Skip to content

feat(terragrunt): add GitHub authentication support #7359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
olblak merged 3 commits into from
Jan 2, 2026
Merged

feat(terragrunt): add GitHub authentication support #7359

olblak merged 3 commits into from
Jan 2, 2026

Conversation

@eugenestarchenko
Copy link
Contributor

@eugenestarchenko eugenestarchenko commented Dec 31, 2025
edited
Loading

Problem

Terragrunt autodiscovery had no support for authenticating to private GitHub repositories. While other autodiscovery plugins (githubaction, etc.) support GitHub tokens, terragrunt plugin would fail when encountering private repos.

Solution

Added generic authentication support that works with any Git provider:

Configuration

autodiscovery:
  crawlers:
    terragrunt:
      rootdir: "infrastructure"
      token: "ghp_xxxxxxxxxxxx"  # must be explicitly set

Token Resolution

Token must be explicitly set for private repositories. No auto-detection.

Template functions can be used to read from environment:
token: "{{ requiredEnv "GITHUB_TOKEN" }}"
token: "{{ requiredEnv "GITLAB_TOKEN" }}"

Implementation

  • Uses simple Token *string field (flat, provider-agnostic)
  • No external dependencies (removed github/token package)
  • Injects authentication into generated SCM configurations
  • Only adds password field when token is set (doesn't break public repos)

Testing

Added TestGetToken with test coverage for:

  • Nil token (no authentication)
  • Empty token (no authentication)
  • GitHub token (uses specific token)
  • GitLab token (uses specific token)

@eugenestarchenko
feat(terragrunt): add GitHub authentication support
ae9d201 
Added support for GitHub token authentication when accessing private
repositories during autodiscovery.

Implementation:
- New 'github.token' configuration option in Spec
- Auto-detection from UPDATECLI_GITHUB_TOKEN or GITHUB_TOKEN env vars
- Uses official github/token package for token resolution
- Injects authentication into generated SCM configurations

Token precedence (highest to lowest):
1. Spec configuration (github.token)
2. UPDATECLI_GITHUB_TOKEN environment variable
3. GITHUB_TOKEN environment variable

Added comprehensive tests for token precedence logic.

This brings terragrunt autodiscovery in line with other plugins
(githubaction, etc.) for handling private repository access.
@olblak
Copy link
Member

olblak commented Dec 31, 2025

Thanks for the pull request, this is an issue that I noticed while working on #7238
Definitely interested

olblak
olblak reviewed Jan 1, 2026
View reviewed changes
olblak
olblak reviewed Jan 1, 2026
View reviewed changes
@eugenestarchenko
Copy link
Contributor Author

eugenestarchenko commented Jan 1, 2026

I've refactored the implementation based on your feedback

@olblak
Copy link
Member

olblak commented Jan 2, 2026

Thanks for the pull request, I am planning to push a new release early next week

@olblak olblak added enhancement New feature or request autodiscovery All things related to the autodiscovery feature resource-terragrunt labels Jan 2, 2026
@olblak olblak enabled auto-merge (squash) January 2, 2026 18:19
@olblak olblak merged commit b346eb5 into updatecli:main Jan 2, 2026
5 checks passed
eugenestarchenko added a commit to eugenestarchenko/updatecli that referenced this pull request Jan 12, 2026
@eugenestarchenko
fix(terragrunt): add missing username for token authentication
c656475 
  Fix token-only authentication by providing username default for go-git.

  PR updatecli#7359 added token support but token-only auth fails because go-git
  requires non-empty username for HTTP BasicAuth. This fix adds:

  - Username *string field to Spec with oauth2 default
  - getUsername() method matching GitHub SCM plugin behavior
  - Updated manifest template to include username field
  - Test coverage for getUsername()

  Fixes token authentication added in updatecli#7359
@eugenestarchenko eugenestarchenko mentioned this pull request Jan 12, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olblak olblak olblak approved these changes

Assignees

No one assigned

Labels

autodiscovery All things related to the autodiscovery feature enhancement New feature or request resource-terragrunt

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eugenestarchenko @olblak