Fix git promisor fetch authorization failure with partial clones

[Copilot]

Problem

When using partial clones with fetchFilter: blob:none, git checkout operations fail during promisor fetches with authorization errors:

fatal: Cannot prompt because user interactivity has been disabled.
fatal: could not fetch 6a71b2f6ddb7efe80d6ee7dad18a1183a2cf36a3 from promisor remote
##[error]Git checkout failed with exit code: 128

This occurs because git's automatic promisor fetches (used to retrieve missing objects in partial clones) don't inherit the authorization headers that were passed as command-line arguments to the main git operations.

Root Cause

The current implementation only passes authentication as command line arguments (-c http.extraheader=...) to explicit git commands like fetch and checkout. However, git's internal promisor fetches are separate operations that don't inherit these command line configurations and need the authentication to be available in git config.

Solution

When partial clones are detected (presence of fetch filters), the authentication headers are now set up in git config using gitCommandManager.GitConfig(). This ensures that all git operations, including automatic promisor fetches, have access to the authentication credentials.

Key Changes

1. Authentication for partial clones: Added logic in GitSourceProvider.cs to detect when fetch filters are being used and set up authentication in git config
2. Automatic cleanup: Authentication config is added to the configModifications dictionary for proper cleanup via existing mechanisms
3. Error handling: Added warning if git config setup fails, but allows operation to continue
4. Minimal scope: Only affects scenarios using partial clones with authentication

How it works

// When using partial clones (fetch filters), set up authentication in git config
// so that git's automatic promisor fetches can access credentials
if (additionalFetchFilterOptions.Any())
{
    string authHeader = GenerateAuthHeader(executionContext, username, password, useBearerAuthType);
    string configValue = $"AUTHORIZATION: {authHeader}";
    int exitCode_configAuth = await gitCommandManager.GitConfig(executionContext, targetPath, configKey, configValue);
    // ... error handling and cleanup tracking
}

Testing

Added comprehensive unit test TestPartialCloneAuthenticationConfigSetup that verifies git config authentication is properly set up when using partial clones. Enhanced the MockGitCliManager to support testing git config operations.

Impact

This change only affects scenarios where:

• Fetch filters are being used (partial clones like blob:none)
• Git authentication headers are supported (v2.9+)
• Credentials are not self-managed
• UseFetchFilterInCheckoutTask knob is enabled

The fix is backward compatible and doesn't impact existing git operations that don't use partial clones.

Fixes #5143.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• 03nvsblobprodwcus014.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 055vsblobprodwcus02.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 1g1vsblobprodwcus01.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 3eavsblobprodwcus03.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 3zgvsblobprodwcus024.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 40qvsblobprodwcus022.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 4fdvsblobprodwcus012.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 5tbvsblobprodwcus06.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 61cvsblobprodwcus010.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 73dvsblobprodwcus07.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 8usvsblobprodwcus011.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• 9owvsblobprodwcus020.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• arpvsblobprodwcus017.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• crcvsblobprodwcus021.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• fslvsblobprodwcus015.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• uubvsblobprodwcus018.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• vwmvsblobprodwcus016.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)
• xg1vsblobprodwcus019.vsblob.vsassets.io
  • Triggering command: dotnet build --configuration Release -p:PackageRuntime=linux-x64 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.