Skip to content

fix: do not fetch from origin/HEAD for local repo targets #734

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 14, 2024
Merged

fix: do not fetch from origin/HEAD for local repo targets #734

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
93e621a
fix: do not fetch from origin/HEAD for local repo targets
behnazh-w May 11, 2024
4fc565f
chore: move the checkout code to the online mode block and fix docs
behnazh-w May 13, 2024
a19a2b0
docs: use HEAD commit instead of latest commit
behnazh-w May 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions docs/source/pages/using.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,11 +304,6 @@ An example configuration file for utilising this feature:
Analyzing a repository on the local file system
-----------------------------------------------

.. warning::
During the analysis, Macaron can check out different commits, which can reset the index and working tree of the repository.
Therefore, any uncommitted changes in the repository need to be backed up to prevent loss (these include unstaged changes, staged changes and untracked files).
However, Macaron will not modify the history of the repository.

.. note::
We assume that the ``origin`` remote exists in the cloned repository and checkout the relevant commits from ``origin`` only.

Expand Down Expand Up @@ -378,7 +373,12 @@ With ``rest_of_args`` being the arguments to the ``analyze`` command (e.g. ``--b

The ``--local-repos-path/-lr`` flag tells Macaron to look into ``./boo/foo`` for local repositories. For more information, please see :ref:`Command Line Usage <cli-usage>`.

.. note:: If ``--local-repos-path/-lr`` is not provided, Macaron will looks inside ``<current_working_directory>/output/git_repos/local_repos/`` whenever you provide a local path to ``--repo-path/-rp``.
.. note:: If ``--local-repos-path/-lr`` is not provided, Macaron will look inside ``<current_working_directory>/output/git_repos/local_repos/`` whenever you provide a local path to ``--repo-path/-rp``.

.. warning::
Macaron by default analyzes the current state of the local repository. However, if the user provides a branch or commit hash as input, Macaron may reset the index and working tree of the repository to check out a specific commit.
Therefore, any uncommitted changes in the repository need to be backed up to prevent loss (these include unstaged changes, staged changes and untracked files).
However, Macaron will not modify the history of the repository.

-------------------------
Running the policy engine
Expand Down
22 changes: 13 additions & 9 deletions src/macaron/slsa_analyzer/git_url.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,8 +123,10 @@ def check_out_repo_target(
will prune and update all references (e.g. tags, branches) to make sure that the local repository is up-to-date
with the repository specified by origin remote.

If ``branch_name`` and a commit are not provided, this function will checkout the latest commit of the
default branch (i.e. origin/HEAD).
If ``offline_mode`` is True and neither ``branch_name`` nor commit are provided, this function will not do anything
and the HEAD commit will be analyzed. If there are uncommitted local changes, the HEAD commit will
appear in the report but the repo with local changes will be analyzed. We leave it up to the user to decide
whether to commit the changes or not.

If ``branch_name`` is provided and a commit is not provided, this function will checkout that branch from origin
remote (i.e. origin/<branch_name).
Expand Down Expand Up @@ -181,13 +183,15 @@ def check_out_repo_target(
logger.error("Unable to fetch from the origin remote of the repository.")
return False

if not branch_name and not digest:
try:
git_obj.repo.git.checkout("--force", "origin/HEAD")
except GitCommandError:
logger.debug("Cannot checkout the default branch at origin/HEAD")
return False
# By default check out the commit at origin/HEAD only when offline_mode is False.
if not branch_name and not digest:
try:
git_obj.repo.git.checkout("--force", "origin/HEAD")
except GitCommandError:
logger.debug("Cannot checkout the default branch at origin/HEAD")
return False

# The following checkout operations will be done whether offline_mode is False or not.
if branch_name and not digest:
try:
git_obj.repo.git.checkout("--force", f"origin/{branch_name}")
Expand Down Expand Up @@ -229,7 +233,7 @@ def check_out_repo_target(
logger.critical("The current HEAD at %s. Expect %s.", final_head_commit.hexsha, digest)
return False

logger.info("Successfully checked out commit %s.", final_head_commit.hexsha)
logger.info("The HEAD commit is %s.", final_head_commit.hexsha)
return True


Expand Down