antonio-mello-ai opened a new pull request, #63471: URL: https://github.com/apache/airflow/pull/63471
## Description

Git does not send credentials for public repositories because the server never responds with a 401 challenge. This causes Airflow's DAG bundle git fetches to hit **anonymous rate limits** even when valid credentials are configured in the connection.

### Root cause

Git's HTTPS behavior: it always tries anonymous access first and only sends credentials if the server responds with 401. Public repos don't issue 401, so credentials embedded in the URL are never sent.

### Fix

When an HTTP/HTTPS connection has an `auth_token`, set `GIT_CONFIG_*` environment variables to inject an `http.extraHeader` with a `Basic` auth token:

```
GIT_CONFIG_COUNT=1
GIT_CONFIG_KEY_0=http.extraHeader
GIT_CONFIG_VALUE_0=Authorization: Basic <base64(username:password)>
```

This forces git to send the `Authorization` header on every request (git >= 2.31), allowing authenticated rate limits to apply even for public repositories.

Also updated `_fetch_bare_repo` in `GitDagBundle` to pass **all** hook env vars via `custom_environment(**self.hook.env)` instead of only `GIT_SSH_COMMAND`. This ensures the auth header is used during both clone and fetch operations.

### Changes

- `GitHook._set_http_auth_env()`: New method that encodes credentials and sets `GIT_CONFIG_*` env vars.
- `GitHook._process_git_auth_url()`: Calls `_set_http_auth_env()` when HTTPS/HTTP + auth_token.
- `GitDagBundle._fetch_bare_repo()`: Passes all env vars (SSH + HTTP auth) instead of only SSH.

### Backward compatibility

- URL-embedded credentials are **kept** for backward compatibility (they still work for private repos via 401 challenge).
- SSH connections are not affected (no `GIT_CONFIG_*` vars are set for SSH URLs).
- The `GIT_CONFIG_*` env vars require git >= 2.31 (March 2021).

### Tests

- 4 new tests: HTTPS auth sets header, HTTP auth sets header, no auth skips header, SSH skips header.
- All 17 hook tests + 80 bundle tests pass.

Closes #54829

Co-Authored-By: Claude Opus 4.6 <[email protected]>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
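
The `GIT_CONFIG_*` mechanism described in the pull request, as an added example that is not the PR's or Airflow's own code. The function names and sample values are hypothetical, and it makes two assumptions beyond the description: the key is scoped to the repository's origin using git's per-URL form `http.<url>.extraHeader`, so the token is not attached to requests for other hosts, and any `GIT_CONFIG_COUNT` already present in the environment is extended rather than overwritten.

```python
import base64
from urllib.parse import urlsplit


def git_http_auth_env(repo_url, username, token, base_env=None):
    """Return env vars that make git (>= 2.31) send Basic auth pre-emptively.

    Hypothetical helper, not GitHook._set_http_auth_env() from the PR.
    """
    parts = urlsplit(repo_url)
    # SSH (scp-style or ssh://) and local paths get no GIT_CONFIG_* vars.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {}
    if not token:
        return {}

    # Rebuild the origin from host and port only, so credentials embedded
    # in the URL (user:password@) never end up inside the config key.
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port:
        origin += f":{parts.port}"

    creds = base64.b64encode(f"{username}:{token}".encode()).decode("ascii")

    # Append after entries the caller already injected via GIT_CONFIG_COUNT.
    index = int((base_env or {}).get("GIT_CONFIG_COUNT", "0"))
    return {
        "GIT_CONFIG_COUNT": str(index + 1),
        # Assumption: per-URL scoping instead of the global http.extraHeader.
        f"GIT_CONFIG_KEY_{index}": f"http.{origin}/.extraHeader",
        f"GIT_CONFIG_VALUE_{index}": f"Authorization: Basic {creds}",
    }


def redact(env):
    """Copy of env that is safe to log: injected config values are masked."""
    return {
        key: "***" if key.startswith("GIT_CONFIG_VALUE_") else value
        for key, value in env.items()
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = git_http_auth_env(
        "https://github.com/apache/airflow.git", "bot", "tok123"
    )
    print(redact(sample))
```

Because the whole environment is handed to the git subprocess, the `Authorization` value is a secret wherever that environment is logged or dumped, which is why the example masks it before printing.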
