Release GCM 2.6 (#1712)

**Changes:**

- Drop no longer needed workflows (#1659)
- Documentation fixes (#1664, #1697)
- Configurable GPG store path via Git config (#1698)
- Fix Visual Studio build problems and update dependencies (#1711)
- Support sending X5C with certificate auth (#1666)

.github/workflows/codeql-analysis.yml

@@ -25,7 +25,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Setup .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 

.github/workflows/continuous-integration.yml

@@ -19,7 +19,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Setup .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -59,7 +59,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Setup .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -100,7 +100,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Setup .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 

.github/workflows/release.yml

@@ -35,7 +35,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -150,7 +150,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -177,7 +177,7 @@ jobs:
  subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
  - name: Sign payload files with Azure Code Signing
- uses: azure/trusted-signing-action@v0.3.20
+ uses: azure/trusted-signing-action@v0.4.0
  with:
  endpoint: https://wus2.codesigning.azure.net/
  trusted-signing-account-name: git-fundamentals-signing
@@ -190,7 +190,7 @@ jobs:
 
  # The Azure Code Signing action overrides the .NET version, so we reset it.
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -204,7 +204,7 @@ jobs:
  -Destination $env:GITHUB_WORKSPACE\installers
 
  - name: Sign installers with Azure Code Signing
- uses: azure/trusted-signing-action@v0.3.20
+ uses: azure/trusted-signing-action@v0.4.0
  with:
  endpoint: https://wus2.codesigning.azure.net/
  trusted-signing-account-name: git-fundamentals-signing
@@ -236,7 +236,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -314,7 +314,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -387,7 +387,7 @@ jobs:
  path: signed
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -491,7 +491,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 
@@ -561,7 +561,7 @@ jobs:
  - uses: actions/checkout@v4
 
  - name: Set up .NET
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4.0.1
  with:
  dotnet-version: 8.0.x
 

Directory.Build.props

@@ -28,7 +28,7 @@
 
  <ItemGroup Condition = "'$(TargetFramework)' == 'net472'">
  <PackageReference Include="System.Text.Json">
- <Version>7.0.2</Version>
+ <Version>8.0.4</Version>
  </PackageReference>
  </ItemGroup>
 

Directory.Build.targets

@@ -6,7 +6,7 @@
  <Import Project="$(RepoPath)build\GCM.tasks" />
 
  <!-- Use version specified in VERSION file -->
- <Target Name="GetVersion" BeforeTargets="BeforeBuild">
+ <Target Name="GetVersion" BeforeTargets="BeforeBuild;GenerateWindowsAppManifest">
  <GetVersion VersionFile="$(RepoPath)VERSION">
  <Output TaskParameter="Version" PropertyName="Version" />
  <Output TaskParameter="AssemblyVersion" PropertyName="AssemblyVersion" />
@@ -21,6 +21,7 @@
 
  <!-- Generate the manifest file before we set the win32 manifest properties -->
  <Target Name="GenerateWindowsAppManifest"
+ AfterTargets="GetVersion"
  BeforeTargets="SetWin32ManifestProperties"
  Condition="'$(GenerateWindowsAppManifest)' != 'false'"
  Inputs="$(FileVersion);$(AssemblyName)"

SECURITY.md

@@ -1,8 +1,32 @@
-# Security
+Thanks for helping make GitHub safe for everyone.
 
-If you discover a security issue in this repo, please submit it through the
-[GitHub Security Bug Bounty][hackerone-github]
+## Security
 
-Thanks for helping make GitHub products safe for everyone.
+GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
+
+Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 
+
+## Reporting Security Issues
+
+If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to opensource-security[@]github.com.
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+ * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+ * Full paths of source file(s) related to the manifestation of the issue
+ * The location of the affected source code (tag/branch/commit or direct URL)
+ * Any special configuration required to reproduce the issue
+ * Step-by-step instructions to reproduce the issue
+ * Proof-of-concept or exploit code (if possible)
+ * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Policy
+
+See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor)
 
-[hackerone-github]: https://hackerone.com/github

VERSION

@@ -1 +1 @@
-2.5.1.0
+2.6.0.0

docs/azrepos-misp.md

@@ -108,6 +108,7 @@ Type|Git Configuration|Environment Variable
 -|-|-
 Client Secret|[`credential.azreposServicePrincipalSecret`][gcm-sp-secret-config]|[`GCM_AZREPOS_SP_SECRET`][gcm-sp-secret-env]
 Certificate|[`credential.azreposServicePrincipalCertificateThumbprint`][gcm-sp-cert-config]|[`GCM_AZREPOS_SP_CERT_THUMBPRINT`][gcm-sp-cert-env]
+Send X5C|[`credential.azreposServicePrincipalCertificateSendX5C`][gcm-sp-cert-x5c-config]|[`GCM_AZREPOS_SP_CERT_SEND_X5C`][gcm-sp-cert-x5c-env]
 
 The value for these options should be the client secret or the thumbrint of the
 certificate that is associated with the Service Principal.
@@ -126,4 +127,6 @@ current user or the local machine.
 [gcm-sp-secret-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalsecret
 [gcm-sp-secret-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_SECRET
 [gcm-sp-cert-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalcertificatethumbprint
+[gcm-sp-cert-x5c-config]: https://gh.io/gcm/config#credentialazreposserviceprincipalcertificatesendx5c
 [gcm-sp-cert-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_CERT_THUMBPRINT
+[gcm-sp-cert-x5c-env]: https://gh.io/gcm/env#GCM_AZREPOS_SP_CERT_SEND_X5C

docs/configuration.md

@@ -633,6 +633,24 @@ git config --global credential.dpapiStorePath D:\credentials
 
 ---
 
+### credential.gpgPassStorePath
+
+Specify a custom directory to store GPG-encrypted [pass][pass]-compatible credential files
+in when [`credential.credentialStore`][credential-credentialstore] is set to `gpg`.
+
+Defaults to the value `~/.password-store` or `%USERPROFILE%\.password-store`.
+
+#### Example
+
+```shell
+git config --global credential.gpgPassStorePath /mnt/external-drive/.password-store
+```
+
+**Note:** Location of the password store used by [pass][pass] can be overridden by the
+`PASSWORD_STORE_DIR` environment variable, see the [man page][pass-man] for details.
+
+---
+
 ### credential.msauthFlow
 
 Specify which authentication flow should be used when performing Microsoft
@@ -858,6 +876,7 @@ You must also set at least one authentication mechanism if you set this value:
 
 - [credential.azreposServicePrincipalSecret][credential-azrepos-sp-secret]
 - [credential.azreposServicePrincipalCertificateThumbprint][credential-azrepos-sp-cert-thumbprint]
+- [credential.azreposServicePrincipalCertificateSendX5C][credential-azrepos-sp-cert-x5c]
 
 For more information about service principals, see the Azure DevOps
 [documentation][azrepos-sp-mid].
@@ -904,6 +923,25 @@ git config --global credential.azreposServicePrincipalCertificateThumbprint "9b6
 
 ---
 
+### credential.azreposServicePrincipalCertificateSendX5C
+
+When using a certificate for [service principal][service-principal] authentication, this configuration
+specifies whether the X5C claim should be should be sent to the STS. Sending the x5c
+enables application developers to achieve easy certificate rollover in Azure AD:
+this method will send the public certificate to Azure AD along with the token request,
+so that Azure AD can use it to validate the subject name based on a trusted issuer
+policy. This saves the application admin from the need to explicitly manage the
+certificate rollover. For details see [https://aka.ms/msal-net-sni](https://aka.ms/msal-net-sni).
+
+#### Example
+
+```shell
+git config --global credential.azreposServicePrincipalCertificateSendX5C true
+```
+**Also see: [GCM_AZREPOS_SP_CERT_SEND_X5C][gcm-azrepos-sp-cert-x5c]**
+
+---
+
 ### trace2.normalTarget
 
 Turns on Trace2 Normal Format tracing - see [Git's Trace2 Normal Format
@@ -1022,6 +1060,7 @@ Defaults to disabled.
 [provider-migrate]: migration.md#gcm_authority
 [cache-options]: https://git-scm.com/docs/git-credential-cache#_options
 [pass]: https://www.passwordstore.org/
+[pass-man]: https://git.zx2c4.com/password-store/about/
 [trace2-normal-docs]: https://git-scm.com/docs/api-trace2#_the_normal_format_target
 [trace2-normal-env]: environment.md#GIT_TRACE2
 [trace2-event-docs]: https://git-scm.com/docs/api-trace2#_the_event_format_target
@@ -1034,6 +1073,8 @@ Defaults to disabled.
 [credential-azrepos-sp]: #credentialazreposserviceprincipal
 [credential-azrepos-sp-secret]: #credentialazreposserviceprincipalsecret
 [credential-azrepos-sp-cert-thumbprint]: #credentialazreposserviceprincipalcertificatethumbprint
+[credential-azrepos-sp-cert-x5c]: #credentialazreposserviceprincipalcertificatesendx5c
 [gcm-azrepos-service-principal]: environment.md#GCM_AZREPOS_SERVICE_PRINCIPAL
 [gcm-azrepos-sp-secret]: environment.md#GCM_AZREPOS_SP_SECRET
 [gcm-azrepos-sp-cert-thumbprint]: environment.md#GCM_AZREPOS_SP_CERT_THUMBPRINT
+[gcm-azrepos-sp-cert-x5c]: environment.md#GCM_AZREPOS_SP_CERT_SEND_X5C

docs/environment.md

@@ -1039,6 +1039,32 @@ export GCM_AZREPOS_SP_CERT_THUMBPRINT="9b6555292e4ea21cbc2ebd23e66e2f91ebbe92dc"
 
 ---
 
+### GCM_AZREPOS_SP_CERT_SEND_X5C
+
+When using a certificate for service principal authentication, this configuration
+specifies whether the X5C claim should be should be sent to the STS. Sending the x5c
+enables application developers to achieve easy certificate rollover in Azure AD:
+this method will send the public certificate to Azure AD along with the token request,
+so that Azure AD can use it to validate the subject name based on a trusted issuer
+policy. This saves the application admin from the need to explicitly manage the
+certificate rollover. For details see [https://aka.ms/msal-net-sni](https://aka.ms/msal-net-sni).
+
+#### Windows
+
+```batch
+SET GCM_AZREPOS_SP_CERT_SEND_X5C="true"
+```
+
+#### macOS/Linux
+
+```bash
+export GCM_AZREPOS_SP_CERT_SEND_X5C="true"
+```
+
+**Also see: [credential.azreposServicePrincipalCertificateSendX5C][credential-azrepos-sp-cert-x5c]**
+
+---
+
 ### GIT_TRACE2
 
 Turns on Trace2 Normal Format tracing - see [Git's Trace2 Normal Format
@@ -1184,6 +1210,8 @@ Defaults to disabled.
 [gcm-azrepos-sp]: #gcm_azrepos_service_principal
 [gcm-azrepos-sp-secret]: #gcm_azrepos_sp_secret
 [gcm-azrepos-sp-cert-thumbprint]: #gcm_azrepos_sp_cert_thumbprint
+[gcm-azrepos-sp-cert-x5c]: #gcm_azrepos_sp_cert_send_x5c
 [credential-azrepos-sp]: configuration.md#credentialazreposserviceprincipal
 [credential-azrepos-sp-secret]: configuration.md#credentialazreposserviceprincipalsecret
 [credential-azrepos-sp-cert-thumbprint]: configuration.md#credentialazreposserviceprincipalcertificatethumbprint
+[credential-azrepos-sp-cert-x5c]: configuration.md#credentialazreposserviceprincipalcertificatesendx5c

docs/generic-oauth.md

@@ -101,7 +101,7 @@ In order to use special characters you need to URL encode the values; for
 example `@` becomes `%40`.
 
 By default GCM uses the value `OAUTH-USER` unless specified in the remote URL,
-or overriden using the `credential.<HOST>.oauthDefaultUserName` configuration.
+or overridden using the `credential.<HOST>.oauthDefaultUserName` configuration.
 
 #### Include client authentication in headers
 

src/shared/Atlassian.Bitbucket.Tests/Atlassian.Bitbucket.Tests.csproj

@@ -8,13 +8,16 @@
  </PropertyGroup>
 
  <ItemGroup>
- <PackageReference Include="coverlet.collector" Version="3.1.0">
+ <PackageReference Include="coverlet.collector" Version="6.0.2">
  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
  <PrivateAssets>all</PrivateAssets>
  </PackageReference>
- <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0" />
- <PackageReference Include="ReportGenerator" Version="5.1.9" />
- <PackageReference Include="xunit.runner.visualstudio" Version="2.3.1" />
+ <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
+ <PackageReference Include="ReportGenerator" Version="5.3.10" />
+ <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
+ <PrivateAssets>all</PrivateAssets>
+ <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+ </PackageReference>
  <DotNetCliToolReference Include="dotnet-xunit" Version="2.3.1" />
  </ItemGroup>
 

src/shared/Core.Tests/ApplicationTests.cs

@@ -244,7 +244,7 @@ public async Task Application_UnconfigureAsync_EmptyAndGcmWithOthersBefore_Remov
 
  Assert.Single(context.Git.Configuration.Global);
  Assert.True(context.Git.Configuration.Global.TryGetValue(key, out var actualValues));
- Assert.Equal(1, actualValues.Count);
+ Assert.Single(actualValues);
  Assert.Equal(beforeHelper, actualValues[0]);
  }