feat: allow GIT_USER env var to be unset if SSH is used

[wpyoga]

Motivation

Fixes #3454 and allows me to run yarn deploy with one less environment variable.

Have you read the Contributing Guidelines on pull requests?

Yes

Test Plan

I used this on my own GitHub Pages site, and the remote URL is git@github.com:wpyoga/wpyoga.github.io.git:

$ yarn add ../docusaurus_not-require-use-ssh/packages/docusaurus
$ yarn install
$ DEPLOYMENT_BRANCH=gh-pages yarn deploy

[netlify]

✔️ [V2]
Built without sensitive environment variables

🔨 Explore the source changes: 29ae674

🔍 Inspect the deploy log: https://app.netlify.com/sites/docusaurus-2/deploys/618ba0f96a5f3c0008293460

😎 Browse the preview: https://deploy-preview-5840--docusaurus-2.netlify.app

[github-actions]

⚡️ Lighthouse report for the changes in this PR:

Category	Score
🟠 Performance	78
🟢 Accessibility	98
🟢 Best practices	100
🟢 SEO	100
🟢 PWA	95

Lighthouse ran on https://deploy-preview-5840--docusaurus-2.netlify.app/

[wpyoga]

@Josh-Cena Thanks for the input :)

I wonder why the ESLint doesn't give a warning for this?

    currentRepoUrl.match(/^([\w-]+@)?[\w.-]+:[\w.\-/_]+(\.git)?/) !== null;

After the colon, we have:

[\w.\-/_]

Why does this hyphen need to be escaped?

[Josh-Cena]

[\w.\-/_]

Because without the escape it becomes a range mark, as in [A-Z]. If the dash is placed last then you don't need the escape either: [\w./_-]

I'm not confident to say that this PR is safe to merge although it looks pretty good to me. Please resolve the conflicts and we can wait for @slorber to review this :D

[Josh-Cena]

Oops, shouldn't have force-pushed your branch😅 Anyways, fixed the branch.

[wpyoga]

Because without the escape it becomes a range mark, as in [A-Z]. If the dash is placed last then you don't need the escape either: [\w./_-]

Thank you, I've modified the regex :)

[slorber]

Thanks, that looks good to me overall, but not totally confident without running this myself.

Also, we have this code:

  const gitPass: string | undefined = process.env.GIT_PASS;
  let gitCredentials = `${gitUser}`;
  if (gitPass) {
    gitCredentials = `${gitCredentials}:${gitPass}`;
  }

Probably requires some refactoring, ensuring we don't have a 'undefined' string being passed to later method: I'd rather have a real undefined (non-string) value (even if it's ignored later in the process, it's more explicit.

Wouldn't it be easier if the doc recommended using a ssh URL? We could avoid adding the extra env variable in the commands, and only show them in another tab?

[slorber]

Where do these regexp come from? If you found there somewhere I'd appreciate a link to an immutable URL as comment.

Can you add test cases for those?

[Josh-Cena]

This seems... intuitive to me🧐

It's either ssh://*** or user@server:project.git

[slorber]

A regexp is a less readable shorthand for real code and must be tested in the same way. Similarly an if/else is intuitive until there's a bug in it 🤪

[Josh-Cena]

After the refactoring the changes make a lot of sense: the git credentials aren't even used if using SSH. The only case I'm not sure of is inferring useSSH = true when the source repo is using SSH🧐 I think in most instances that's a valid assumption?

[Josh-Cena]

I believe this is safe. The deployment works like this:

• The source repository is cloned. If the clone happens through SSH (the repo URL is SSH), it means there's already an SSH key associated in the environment to carry out all further interactions with GitHub.
• The deploy command does the build.
• In case of a cross-repo publish, the deployment repo is cloned & checked out. If using HTTPS, GH will ask for the username & password for authentication; if using SSH, the clone will always succeed (just like cloning the source repo). Note: the user here doesn't have to be the same that made the deployment commit. She just needs to have push access to the deployment repo.
• The build output is committed to the deployment branch. It requires setting the git username & email locally, which is not handled by the deploy command itself. (I wonder if it's possible to also enable GPG signing)
• The commit is pushed to the deployment origin. Already authenticated during the clone step—should always succeed.

The workflow is a bit messy and lacking explanations. I'll try to add some inline comments & refactor since we also have #5829 waiting to be merged

[slorber]

That looks fine but I haven't tested it in practice 😅 if there are errors we could patch it later anyway

Should this be merged before #5829 ? I don't know

[slorber]

what about having an external/tested hasSSHProtocol(sourceRepoUrl) fn?

[Josh-Cena]

Yeah, we can merge this and then I can test with canary myself... I don't see any clear pitfalls, but there may be corner cases