fix(cli): resolve reference ambiguity during extension checkout#28422
fix(cli): resolve reference ambiguity during extension checkout#28422DavidAPierce wants to merge 2 commits into
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves the reliability and security of the Git extension checkout process in the CLI. By resolving references to their concrete commit SHAs and adding integrity checks, it mitigates potential issues where Git might incorrectly prioritize local branches over fetched content and ensures that pinned dependencies are correctly verified. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
|
📊 PR Size: size/M
|
|
Size Change: +765 B (0%) Total Size: 35.2 MB
ℹ️ View Unchanged
|
There was a problem hiding this comment.
Code Review
This pull request enhances the security of the Git repository cloning process by resolving the target SHA before checkout and verifying that the checked-out commit matches the expected target SHA and any pinned reference. The reviewer suggested using strict inequality instead of 'startsWith' for the SHA verification to ensure exact matching, which I agree is a more robust approach.
Note: Security Review is unavailable for this PR.
Summary
Improve the robustness of the extension clone and checkout implementation by resolving references to their concrete commit SHAs and verifying checkout integrity.
Details
During extension installation or update from a Git repository, the CLI clones the source and fetches the requested reference, which writes the target commit SHA to the
.git/FETCH_HEADpseudo-ref. Previously, the code performedgit checkout FETCH_HEAD.However, if a repository's default branch is literally named
FETCH_HEAD, Git's reference resolution during acheckoutcommand prioritizes the local branch over the pseudo-ref. This can cause the checkout to stay on the local branch instead of switching to the fetched commit.This PR refactors the checkout process to resolve the reference name unambiguously:
FETCH_HEAD) to its absolute, unambiguous commit SHA usinggit rev-parse FETCH_HEAD(asrev-parseprioritizes the.git/pseudo-refs).git checkout <sha>), forcing an unambiguous detached HEAD state on the correct target commit.git rev-parse HEAD) matches the resolved target SHA to ensure checkout integrity.Related Issues
None.
How to Validate
Run the unit tests targeting the modified git extension code:
Verify build and lint compliance:
Pre-Merge Checklist