vcpkg/docs/users/authentication.md

# Authentication for Source Code

**The latest version of this documentation is available on [GitHub](https://github.com/Microsoft/vcpkg/tree/master/docs/users/authentication.md).**

Registries and `vcpkg_from_git()` directly use the git command line tools to fetch remote resources. Some of these resources may be protected from anonymous access and need authentication or credentials.

The strategies below all seek to achieve the same fundamental goal: `git clone https://....` should succeed without interaction. This enables vcpkg to be separated from the specifics of your authentication scheme, ensuring forwards compatibility with any additional security improvements in the future.

## Pre-seed git credentials

You can pre-seed git credentials via `git credential approve`:

Powershell:
```powershell
"url=https://github.com`npath=Microsoft/vcpkg`nusername=unused`npassword=$MY_PAT`n" | git credential approve
```
Bash:
```sh
echo "url=https://github.com"$'\n'"path=Microsoft/vcpkg"$'\n'"username=unused"$'\n'"password=$MY_PAT"$'\n' | git credential approve
```

## Bearer auth

For systems which need bearer auth, you can use `git config`:

**Note: you must make these config changes with `--global`**
```
git config --global --unset-all http.<uri>.extraheader
git config --global http.<uri>.extraheader "AUTHORIZATION: bearer <System_AccessToken>"
```
The `<uri>` can be filled in with a variety of options, documented in https://git-scm.com/docs/git-config#Documentation/git-config.txt-httplturlgt. For example, `https://dev.azure.com/MYORG/`.

(Original Source: https://github.com/Microsoft/azure-pipelines-agent/issues/1601#issuecomment-394511048).

**Note for Azure DevOps users:** You may need to enable access via Job authorization scope https://docs.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens?view=azure-devops&tabs=yaml#job-authorization-scope. You may also need to "reference" the repo in your yaml via:

```yaml
resources: 
  repositories:
    - repository: <FRIENDLYNAME>
      type: git
      name: <ORG>/<REPO>
      tag: tags/<TAG>

...

jobs:
 - job: Build
   uses:
     repositories: [<FRIENDLYNAME>]
```

## Pass credentials in an environment variable (not recommended)

Using `VCPKG_KEEP_ENV_VARS` or `VCPKG_ENV_PASSTHROUGH_UNTRACKED`, we can smuggle credential info via another var like `MY_TOKEN_VAR`.
```sh
export VCPKG_KEEP_ENV_VARS=MY_TOKEN_VAR
export MY_TOKEN_VAR=abc123
```
This can then be used in your private ports:
```cmake
# some/private/portfile.cmake
set(MY_TOKEN_VAR "")
if(DEFINED ENV{MY_TOKEN_VAR})
    set(MY_TOKEN_VAR "$ENV{MY_TOKEN_VAR}@")
endif()
vcpkg_from_git(
    URLS "https://${MY_TOKEN_VAR}host.com/normal/url/path"
    ...
)
```
```cmake
# some/other/private/portfile.cmake
vcpkg_from_github(
    AUTHORIZATION_TOKEN "$ENV{MY_TOKEN_VAR}"
)
```

For private ports, we recommend using `vcpkg_from_git()` instead of `vcpkg_from_github()` and the pre-seeding method above.

## Pass Jenkins gitUsernamePassword credentials

The simplest and most secure option to Git authentication to GitHub from Jenkins is using [GitHub App](https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc) and the following:
```groovy
withCredentials([gitUsernamePassword(credentialsId: 'jenkins-github-app')]) {
  withEnv(['VCPKG_KEEP_ENV_VARS=GIT_ASKPASS']) {
    bat 'cmake'
  }
}
```
This sets the GIT_ASKPASS with a path to helper script which responds with git credentials query and instructs `vcpkg` to keep this environment variable. The password is a [GitHub App token](https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/) with 1 hour lifetime.
[docs] Add authentication.md (#20990) * [docs] Add docs/users/authentication.md * edits * Add link to README.md * Address CR comments * Fixup Co-authored-by: Robert Schumacher <ras0219@outlook.com> 2021-11-16 01:33:53 +08:00			`# Authentication for Source Code`

			`The latest version of this documentation is available on [GitHub](https://github.com/Microsoft/vcpkg/tree/master/docs/users/authentication.md).`

			Registries and `vcpkg_from_git()` directly use the git command line tools to fetch remote resources. Some of these resources may be protected from anonymous access and need authentication or credentials.

			The strategies below all seek to achieve the same fundamental goal: `git clone https://....` should succeed without interaction. This enables vcpkg to be separated from the specifics of your authentication scheme, ensuring forwards compatibility with any additional security improvements in the future.

			`## Pre-seed git credentials`

			You can pre-seed git credentials via `git credential approve`:

			`Powershell:`
			```powershell
			"url=https://github.com`npath=Microsoft/vcpkg`nusername=unused`npassword=$MY_PAT`n" \| git credential approve
			```
			`Bash:`
			```sh
			`echo "url=https://github.com"$'\n'"path=Microsoft/vcpkg"$'\n'"username=unused"$'\n'"password=$MY_PAT"$'\n' \| git credential approve`
			```

			`## Bearer auth`

			For systems which need bearer auth, you can use `git config`:

			Note: you must make these config changes with `--global`
			```
			`git config --global --unset-all http.<uri>.extraheader`
			`git config --global http.<uri>.extraheader "AUTHORIZATION: bearer <System_AccessToken>"`
			```
			The `<uri>` can be filled in with a variety of options, documented in https://git-scm.com/docs/git-config#Documentation/git-config.txt-httplturlgt. For example, `https://dev.azure.com/MYORG/`.

			`(Original Source: https://github.com/Microsoft/azure-pipelines-agent/issues/1601#issuecomment-394511048).`

			`Note for Azure DevOps users: You may need to enable access via Job authorization scope https://docs.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens?view=azure-devops&tabs=yaml#job-authorization-scope. You may also need to "reference" the repo in your yaml via:`

			```yaml
			`resources:`
			`repositories:`
			`- repository: <FRIENDLYNAME>`
			`type: git`
			`name: <ORG>/<REPO>`
			`tag: tags/<TAG>`

			`...`

			`jobs:`
			`- job: Build`
			`uses:`
			`repositories: [<FRIENDLYNAME>]`
			```

			`## Pass credentials in an environment variable (not recommended)`

			Using `VCPKG_KEEP_ENV_VARS` or `VCPKG_ENV_PASSTHROUGH_UNTRACKED`, we can smuggle credential info via another var like `MY_TOKEN_VAR`.
			```sh
			`export VCPKG_KEEP_ENV_VARS=MY_TOKEN_VAR`
			`export MY_TOKEN_VAR=abc123`
			```
			`This can then be used in your private ports:`
			```cmake
			`# some/private/portfile.cmake`
			`set(MY_TOKEN_VAR "")`
			`if(DEFINED ENV{MY_TOKEN_VAR})`
			`set(MY_TOKEN_VAR "$ENV{MY_TOKEN_VAR}@")`
			`endif()`
			`vcpkg_from_git(`
			`URLS "https://${MY_TOKEN_VAR}host.com/normal/url/path"`
			`...`
			`)`
			```
			```cmake
			`# some/other/private/portfile.cmake`
			`vcpkg_from_github(`
			`AUTHORIZATION_TOKEN "$ENV{MY_TOKEN_VAR}"`
			`)`
			```

			For private ports, we recommend using `vcpkg_from_git()` instead of `vcpkg_from_github()` and the pre-seeding method above.
[authentication.md] Add Jenkins section (#23226) 2022-02-25 07:09:06 +08:00
			`## Pass Jenkins gitUsernamePassword credentials`

			`The simplest and most secure option to Git authentication to GitHub from Jenkins is using [GitHub App](https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc) and the following:`
			```groovy
			`withCredentials([gitUsernamePassword(credentialsId: 'jenkins-github-app')]) {`
			`withEnv(['VCPKG_KEEP_ENV_VARS=GIT_ASKPASS']) {`
			`bat 'cmake'`
			`}`
			`}`
			```
			This sets the GIT_ASKPASS with a path to helper script which responds with git credentials query and instructs `vcpkg` to keep this environment variable. The password is a [GitHub App token](https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/) with 1 hour lifetime.