From 99bc88e1397ff808a01dbbfcfa3d07e7f4b85ad6 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi <tonistiigi@gmail.com>
Date: Fri, 19 Feb 2021 00:22:02 -0800
Subject: [PATCH] git: set token only for main remote access

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 5bf64293f85a078ae21b5a1777ac7a6a81f39444)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 source/git/gitsource.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/source/git/gitsource.go b/source/git/gitsource.go
index 7cef7646..3d1bfe21 100644
--- a/source/git/gitsource.go
+++ b/source/git/gitsource.go
@@ -231,7 +231,7 @@ func (gs *gitSourceHandler) getAuthToken(ctx context.Context, g session.Group) e
 			if s.token {
 				dt = []byte("basic " + base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("x-access-token:%s", dt))))
 			}
-			gs.auth = []string{"-c", "http.extraheader=Authorization: " + string(dt)}
+			gs.auth = []string{"-c", "http." + tokenScope(gs.src.Remote) + ".extraheader=Authorization: " + string(dt)}
 			break
 		}
 		return nil
@@ -631,3 +631,14 @@ func argsNoDepth(args []string) []string {
 	}
 	return out
 }
+
+func tokenScope(remote string) string {
+	// generally we can only use the token for fetching main remote but in case of github.com we do best effort
+	// to try reuse same token for all github.com remotes. This is the same behavior actions/checkout uses
+	for _, pfx := range []string{"https://github.com/", "https://www.github.com/"} {
+		if strings.HasPrefix(remote, pfx) {
+			return pfx
+		}
+	}
+	return remote
+}