From 6117692279f665f55a8ce4822b944594465484ec Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Mon, 18 May 2026 15:24:35 +0000 Subject: [PATCH 1/5] feat(coder/modules/git-clone): add support for recursive submodule cloning and parallel jobs --- registry/coder/modules/git-clone/README.md | 44 +++++-- registry/coder/modules/git-clone/main.test.ts | 107 +++++++++++++++--- registry/coder/modules/git-clone/main.tf | 26 ++++- registry/coder/modules/git-clone/run.sh | 26 +++-- 4 files changed, 166 insertions(+), 37 deletions(-) diff --git a/registry/coder/modules/git-clone/README.md b/registry/coder/modules/git-clone/README.md index 3336770f5..4490521fd 100644 --- a/registry/coder/modules/git-clone/README.md +++ b/registry/coder/modules/git-clone/README.md @@ -14,7 +14,7 @@ This module allows you to automatically clone a repository by URL and skip if it module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" } @@ -28,7 +28,7 @@ module "git-clone" { module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" base_dir = "~/projects/coder" @@ -43,7 +43,7 @@ To use with [Git Authentication](https://coder.com/docs/v2/latest/admin/git-prov module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" } 
@@ -70,7 +70,7 @@ data "coder_parameter" "git_repo" { module "git_clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = data.coder_parameter.git_repo.value } @@ -105,7 +105,7 @@ Configuring `git-clone` for a self-hosted GitHub Enterprise Server running at `g module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.example.com/coder/coder/tree/feat/example" git_providers = { @@ -125,7 +125,7 @@ To GitLab clone with a specific branch like `feat/example` module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://gitlab.com/coder/coder/-/tree/feat/example" } @@ -137,7 +137,7 @@ Configuring `git-clone` for a self-hosted GitLab running at `gitlab.example.com` module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://gitlab.example.com/coder/coder/-/tree/feat/example" git_providers = { @@ -159,7 +159,7 @@ For example, to clone the `feat/example` branch: module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" branch_name = "feat/example" 
@@ -177,7 +177,7 @@ For example, this will clone into the `~/projects/coder/coder-dev` folder: module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" folder_name = "coder-dev" @@ -196,13 +196,33 @@ If not defined, the default, `0`, performs a full clone. module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" depth = 1 } ``` +## Recurse submodules + +Set `recurse_submodules = true` to initialize and clone submodules during the +clone (equivalent to `git clone --recurse-submodules`). + +Pair it with `clone_jobs` to fetch submodules in parallel (equivalent to +`git clone --jobs `) and speed up workspace start. + +```tf +module "git-clone" { + count = data.coder_workspace.me.start_count + source = "registry.coder.com/coder/git-clone/coder" + version = "1.4.0" + agent_id = coder_agent.example.id + url = "https://github.com/coder/coder" + recurse_submodules = true + clone_jobs = 8 +} +``` + ## Pre-clone script Run a custom script before cloning the repository by setting the `pre_clone_script` variable. @@ -212,7 +232,7 @@ This is useful for preparing the environment or validating prerequisites before module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" pre_clone_script = <<-EOT 
@@ -235,7 +255,7 @@ This is useful for running initialization tasks like installing dependencies or module "git-clone" { count = data.coder_workspace.me.start_count source = "registry.coder.com/coder/git-clone/coder" - version = "1.3.1" + version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" post_clone_script = <<-EOT diff --git a/registry/coder/modules/git-clone/main.test.ts b/registry/coder/modules/git-clone/main.test.ts index af900eeff..4a30aa4f3 100644 --- a/registry/coder/modules/git-clone/main.test.ts +++ b/registry/coder/modules/git-clone/main.test.ts @@ -1,11 +1,37 @@ import { describe, expect, it } from "bun:test"; import { - executeScriptInContainer, + execContainer, + findResourceInstance, + runContainer, runTerraformApply, runTerraformInit, testRequiredVariables, + type scriptOutput, + type TerraformState, } from "~test"; +// The clone script uses bash arrays, which busybox `sh` (alpine's default +// shell) cannot parse. Install bash in the container, then run the script +// with bash. The optional `before` setup step still runs with `sh`. +const executeScriptInContainer = async ( + state: TerraformState, + image: string, + before?: string, +): Promise => { + const instance = findResourceInstance(state, "coder_script"); + const id = await runContainer(image); + await execContainer(id, ["sh", "-c", "apk add --no-cache bash >/dev/null"]); + if (before) { + await execContainer(id, ["sh", "-c", before]); + } + const resp = await execContainer(id, ["bash", "-c", instance.script]); + return { + exitCode: resp.exitCode, + stdout: resp.stdout.trim().split("\n"), + stderr: resp.stderr.trim().split("\n"), + }; +}; + describe("git-clone", async () => { await runTerraformInit(import.meta.dir); 
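Review bot: The new `executeScriptInContainer` helper discards the results of both setup steps (`apk add --no-cache bash` and the optional `before` command), so a failed install or a broken setup command only shows up later as an unrelated assertion mismatch on the script's own exit code or output. Check the exit code right where the step runs, e.g. `const setup = await execContainer(id, ["sh", "-c", "apk add --no-cache bash >/dev/null"]);` followed by `if (setup.exitCode !== 0) throw new Error(setup.stderr);`, and do the same for `before`. The helper also makes every test run fetch an unpinned package over the network; a short comment saying why bash is needed and that the install is a test-only dependency would help the next reader.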
@@ -31,8 +57,8 @@ describe("git-clone", async () => { }); const output = await executeScriptInContainer(state, "alpine/git"); expect(output.stdout).toEqual([ - "Creating directory ~/fake-url...", - "Cloning fake-url to ~/fake-url...", + "Creating directory /root/fake-url...", + "Cloning fake-url to /root/fake-url...", ]); expect(output.stderr.join(" ")).toContain("fatal"); expect(output.stderr.join(" ")).toContain("fake-url"); @@ -207,8 +233,8 @@ describe("git-clone", async () => { const output = await executeScriptInContainer(state, "alpine/git"); expect(output.exitCode).toBe(0); expect(output.stdout).toEqual([ - "Creating directory ~/repo-tests.log...", - "Cloning https://github.com/michaelbrewer/repo-tests.log to ~/repo-tests.log on branch feat/branch...", + "Creating directory /root/repo-tests.log...", + "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...", ]); }); @@ -220,8 +246,8 @@ describe("git-clone", async () => { const output = await executeScriptInContainer(state, "alpine/git"); expect(output.exitCode).toBe(0); expect(output.stdout).toEqual([ - "Creating directory ~/repo-tests.log...", - "Cloning https://gitlab.com/mike.brew/repo-tests.log to ~/repo-tests.log on branch feat/branch...", + "Creating directory /root/repo-tests.log...", + "Cloning https://gitlab.com/mike.brew/repo-tests.log to /root/repo-tests.log on branch feat/branch...", ]); }); @@ -241,8 +267,8 @@ describe("git-clone", async () => { const output = await executeScriptInContainer(state, "alpine/git"); expect(output.exitCode).toBe(0); expect(output.stdout).toEqual([ - "Creating directory ~/repo-tests.log...", - "Cloning https://github.com/michaelbrewer/repo-tests.log to ~/repo-tests.log on branch feat/branch...", + "Creating directory /root/repo-tests.log...", + "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...", ]); }); 
@@ -256,7 +282,6 @@ describe("git-clone", async () => { const output = await executeScriptInContainer( state, "alpine/git", - "sh", "mkdir -p /tmp/fake-url && echo 'existing' > /tmp/fake-url/file.txt", ); expect(output.stdout).toContain("Running post-clone script..."); @@ -272,7 +297,7 @@ describe("git-clone", async () => { const output = await executeScriptInContainer(state, "alpine/git"); expect(output.stdout).toContain("Running pre-clone script..."); expect(output.stdout).toContain("Pre-clone script executed"); - expect(output.stdout).toContain("Cloning fake-url to ~/fake-url..."); + expect(output.stdout).toContain("Cloning fake-url to /root/fake-url..."); }); it("fails when pre-clone script fails", async () => { 
@@ -285,7 +310,64 @@ describe("git-clone", async () => { expect(output.exitCode).toBe(42); expect(output.stdout).toContain("Running pre-clone script..."); expect(output.stdout).toContain("Pre-clone script failed"); - expect(output.stdout).not.toContain("Cloning fake-url to ~/fake-url..."); + expect(output.stdout).not.toContain( + "Cloning fake-url to /root/fake-url...", + ); + }); + + it("defaults recurse_submodules to false and clone_jobs to 0", async () => { + const state = await runTerraformApply(import.meta.dir, { + agent_id: "foo", + url: "fake-url", + }); + const script = findResourceInstance(state, "coder_script").script; + expect(script).toContain('RECURSE_SUBMODULES="false"'); + expect(script).toContain('CLONE_JOBS="0"'); + }); + + it("sets RECURSE_SUBMODULES=true when recurse_submodules is enabled", async () => { + const state = await runTerraformApply(import.meta.dir, { + agent_id: "foo", + url: "fake-url", + recurse_submodules: "true", + }); + const script = findResourceInstance(state, "coder_script").script; + expect(script).toContain('RECURSE_SUBMODULES="true"'); + }); + + it("sets CLONE_JOBS when clone_jobs > 0", async () => { + const state = await runTerraformApply(import.meta.dir, { + agent_id: "foo", + url: "fake-url", + recurse_submodules: "true", + clone_jobs: "8", + }); + const script = findResourceInstance(state, "coder_script").script; + expect(script).toContain('CLONE_JOBS="8"'); + }); + + it("rejects non-positive clone_jobs", async () => { + const t = async () => { + await runTerraformApply(import.meta.dir, { + agent_id: "foo", + url: "fake-url", + clone_jobs: "-1", + }); + }; + expect(t).toThrow("clone_jobs must be a positive integer when set."); + }); + + it("rejects clone_jobs without recurse_submodules", async () => { + const t = async () => { + await runTerraformApply(import.meta.dir, { + agent_id: "foo", + url: "fake-url", + clone_jobs: "4", + }); + }; + expect(t).toThrow( + "clone_jobs only affects submodule fetching, so it requires 
recurse_submodules", + ); }); it("fails when post-clone script fails", async () => { @@ -298,7 +380,6 @@ describe("git-clone", async () => { const output = await executeScriptInContainer( state, "alpine/git", - "sh", "mkdir -p /tmp/fake-url && echo 'existing' > /tmp/fake-url/file.txt", ); expect(output.exitCode).toBe(43); diff --git a/registry/coder/modules/git-clone/main.tf b/registry/coder/modules/git-clone/main.tf index 1fb28a4d9..ec5f13395 100644 --- a/registry/coder/modules/git-clone/main.tf +++ b/registry/coder/modules/git-clone/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.9" required_providers { coder = { @@ -62,6 +62,26 @@ variable "depth" { default = 0 } +variable "recurse_submodules" { + description = "If true, clone submodules recursively (equivalent to `git clone --recurse-submodules`)." + type = bool + default = false +} + +variable "clone_jobs" { + description = "If set, fetch submodules in parallel using this many jobs (equivalent to `git clone --jobs `). Only takes effect when `recurse_submodules = true`." + type = number + default = null + validation { + condition = var.clone_jobs == null || var.clone_jobs > 0 + error_message = "clone_jobs must be a positive integer when set." + } + validation { + condition = var.clone_jobs == null || var.recurse_submodules + error_message = "clone_jobs only affects submodule fetching, so it requires recurse_submodules = true." + } +} + variable "post_clone_script" { description = "Custom script to run after cloning the repository. Runs always after git clone, even if the repository already exists." type = string 
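Review bot: The first `validation` on `clone_jobs` promises "a positive integer" but only checks `var.clone_jobs > 0`, so with `type = number` a value such as `1.5` passes the plan and is rendered into run.sh, where `[ "$CLONE_JOBS" -gt 0 ]` is an integer test and errors on it at workspace start. Checking integrality in Terraform keeps the failure at plan time: `condition = var.clone_jobs == null ? true : (var.clone_jobs > 0 && floor(var.clone_jobs) == var.clone_jobs)`. The conditional form also avoids depending on `||` skipping its right-hand operand when the value is null, which I have not confirmed for every Terraform version this module allows.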
@@ -135,7 +155,9 @@ resource "coder_script" "git_clone" { CLONE_PATH = local.clone_path, REPO_URL : local.clone_url, BRANCH_NAME : local.branch_name, - DEPTH = var.depth, + DEPTH = var.depth, + RECURSE_SUBMODULES = tostring(var.recurse_submodules), + CLONE_JOBS = coalesce(var.clone_jobs, 0), POST_CLONE_SCRIPT : local.encoded_post_clone_script, PRE_CLONE_SCRIPT : local.encoded_pre_clone_script, }) diff --git a/registry/coder/modules/git-clone/run.sh b/registry/coder/modules/git-clone/run.sh index 76928a406..fb0d83b82 100644 --- a/registry/coder/modules/git-clone/run.sh +++ b/registry/coder/modules/git-clone/run.sh @@ -8,6 +8,8 @@ BRANCH_NAME="${BRANCH_NAME}" # Expand home if it's specified! CLONE_PATH="$${CLONE_PATH/#\~/$${HOME}}" DEPTH="${DEPTH}" +RECURSE_SUBMODULES="${RECURSE_SUBMODULES}" +CLONE_JOBS="${CLONE_JOBS}" POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}" PRE_CLONE_SCRIPT="${PRE_CLONE_SCRIPT}" 
@@ -46,23 +48,27 @@ if [ -n "$PRE_CLONE_SCRIPT" ]; then rm "$PRE_CLONE_TMP" fi +# Build optional git clone flags +CLONE_FLAGS=() +if [ "$DEPTH" -gt 0 ]; then + CLONE_FLAGS+=(--depth "$DEPTH") +fi +if [ "$RECURSE_SUBMODULES" = "true" ]; then + CLONE_FLAGS+=(--recurse-submodules) +fi +if [ "$CLONE_JOBS" -gt 0 ]; then + CLONE_FLAGS+=(--jobs "$CLONE_JOBS") +fi + # Check if the directory is empty # and if it is, clone the repo, otherwise skip cloning if [ -z "$(ls -A "$CLONE_PATH")" ]; then if [ -z "$BRANCH_NAME" ]; then echo "Cloning $REPO_URL to $CLONE_PATH..." - if [ "$DEPTH" -gt 0 ]; then - git clone --depth "$DEPTH" "$REPO_URL" "$CLONE_PATH" - else - git clone "$REPO_URL" "$CLONE_PATH" - fi + git clone "$${CLONE_FLAGS[@]}" "$REPO_URL" "$CLONE_PATH" else echo "Cloning $REPO_URL to $CLONE_PATH on branch $BRANCH_NAME..." - if [ "$DEPTH" -gt 0 ]; then - git clone --depth "$DEPTH" -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH" - else - git clone "$REPO_URL" -b "$BRANCH_NAME" "$CLONE_PATH" - fi + git clone "$${CLONE_FLAGS[@]}" -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH" fi else echo "$CLONE_PATH already exists and isn't empty, skipping clone!" From 1fc855711b7a0a514c3c9a178b1cd8b0a67cec27 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Tue, 19 May 2026 03:17:55 +0000 Subject: [PATCH 2/5] feat(run): log git clone command with flags and branch information --- registry/coder/modules/git-clone/main.test.ts | 4 ++++ registry/coder/modules/git-clone/run.sh | 2 ++ 2 files changed, 6 insertions(+) diff --git a/registry/coder/modules/git-clone/main.test.ts b/registry/coder/modules/git-clone/main.test.ts index 4a30aa4f3..0327417af 100644 --- a/registry/coder/modules/git-clone/main.test.ts +++ b/registry/coder/modules/git-clone/main.test.ts 
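Review bot: Both rewritten `git clone` calls place `"$REPO_URL"` directly after the option list with no `--` separator, so a URL value that begins with `-` is parsed by git as an option rather than as the repository. The README in this series shows `url` being set from `data.coder_parameter.git_repo.value`, so the value can come from a workspace parameter; whatever main.tf does to it before it becomes `REPO_URL` is outside this hunk. Ending option parsing explicitly closes the gap: `git clone "$${CLONE_FLAGS[@]}" -- "$REPO_URL" "$CLONE_PATH"` and `git clone "$${CLONE_FLAGS[@]}" -b "$BRANCH_NAME" -- "$REPO_URL" "$CLONE_PATH"`. The same two lines are rewritten again in the run.sh hunks of PATCH 2/5 and PATCH 5/5 and need the separator there as well.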
@@ -59,6 +59,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/fake-url...", "Cloning fake-url to /root/fake-url...", + "Running: git clone fake-url /root/fake-url", ]); expect(output.stderr.join(" ")).toContain("fatal"); expect(output.stderr.join(" ")).toContain("fake-url"); @@ -235,6 +236,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/repo-tests.log...", "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...", + "Running: git clone -b feat/branch https://github.com/michaelbrewer/repo-tests.log /root/repo-tests.log", ]); }); @@ -248,6 +250,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/repo-tests.log...", "Cloning https://gitlab.com/mike.brew/repo-tests.log to /root/repo-tests.log on branch feat/branch...", + "Running: git clone -b feat/branch https://gitlab.com/mike.brew/repo-tests.log /root/repo-tests.log", ]); }); @@ -269,6 +272,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/repo-tests.log...", "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...", + "Running: git clone -b feat/branch https://github.com/michaelbrewer/repo-tests.log /root/repo-tests.log", ]); }); diff --git a/registry/coder/modules/git-clone/run.sh b/registry/coder/modules/git-clone/run.sh index fb0d83b82..db0fb373e 100644 --- a/registry/coder/modules/git-clone/run.sh +++ b/registry/coder/modules/git-clone/run.sh 
@@ -65,9 +65,11 @@ fi if [ -z "$(ls -A "$CLONE_PATH")" ]; then if [ -z "$BRANCH_NAME" ]; then echo "Cloning $REPO_URL to $CLONE_PATH..." + echo "Running: git clone $${CLONE_FLAGS[*]} $REPO_URL $CLONE_PATH" git clone "$${CLONE_FLAGS[@]}" "$REPO_URL" "$CLONE_PATH" else echo "Cloning $REPO_URL to $CLONE_PATH on branch $BRANCH_NAME..." + echo "Running: git clone $${CLONE_FLAGS[*]} -b $BRANCH_NAME $REPO_URL $CLONE_PATH" git clone "$${CLONE_FLAGS[@]}" -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH" fi else From d0629d2e28ec0c0965dd62b610f074afea0adcb5 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Tue, 19 May 2026 03:29:24 +0000 Subject: [PATCH 3/5] refactor(test): remove outdated comments regarding bash and busybox compatibility --- registry/coder/modules/git-clone/main.test.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/registry/coder/modules/git-clone/main.test.ts b/registry/coder/modules/git-clone/main.test.ts index 0327417af..9e1ddea12 100644 --- a/registry/coder/modules/git-clone/main.test.ts +++ b/registry/coder/modules/git-clone/main.test.ts @@ -10,9 +10,6 @@ import { type TerraformState, } from "~test"; -// The clone script uses bash arrays, which busybox `sh` (alpine's default -// shell) cannot parse. Install bash in the container, then run the script -// with bash. The optional `before` setup step still runs with `sh`. const executeScriptInContainer = async ( state: TerraformState, image: string, From 9d2e19de1a61032b8088abe930d2108240431d29 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Tue, 19 May 2026 06:32:24 +0000 Subject: [PATCH 4/5] feat(git-clone): replace depth, recurse_submodules, and clone_jobs with extra_args for flexible git clone options --- registry/coder/modules/git-clone/README.md | 37 +++++--------- registry/coder/modules/git-clone/main.test.ts | 48 +++---------------- registry/coder/modules/git-clone/main.tf | 36 ++++---------- registry/coder/modules/git-clone/run.sh | 16 ++----- 4 files changed, 31 insertions(+), 106 deletions(-) 
diff --git a/registry/coder/modules/git-clone/README.md b/registry/coder/modules/git-clone/README.md index 4490521fd..2d3a1a827 100644 --- a/registry/coder/modules/git-clone/README.md +++ b/registry/coder/modules/git-clone/README.md @@ -185,12 +185,12 @@ module "git-clone" { } ``` -## Git shallow clone +## Extra `git clone` arguments -Limit the clone history to speed-up workspace startup by setting `depth`. - -When `depth` is greater than `0` the module runs `git clone --depth `. -If not defined, the default, `0`, performs a full clone. +Pass any additional flags through `extra_args` (one element per argument). +This lets you enable anything `git clone` supports without the module having +to expose it explicitly — for example a shallow clone, submodules, parallel +fetches, or partial clones. ```tf module "git-clone" { @@ -199,27 +199,12 @@ module "git-clone" { version = "1.4.0" agent_id = coder_agent.example.id url = "https://github.com/coder/coder" - depth = 1 -} -``` - -## Recurse submodules - -Set `recurse_submodules = true` to initialize and clone submodules during the -clone (equivalent to `git clone --recurse-submodules`). - -Pair it with `clone_jobs` to fetch submodules in parallel (equivalent to -`git clone --jobs `) and speed up workspace start. - -```tf -module "git-clone" { - count = data.coder_workspace.me.start_count - source = "registry.coder.com/coder/git-clone/coder" - version = "1.4.0" - agent_id = coder_agent.example.id - url = "https://github.com/coder/coder" - recurse_submodules = true - clone_jobs = 8 + extra_args = [ + "--depth=1", + "--recurse-submodules", + "--jobs=8", + "--filter=blob:none", + ] } ``` diff --git a/registry/coder/modules/git-clone/main.test.ts b/registry/coder/modules/git-clone/main.test.ts index 9e1ddea12..93eaa32a5 100644 --- a/registry/coder/modules/git-clone/main.test.ts +++ b/registry/coder/modules/git-clone/main.test.ts 
@@ -316,58 +316,24 @@ describe("git-clone", async () => { ); }); - it("defaults recurse_submodules to false and clone_jobs to 0", async () => { + it("defaults extra_args to empty", async () => { const state = await runTerraformApply(import.meta.dir, { agent_id: "foo", url: "fake-url", }); const script = findResourceInstance(state, "coder_script").script; - expect(script).toContain('RECURSE_SUBMODULES="false"'); - expect(script).toContain('CLONE_JOBS="0"'); + expect(script).toContain('EXTRA_ARGS_B64=""'); }); - it("sets RECURSE_SUBMODULES=true when recurse_submodules is enabled", async () => { + it("passes extra_args to git clone", async () => { const state = await runTerraformApply(import.meta.dir, { agent_id: "foo", url: "fake-url", - recurse_submodules: "true", + extra_args: '["--recurse-submodules", "--jobs=8"]', }); - const script = findResourceInstance(state, "coder_script").script; - expect(script).toContain('RECURSE_SUBMODULES="true"'); - }); - - it("sets CLONE_JOBS when clone_jobs > 0", async () => { - const state = await runTerraformApply(import.meta.dir, { - agent_id: "foo", - url: "fake-url", - recurse_submodules: "true", - clone_jobs: "8", - }); - const script = findResourceInstance(state, "coder_script").script; - expect(script).toContain('CLONE_JOBS="8"'); - }); - - it("rejects non-positive clone_jobs", async () => { - const t = async () => { - await runTerraformApply(import.meta.dir, { - agent_id: "foo", - url: "fake-url", - clone_jobs: "-1", - }); - }; - expect(t).toThrow("clone_jobs must be a positive integer when set."); - }); - - it("rejects clone_jobs without recurse_submodules", async () => { - const t = async () => { - await runTerraformApply(import.meta.dir, { - agent_id: "foo", - url: "fake-url", - clone_jobs: "4", - }); - }; - expect(t).toThrow( - "clone_jobs only affects submodule fetching, so it requires recurse_submodules", + const output = await executeScriptInContainer(state, "alpine/git"); + expect(output.stdout).toContain( + 
"Running: git clone --recurse-submodules --jobs=8 fake-url /root/fake-url", ); }); diff --git a/registry/coder/modules/git-clone/main.tf b/registry/coder/modules/git-clone/main.tf index ec5f13395..2a2f2e722 100644 --- a/registry/coder/modules/git-clone/main.tf +++ b/registry/coder/modules/git-clone/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.9" + required_version = ">= 1.0" required_providers { coder = { @@ -56,30 +56,10 @@ variable "folder_name" { default = "" } -variable "depth" { - description = "If > 0, perform a shallow clone using this depth." - type = number - default = 0 -} - -variable "recurse_submodules" { - description = "If true, clone submodules recursively (equivalent to `git clone --recurse-submodules`)." - type = bool - default = false -} - -variable "clone_jobs" { - description = "If set, fetch submodules in parallel using this many jobs (equivalent to `git clone --jobs `). Only takes effect when `recurse_submodules = true`." - type = number - default = null - validation { - condition = var.clone_jobs == null || var.clone_jobs > 0 - error_message = "clone_jobs must be a positive integer when set." - } - validation { - condition = var.clone_jobs == null || var.recurse_submodules - error_message = "clone_jobs only affects submodule fetching, so it requires recurse_submodules = true." - } +variable "extra_args" { + description = "Extra arguments to pass to `git clone`, one element per argument (e.g. `[\"--recurse-submodules\", \"--jobs=8\", \"--filter=blob:none\"]`)." + type = list(string) + default = [] } variable "post_clone_script" { 
@@ -117,6 +97,8 @@ locals { encoded_post_clone_script = var.post_clone_script != null ? base64encode(var.post_clone_script) : "" # Encode the pre_clone_script for passing to the shell script encoded_pre_clone_script = var.pre_clone_script != null ? base64encode(var.pre_clone_script) : "" + # Encode extra clone args (newline-separated) so the shell script can split them into an array safely + encoded_extra_args = base64encode(join("\n", var.extra_args)) } output "repo_dir" { @@ -155,9 +137,7 @@ resource "coder_script" "git_clone" { CLONE_PATH = local.clone_path, REPO_URL : local.clone_url, BRANCH_NAME : local.branch_name, - DEPTH = var.depth, - RECURSE_SUBMODULES = tostring(var.recurse_submodules), - CLONE_JOBS = coalesce(var.clone_jobs, 0), + EXTRA_ARGS = local.encoded_extra_args, POST_CLONE_SCRIPT : local.encoded_post_clone_script, PRE_CLONE_SCRIPT : local.encoded_pre_clone_script, }) diff --git a/registry/coder/modules/git-clone/run.sh b/registry/coder/modules/git-clone/run.sh index db0fb373e..752e84bc2 100644 --- a/registry/coder/modules/git-clone/run.sh +++ b/registry/coder/modules/git-clone/run.sh @@ -7,9 +7,7 @@ CLONE_PATH="${CLONE_PATH}" BRANCH_NAME="${BRANCH_NAME}" # Expand home if it's specified! CLONE_PATH="$${CLONE_PATH/#\~/$${HOME}}" -DEPTH="${DEPTH}" -RECURSE_SUBMODULES="${RECURSE_SUBMODULES}" -CLONE_JOBS="${CLONE_JOBS}" +EXTRA_ARGS_B64="${EXTRA_ARGS}" POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}" PRE_CLONE_SCRIPT="${PRE_CLONE_SCRIPT}" @@ -50,14 +48,10 @@ fi # Build optional git clone flags CLONE_FLAGS=() -if [ "$DEPTH" -gt 0 ]; then - CLONE_FLAGS+=(--depth "$DEPTH") -fi -if [ "$RECURSE_SUBMODULES" = "true" ]; then - CLONE_FLAGS+=(--recurse-submodules) -fi -if [ "$CLONE_JOBS" -gt 0 ]; then - CLONE_FLAGS+=(--jobs "$CLONE_JOBS") +if [ -n "$EXTRA_ARGS_B64" ]; then + while IFS= read -r arg || [ -n "$arg" ]; do + [ -n "$arg" ] && CLONE_FLAGS+=("$arg") + done < <(echo "$EXTRA_ARGS_B64" | base64 -d) fi # Check if the directory is empty 
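Review bot: `encoded_extra_args = base64encode(join("\n", var.extra_args))` only round-trips elements that are non-empty and contain no newline, and the `extra_args` variable declared in the previous hunk has no `validation` to enforce that. An element with an embedded newline reaches `git clone` as two separate arguments, and an empty element is dropped by the `[ -n "$arg" ]` test in run.sh, which breaks the documented "one element per argument" contract without any error. Rejecting such input at plan time fixes this, e.g. `condition = alltrue([for a in var.extra_args : a != "" && length(regexall("\n", a)) == 0])` with a matching `error_message`. Separately, the previous hunk deletes the `depth` variable while the README examples stay at version 1.4.0, so templates that set `depth` will stop planning; keeping `depth` as a deprecated input mapped to `--depth` would avoid that break.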
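Review bot: The `while … read -r arg` loop appends every decoded line to `CLONE_FLAGS` unfiltered, which turns `extra_args` into a full pass-through to git's option parser; that covers options that change what git executes (a later test in this series passes `-c core.sshCommand=…`), not only performance flags. That is a reasonable contract for a template-author input, but neither the comment here nor the variable description states it, and a template that forwards a workspace parameter into `extra_args` hands that choice to whoever fills in the parameter. I would record the assumption next to the loop, e.g. `# extra_args is forwarded to git verbatim; it must come from the template, not from workspace parameters`, and repeat it in the variable description in main.tf.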
From cf98844e273cfc498db8af55562de1fc61e93428 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Tue, 19 May 2026 10:06:04 +0000 Subject: [PATCH 5/5] chore: address coder-agents-comments --- registry/coder/modules/git-clone/README.md | 7 +- registry/coder/modules/git-clone/main.test.ts | 81 ++++++++++++++++--- registry/coder/modules/git-clone/main.tf | 3 +- registry/coder/modules/git-clone/run.sh | 18 ++--- 4 files changed, 88 insertions(+), 21 deletions(-) diff --git a/registry/coder/modules/git-clone/README.md b/registry/coder/modules/git-clone/README.md index 2d3a1a827..513ba5119 100644 --- a/registry/coder/modules/git-clone/README.md +++ b/registry/coder/modules/git-clone/README.md @@ -189,9 +189,14 @@ module "git-clone" { Pass any additional flags through `extra_args` (one element per argument). This lets you enable anything `git clone` supports without the module having -to expose it explicitly — for example a shallow clone, submodules, parallel +to expose it explicitly, for example a shallow clone, submodules, parallel fetches, or partial clones. +> Do not put secrets in `extra_args`. The resolved `git clone` command +> (including every element of `extra_args`) is echoed to the workspace +> startup log, so values like `--config=http.extraHeader=Authorization: Bearer ` +> would appear there in plaintext. + ```tf module "git-clone" { count = data.coder_workspace.me.start_count diff --git a/registry/coder/modules/git-clone/main.test.ts b/registry/coder/modules/git-clone/main.test.ts index 93eaa32a5..e3175ed69 100644 --- a/registry/coder/modules/git-clone/main.test.ts +++ b/registry/coder/modules/git-clone/main.test.ts 
@@ -29,6 +29,20 @@ const executeScriptInContainer = async ( }; }; +// Drops a fake `git` onto PATH that prints each argv entry on its own line. +// Lets tests prove that arguments (including ones with embedded spaces) reach +// `git clone` as single argv tokens, which the echo line cannot show because +// it joins with spaces. +const installFakeGit = [ + "cat > /usr/local/bin/git <<'SHIM'", + "#!/bin/sh", + 'for arg in "$@"; do', + ' printf "argv:%s\\n" "$arg"', + "done", + "SHIM", + "chmod +x /usr/local/bin/git", +].join("\n"); + describe("git-clone", async () => { await runTerraformInit(import.meta.dir); @@ -56,7 +70,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/fake-url...", "Cloning fake-url to /root/fake-url...", - "Running: git clone fake-url /root/fake-url", + "Running: git clone fake-url /root/fake-url", ]); expect(output.stderr.join(" ")).toContain("fatal"); expect(output.stderr.join(" ")).toContain("fake-url"); @@ -233,7 +247,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/repo-tests.log...", "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...", - "Running: git clone -b feat/branch https://github.com/michaelbrewer/repo-tests.log /root/repo-tests.log", + "Running: git clone -b feat/branch https://github.com/michaelbrewer/repo-tests.log /root/repo-tests.log", ]); }); @@ -247,7 +261,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/repo-tests.log...", "Cloning https://gitlab.com/mike.brew/repo-tests.log to /root/repo-tests.log on branch feat/branch...", - "Running: git clone -b feat/branch https://gitlab.com/mike.brew/repo-tests.log /root/repo-tests.log", + "Running: git clone -b feat/branch https://gitlab.com/mike.brew/repo-tests.log /root/repo-tests.log", ]); }); 
@@ -269,7 +283,7 @@ describe("git-clone", async () => { expect(output.stdout).toEqual([ "Creating directory /root/repo-tests.log...", "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...", - "Running: git clone -b feat/branch https://github.com/michaelbrewer/repo-tests.log /root/repo-tests.log", + "Running: git clone -b feat/branch https://github.com/michaelbrewer/repo-tests.log /root/repo-tests.log", ]); }); 
@@ -322,18 +336,67 @@ describe("git-clone", async () => { url: "fake-url", }); const script = findResourceInstance(state, "coder_script").script; - expect(script).toContain('EXTRA_ARGS_B64=""'); + expect(script).toContain('EXTRA_ARGS=""'); }); it("passes extra_args to git clone", async () => { const state = await runTerraformApply(import.meta.dir, { agent_id: "foo", url: "fake-url", - extra_args: '["--recurse-submodules", "--jobs=8"]', + extra_args: JSON.stringify([ + "--recurse-submodules", + "--jobs=8", + "--config=user.name=Coder User", + "-c", + "core.sshCommand=ssh -i /tmp/key", + ]), }); - const output = await executeScriptInContainer(state, "alpine/git"); - expect(output.stdout).toContain( - "Running: git clone --recurse-submodules --jobs=8 fake-url /root/fake-url", + const output = await executeScriptInContainer( + state, + "alpine/git", + installFakeGit, + ); + expect(output.exitCode).toBe(0); + expect(output.stdout.join("\n")).toContain( + [ + "argv:clone", + "argv:--recurse-submodules", + "argv:--jobs=8", + "argv:--config=user.name=Coder User", + "argv:-c", + "argv:core.sshCommand=ssh -i /tmp/key", + "argv:fake-url", + "argv:/root/fake-url", + ].join("\n"), + ); + }); + + it("passes extra_args alongside branch_name in the correct order", async () => { + const state = await runTerraformApply(import.meta.dir, { + agent_id: "foo", + url: "fake-url", + branch_name: "feat/branch", + extra_args: JSON.stringify([ + "--recurse-submodules", + "--config=user.name=Coder User", + ]), + }); + const output = await executeScriptInContainer( + state, + "alpine/git", + installFakeGit, + ); + expect(output.exitCode).toBe(0); + expect(output.stdout.join("\n")).toContain( + [ + "argv:clone", + "argv:--recurse-submodules", + "argv:--config=user.name=Coder User", + "argv:-b", + "argv:feat/branch", + "argv:fake-url", + "argv:/root/fake-url", + ].join("\n"), ); }); 
diff --git a/registry/coder/modules/git-clone/main.tf b/registry/coder/modules/git-clone/main.tf index 2a2f2e722..ab2279fef 100644 --- a/registry/coder/modules/git-clone/main.tf +++ b/registry/coder/modules/git-clone/main.tf @@ -97,8 +97,7 @@ locals { encoded_post_clone_script = var.post_clone_script != null ? base64encode(var.post_clone_script) : "" # Encode the pre_clone_script for passing to the shell script encoded_pre_clone_script = var.pre_clone_script != null ? base64encode(var.pre_clone_script) : "" - # Encode extra clone args (newline-separated) so the shell script can split them into an array safely - encoded_extra_args = base64encode(join("\n", var.extra_args)) + encoded_extra_args = base64encode(join("\n", var.extra_args)) } output "repo_dir" { diff --git a/registry/coder/modules/git-clone/run.sh b/registry/coder/modules/git-clone/run.sh index 752e84bc2..bad790f83 100644 --- a/registry/coder/modules/git-clone/run.sh +++ b/registry/coder/modules/git-clone/run.sh @@ -7,7 +7,7 @@ CLONE_PATH="${CLONE_PATH}" BRANCH_NAME="${BRANCH_NAME}" # Expand home if it's specified! CLONE_PATH="$${CLONE_PATH/#\~/$${HOME}}" -EXTRA_ARGS_B64="${EXTRA_ARGS}" +EXTRA_ARGS="${EXTRA_ARGS}" POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}" PRE_CLONE_SCRIPT="${PRE_CLONE_SCRIPT}" @@ -47,11 +47,11 @@ if [ -n "$PRE_CLONE_SCRIPT" ]; then fi # Build optional git clone flags -CLONE_FLAGS=() -if [ -n "$EXTRA_ARGS_B64" ]; then +extra_args=() +if [ -n "$EXTRA_ARGS" ]; then while IFS= read -r arg || [ -n "$arg" ]; do - [ -n "$arg" ] && CLONE_FLAGS+=("$arg") - done < <(echo "$EXTRA_ARGS_B64" | base64 -d) + [ -n "$arg" ] && extra_args+=("$arg") + done < <(echo "$EXTRA_ARGS" | base64 -d) fi # Check if the directory is empty 
@@ -59,12 +59,12 @@ fi if [ -z "$(ls -A "$CLONE_PATH")" ]; then if [ -z "$BRANCH_NAME" ]; then echo "Cloning $REPO_URL to $CLONE_PATH..." - echo "Running: git clone $${CLONE_FLAGS[*]} $REPO_URL $CLONE_PATH" - git clone "$${CLONE_FLAGS[@]}" "$REPO_URL" "$CLONE_PATH" + echo "Running: git clone $${extra_args[@]:+$${extra_args[@]} }$REPO_URL $CLONE_PATH" + git clone $${extra_args[@]+"$${extra_args[@]}"} "$REPO_URL" "$CLONE_PATH" else echo "Cloning $REPO_URL to $CLONE_PATH on branch $BRANCH_NAME..." - echo "Running: git clone $${CLONE_FLAGS[*]} -b $BRANCH_NAME $REPO_URL $CLONE_PATH" - git clone "$${CLONE_FLAGS[@]}" -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH" + echo "Running: git clone $${extra_args[@]:+$${extra_args[@]} }-b $BRANCH_NAME $REPO_URL $CLONE_PATH" + git clone $${extra_args[@]+"$${extra_args[@]}"} -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH" fi else echo "$CLONE_PATH already exists and isn't empty, skipping clone!"
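Review bot: The two new `echo "Running: …"` lines expand `$${extra_args[@]}` inside a double-quoted string, which produces several words with the literal text glued to the first and last one (ShellCheck reports this as SC2145); the output is right only because `echo` joins its arguments with spaces again, and `$${extra_args[*]}` would say what is meant. The fake-git test added in this commit exists because this log line cannot show argument boundaries, so printing each argument shell-quoted would make the log trustworthy on its own: `printf 'Running: git clone'; printf ' %q' $${extra_args[@]+"$${extra_args[@]}"} "$REPO_URL" "$CLONE_PATH"; printf '\n'` (with `-b "$BRANCH_NAME"` in the branch case). The expected `Running:` strings in main.test.ts would need updating to match.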