insecure;`
	`1301`	`+ match provider_registry.get_diff_base(&path, insecure) {`
`1301`	`1302`	`Some(diff_base) => self.set_diff_base(diff_base),`
`1302`	`1303`	`None => self.diff_handle = None,`
`1303`	`1304`	`}`
`1304`	`1305`
`1305`		`- self.version_control_head = provider_registry.get_current_head_name(&path);`
	`1306`	`+ self.version_control_head = provider_registry.get_current_head_name(&path, insecure);`
`1306`	`1307`
`1307`	`1308`	`Ok(())`
`1308`	`1309`	`}`