Merge branch 'main' into fix-clean-filter-for-small-files

* main: Improve command hint to fix secret files not encrypted in index (#120) (#130) Remove Ubuntu 16.04 LTS from test matrix (#123) Configure default Git branch name for macOS tests in GitHub Handle rename of primary branch from "master" to "main" Ensure Git index is up-to-date before dirty repo check #37 (#109) Fix incorrect salt when partially staged files are commited (#119) Use shorthand for grep options for broader compatibility (#121)
elasticdog · Jan 15, 2022 · dd8bf80 · dd8bf80
2 parents 4caa777 + 331b4af
commit dd8bf80
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 22 deletions.
diff --git a/.github/workflows/run-bats-core-tests.yml b/.github/workflows/run-bats-core-tests.yml
@@ -1,12 +1,12 @@
 name: Tests
 
 on:
-  # Only run tests on push to master branch
+  # Only run tests on push to main branch
   push:
-    branches: [master]
-  # Run tests for all pull request changes targeting master
+    branches: [main]
+  # Run tests for all pull request changes targeting main
   pull_request:
-    branches: [master]
+    branches: [main]
 
 jobs:
 
@@ -28,7 +28,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-16.04, ubuntu-18.04, ubuntu-20.04, macos-latest]
+        os: [ubuntu-18.04, ubuntu-20.04, macos-latest]
 
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -40,6 +40,13 @@ jobs:
     - name: Print OpenSSL version
       run: openssl version
 
+    - name: Print Git version
+      run: git version
+
+    # Configure default Git branch name to suppress hint warnings
+    - name: Configure default Git branch to "main"
+      run: git config --global init.defaultBranch main
+
     - name: Install and set up bats-core
       run: |
         git clone https://github.com/bats-core/bats-core.git /tmp/bats-core-repo

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,8 +19,12 @@ The format is based on [Keep a Changelog][1], and this project adheres to
 
 ### Fixed
 
+- Ensure Git index is up-to-date before checking for dirty repo, to avoid
+  failures seen in CI systems where the repo seems dirty when it isn't. (#37)
 - Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104)
 - Zsh completion. (#107)
+- Fix salt generation for partial (patch) commits (#118)
+- Improve command hint to fix secret files not encrypted in index (#120)
 
 ## [2.1.0] - 2020-09-07
 

diff --git a/INSTALL.md b/INSTALL.md
@@ -1,16 +1,14 @@
-Install transcrypt
-==================
+# Install transcrypt
 
 The requirements to run transcrypt are minimal:
 
-* Bash
-* Git
-* OpenSSL
+- Bash
+- Git
+- OpenSSL
 
 You also need access to the _transcrypt_ script itself...
 
-Manual Installation
--------------------
+## Manual Installation
 
 You can add transcrypt directly to your repository, or just put it somewhere in
 your $PATH:
@@ -19,8 +17,7 @@ your $PATH:
     $ cd transcrypt/
     $ sudo ln -s ${PWD}/transcrypt /usr/local/bin/transcrypt
 
-Installation via Packages
--------------------------
+## Installation via Packages
 
 A number of packages are available for installing transcrypt directly on your
 system via its native package manager. Some of these packages also include man
@@ -29,7 +26,7 @@ page documentation as well as shell auto-completion scripts.
 ### Arch Linux
 
 If you're on Arch Linux, you can build/install transcrypt using the
-[provided PKGBUILD](https://github.com/elasticdog/transcrypt/blob/master/contrib/packaging/pacman/PKGBUILD):
+[provided PKGBUILD](https://github.com/elasticdog/transcrypt/blob/main/contrib/packaging/pacman/PKGBUILD):
 
     $ git clone https://github.com/elasticdog/transcrypt.git
     $ cd transcrypt/contrib/packaging/pacman/
@@ -50,7 +47,7 @@ If you're on NixOS, you can install transcrypt directly via
     $ nix-env -iA nixos.gitAndTools.transcrypt
 
 > _**Note:**
-> The [transcrypt derivation](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/version-management/git-and-tools/transcrypt/default.nix)
+> The [transcrypt derivation](https://github.com/NixOS/nixpkgs/blob/main/pkgs/applications/version-management/git-and-tools/transcrypt/default.nix)
 > was added in Oct 2015, so it is not available on the 15.09 channel._
 
 ### OS X

diff --git a/README.md b/README.md
@@ -183,7 +183,7 @@ re-configure transcrypt with the new credentials.
 
     $ transcrypt --flush-credentials
     $ git fetch origin
-    $ git merge origin/master
+    $ git merge origin/main
     $ transcrypt -c aes-256-cbc -p 'the-new-password'
 
 ### Command Line Options

diff --git a/tests/test_merge.bats b/tests/test_merge.bats
@@ -90,7 +90,7 @@ load "$BATS_TEST_DIRNAME/_test_helper.bash"
 
   run cat sensitive_file
   [[ "$status" -eq 0 ]]
-  [[ "${lines[0]}" = "<<<<<<< master" ]]
+  [[ "${lines[0]}" = "<<<<<<< main" ]]
   [[ "${lines[1]}" = "a. First step" ]]
   [[ "${lines[2]}" = "=======" ]]
   [[ "${lines[3]}" = "1. Step the first" ]]

diff --git a/tests/test_pre_commit.bats b/tests/test_pre_commit.bats
@@ -47,7 +47,7 @@ load "$BATS_TEST_DIRNAME/_test_helper.bash"
   [[ "${output}" = *"Transcrypt managed file is not encrypted in the Git index: sensitive_file"* ]]
   [[ "${output}" = *"You probably staged this file using a tool that does not apply .gitattribute filters as required by Transcrypt."* ]]
   [[ "${output}" = *"Fix this by re-staging the file with a compatible tool or with Git on the command line:"* ]]
-  [[ "${output}" = *"    git reset -- sensitive_file"* ]]
+  [[ "${output}" = *"    git rm --cached -- sensitive_file"* ]]
   [[ "${output}" = *"    git add sensitive_file"* ]]
 }
 

diff --git a/transcrypt b/transcrypt
@@ -52,6 +52,7 @@ realpath() {
 }
 
 # establish repository metadata and directory handling
+# shellcheck disable=SC2155
 gather_repo_metadata() {
 	# whether or not transcrypt is already configured
 	readonly CONFIGURED=$(git config --get --local transcrypt.version 2>/dev/null)
@@ -134,7 +135,7 @@ git_clean() {
 		cipher=$(git config --get --local transcrypt.cipher)
 		password=$(git config --get --local transcrypt.password)
 		openssl_path=$(git config --get --local transcrypt.openssl-path)
-		salt=$("${openssl_path}" dgst -hmac "${filename}:${password}" -sha256 "$filename" | tr -d '\r\n' | tail -c16)
+		salt=$("${openssl_path}" dgst -hmac "${filename}:${password}" -sha256 "$tempfile" | tr -d '\r\n' | tail -c16)
 		ENC_PASS=$password "$openssl_path" enc "-${cipher}" -md MD5 -pass env:ENC_PASS -e -a -S "$salt" -in "$tempfile"
 	fi
 }
@@ -220,6 +221,8 @@ run_safety_checks() {
 	# ensure the repository is clean (if it has a HEAD revision) so we can force
 	# checkout files without the destruction of uncommitted changes
 	if [[ $requires_clean_repo ]] && [[ $HEAD_EXISTS ]] && [[ $IS_BARE == 'false' ]]; then
+		# ensure index is up-to-date before dirty check
+		git update-index -q --really-refresh
 		# check if the repo is dirty
 		if ! git diff-index --quiet HEAD --; then
 			die 1 'the repo is dirty; commit or stash your changes before running transcrypt'
@@ -239,7 +242,7 @@ validate_cipher() {
 	fi
 
 	local supported
-	supported=$($list_cipher_commands | tr -s ' ' '\n' | grep --line-regexp "$cipher") || true
+	supported=$($list_cipher_commands | tr -s ' ' '\n' | grep -Fx "$cipher") || true
 	if [[ ! $supported ]]; then
 		if [[ $interactive ]]; then
 			printf '"%s" is not a valid cipher; choose one of the following:\n\n' "$cipher"
@@ -428,7 +431,7 @@ save_helper_hooks() {
 		      printf 'Fix this by re-staging the file with a compatible tool or with'
 		      printf ' Git on the command line:\n' >&2
 		      printf '\n' >&2
-		      printf '    git reset -- %s\n' "$secret_file" >&2
+		      printf '    git rm --cached -- %s\n' "$secret_file" >&2
 		      printf '    git add %s\n' "$secret_file" >&2
 		      printf '\n' >&2
 		      exit 1