Recursively clean git credentials from all checkouts in workspace and /tmp/

[Copilot]

clean_git_credentials.sh only cleaned the single .git/config at the workspace root, leaving credentials intact in any additional git checkouts (submodules, tool-created clones, etc.) under $GITHUB_WORKSPACE or /tmp/.

Changes

• Recursive discovery: uses find "${WORKSPACE}" /tmp -maxdepth 10 -path "*/.git/config" instead of targeting a single hardcoded path
• Deduplication: pipes through sort -u to avoid double-processing when workspace lives inside /tmp/
• Refactored into function: credential-cleaning logic extracted into clean_git_config() and called once per discovered config
• Integration tests: added clean_git_credentials_test.sh with 7 test cases covering credential removal, URL cleaning, recursive discovery, and /tmp/ scanning

# Before: single target
GIT_CONFIG_PATH="${WORKSPACE}/.git/config"

# After: all checkouts in workspace + /tmp/
find "${WORKSPACE}" /tmp -maxdepth 10 -name "config" -path "*/.git/config" | sort -u

Original prompt

Update the sh script that clears out the git credentials to recursively find git checkouts and clean then. In the workspace and in /tmp/

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

---

Changeset

• Type: patch
• Description: Ensure clean_git_credentials.sh discovers every .git/config under the workspace and /tmp/, deduplicates the list, and reuses the helper while cleaning each file.

Generated by Changeset Generator

---

---

✨ PR Review Safe Output Test - Run 22211157844

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🧪 Smoke Project is now testing project operations...

[github-actions]

🧪 Smoke Temporary ID is now testing temporary ID functionality...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 BREAKING: Smoke macOS ARM64 is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 DEVELOPING STORY: Smoke macOS ARM64 reports failed. Our correspondents are investigating the incident...

[pelikhan]

@copilot add integration test

[github-actions]

✅ Smoke Project completed successfully. All project operations validated.

[github-actions]

🤖 Smoke test results for @pelikhan and @Copilot:

Test
GitHub MCP	✅
Safe Inputs GH CLI	✅
Serena MCP	❌
Playwright	✅
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: ⚠️ PARTIAL PASS (10/11) — Serena MCP unavailable

📰 BREAKING: Report filed by Smoke Copilot for issue #17086

[github-actions]

This PR improves security by recursively cleaning git credentials from all checkouts. The refactoring into clean_git_config() is clean. Minor suggestion: document the maxdepth 10 rationale.

📰 BREAKING: Report filed by Smoke Copilot for issue #17086

[github-actions]

Nice refactor extracting this into a reusable clean_git_config() function — makes the recursive logic much cleaner to follow.

[github-actions]

-maxdepth 10 is a reasonable guard against deep nesting, but consider documenting why 10 was chosen — or using a named constant like MAX_DEPTH=10 for clarity.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke test (Codex) results
Merged PR titles: Add ecosystem domains for clojure, elixir, kotlin, scala, zig; Enforce no-secrets check on engine.env in addition to top-level env
GitHub MCP ✅
Serena MCP ✅
Playwright ✅
File write + cat ✅
Build ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex for issue #17086

[Copilot]

@copilot add integration test

Added clean_git_credentials_test.sh in 64ba040 with 7 test cases covering:

• No-op when no .git/config exists
• Removes [credential] section
• Removes http.extraheader
• Strips credentials from authenticated remote URLs
• Recursively cleans nested repos inside the workspace
• Cleans repos found in /tmp
• Config file validity after cleaning

All 13 assertions pass.

[github-actions]

Smoke Test Results — Run §22211157844

Core tests (#1–#10): ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ — all passed

PR review tests (#11–#17): ✅ ✅ ✅ ⚠️ ✅ ✅ ⚠️

• Fix orphan removal on "gh aw remove" #11 Update PR body ✅ | Weekly Research Report: AI Workflow Automation Landscape and Strategic Opportunities - August 2025 #12 Review comments ✅ | Add codex test action #13 Submit review ✅
• codex naming #14 Resolve thread ⚠️ (PRRT_ IDs unavailable via REST) | Revise caution note in README (#674) #15 Add reviewer ✅
• Update default model in Codex engine to o4-mini and adjust test expectations #16 Push to branch ✅ | Enhance timestamp and token usage extraction for Codex format in logs #17 Close PR ⚠️ (no safe PR to close)

Overall: PARTIAL — all non-skipped tests passed.

💥 [THE END] — Illustrated by Smoke Claude for issue #17086

[github-actions]

💥 Automated smoke test review - all systems nominal! The recursive credential cleaning approach looks solid. Good improvements to the clean_git_credentials.sh script.

💥 [THE END] — Illustrated by Smoke Claude for issue #17086

[Copilot]

Pull request overview

Updates the git-credential cleanup helper to recursively sanitize credentials across all git checkouts under the workspace and /tmp, and adds shell-based integration tests for the new behavior.

Changes:

• Refactors clean_git_credentials.sh to discover and clean multiple .git/config files (workspace + /tmp) via a per-config helper.
• Adds clean_git_credentials_test.sh with integration-style test cases for section removal, header removal, URL sanitization, and recursive discovery.
• Includes unrelated additions: a workflow allowlist domain tweak and a smoke-test run marker file, plus a changeset entry.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
actions/setup/sh/clean_git_credentials.sh	Recursively finds .git/config files in workspace and /tmp and sanitizes each one.
actions/setup/sh/clean_git_credentials_test.sh	Adds integration tests for credential removal and recursive discovery behavior.
.github/workflows/smoke-test-tools.lock.yml	Adds downloads.gradle-dn.com to the awf allow-domains list.
.smoke-test-22211157844	Adds a smoke-test run marker file at repo root.
.changeset/patch-clean-git-credentials-recursive.md	Declares a patch changeset for the recursive credential cleaning update.

Comments suppressed due to low confidence (1)

actions/setup/sh/clean_git_credentials_test.sh:54

• Test 1 assumes there are no .git/config files anywhere, but clean_git_credentials.sh now scans /tmp as well as the workspace. On many environments /tmp may already contain git checkouts, which will make the script print cleaning output (and not the "No .git/config" message), causing this test to be flaky. Consider adding an env var to clean_git_credentials.sh to override/disable /tmp scanning for tests (e.g., configurable scan roots), or relax this assertion to only validate workspace behavior.

# ── Test 1: No .git/config anywhere (no-op, exit 0) ─────────────────────────
echo "Test 1: No .git/config files → exit 0 with informational message"
EMPTY_WS=$(mktemp -d)
OUTPUT=$(GITHUB_WORKSPACE="${EMPTY_WS}" bash "${CLEAN_SCRIPT}" 2>&1)
EXIT_CODE=$?
rmdir "${EMPTY_WS}"
assert "exits 0 when no .git/config found" "[ ${EXIT_CODE} -eq 0 ]"
assert "prints informational message" "echo '${OUTPUT}' | grep -q 'No .git/config'"
echo ""

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

TMP_REPO=$(mktemp -d) is not guaranteed to create the directory under /tmp (e.g., on macOS it often uses $TMPDIR). Since the script explicitly scans /tmp, this test can fail depending on the platform. Create the temp repo explicitly under /tmp (portable pattern: mktemp -d /tmp/gh-aw-clean-creds.XXXXXX).

This issue also appears on line 46 of the same file.

[Copilot]

If $GITHUB_WORKSPACE is under /tmp, find "${WORKSPACE}" /tmp ... will traverse the workspace twice (once via ${WORKSPACE}, once as a subtree of /tmp). sort -u dedupes results but doesn’t avoid the extra traversal. Consider conditionally pruning ${WORKSPACE} from the /tmp walk (or only scanning /tmp when it’s not a parent of ${WORKSPACE}), and also add -type f so only regular files are passed to git config.

See below for a potential fix:

WORKSPACE_ABS="$(cd "${WORKSPACE}" && pwd -P)"

# Collect all .git/config files to clean from workspace and /tmp/
CLEANED=0
while IFS= read -r git_config; do
  clean_git_config "${git_config}"
  CLEANED=$((CLEANED + 1))
done < <(find "${WORKSPACE_ABS}" /tmp -maxdepth 10 \( -path "${WORKSPACE_ABS}" -prune -o -type f -name "config" -path "*/.git/config" -print \) 2>/dev/null | sort -u)

[Copilot]

This file appears to be an ephemeral artifact from a specific smoke test run and isn’t referenced elsewhere in the repo. It will accumulate over time and add noise to the repository history; please remove it from the PR (or add an explicit convention + .gitignore entry if these files are intended to be tracked).

[Copilot]

This PR is scoped to recursively cleaning git credentials, but this workflow change adds downloads.gradle-dn.com to the firewall allowlist. If this domain addition is required, please call it out in the PR description (or split it into a separate PR) so the security-impacting change is reviewed in the right context.