https://github.com/opsmill/infrahub-git-credential-helper
Git credential helpers for Infrahub, written in Rust. Provides infrahub-git-credential and infrahub-git-askpass as statically compiled binaries for authenticating git operations against repositories managed by Infrahub.
https://github.com/opsmill/infrahub-git-credential-helper
Last synced: about 2 months ago
JSON representation
Git credential helpers for Infrahub, written in Rust. Provides infrahub-git-credential and infrahub-git-askpass as statically compiled binaries for authenticating git operations against repositories managed by Infrahub.
- Host: GitHub
- URL: https://github.com/opsmill/infrahub-git-credential-helper
- Owner: opsmill
- License: apache-2.0
- Created: 2026-04-03T08:37:09.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-15T09:08:09.000Z (2 months ago)
- Last Synced: 2026-05-03T00:43:19.371Z (about 2 months ago)
- Language: Rust
- Size: 133 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.txt
Awesome Lists containing this project
README
# Infrahub Git Credential Helper
Git credential helpers for [Infrahub](https://github.com/opsmill/infrahub). These tools allow git processes to authenticate against repositories managed by Infrahub by fetching credentials from the Infrahub GraphQL API.
## Binaries
### `infrahub-git-credential`
A [git credential helper](https://git-scm.com/docs/gitcredentials) that implements the `get` and `store` subcommands. When git needs credentials for a remote, this helper queries Infrahub for the repository's stored credentials.
Requires `credential.useHttpPath` to be enabled:
```sh
git config --global credential.useHttpPath true
```
### `infrahub-git-askpass`
A [GIT_ASKPASS](https://git-scm.com/docs/gitcredentials#_requesting_credentials) helper. When git needs a username or password, it calls this program with a prompt string and reads the response from stdout.
## Configuration
Configuration is resolved in the following order:
| Setting | Environment Variable | TOML Config | Default |
|---------|---------------------|-------------|---------|
| Server address | `INFRAHUB_INTERNAL_ADDRESS` | `[main].internal_address` | - |
| API token | `INFRAHUB_API_TOKEN` | - | None |
| Config file path | `INFRAHUB_CONFIG` | - | `infrahub.toml` |
| Username | `INFRAHUB_USERNAME` | - | None |
| Password | `INFRAHUB_PASSWORD` | - | None |
| Timeout (seconds) | `INFRAHUB_TIMEOUT` | - | `30` |
| Proxy | `INFRAHUB_PROXY` | - | None |
| Skip TLS verification | `INFRAHUB_TLS_INSECURE` | - | `false` |
| Custom CA certificate | `INFRAHUB_TLS_CA_FILE` | - | None |
Authentication supports two methods:
- **Token auth**: set `INFRAHUB_API_TOKEN` — sent as `X-INFRAHUB-KEY` header
- **Password auth**: set `INFRAHUB_USERNAME` and `INFRAHUB_PASSWORD` — logs in via `/api/auth/login` to obtain a bearer token
Both binaries also accept `--config-file ` to override the config file path.
Environment variables take precedence over TOML values.
## Building
```sh
cargo build --release
```
Binaries are output to `target/release/infrahub-git-credential` and `target/release/infrahub-git-askpass`.
## Docker
The project includes a multi-stage Dockerfile that produces statically linked binaries (musl) in a scratch-based image. Supports both `amd64` and `arm64` architectures.
```sh
docker build -t registry.opsmill.io/opsmill/infrahub-git-credential-helper .
```
Use in a downstream Dockerfile:
```dockerfile
COPY --from=registry.opsmill.io/opsmill/infrahub-git-credential-helper:latest /usr/bin/infrahub-git-credential /usr/bin/infrahub-git-credential
COPY --from=registry.opsmill.io/opsmill/infrahub-git-credential-helper:latest /usr/bin/infrahub-git-askpass /usr/bin/infrahub-git-askpass
```
## License
This project is licensed under the Apache License, Version 2.0. See [LICENSE.txt](LICENSE.txt) for details.