feat: Private git repositories

[sstreichan]

Description

Adds support for configuring and using Personal Access Tokens (PAT) to access private Git repositories (GitHub and GitLab) via ov add-resource. Users can now store host-to-token mappings in ovcli.conf and have tokens automatically injected into git URLs during resource import.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test update

Changes Made

• Added _cmd_configure_git_credentials command to interactively configure git credentials per host
• Added _preprocess_add_resource_token to inject PATs into git URLs for ov add-resource
• Updated main to support the new configure-git-credentials command
• Introduced git_credentials mapping in ovcli.conf for host-to-token associations
• Created git_credentials.py for token injection, retrieval, and URL masking logic
• Added integration and unit tests for credential handling and token masking
• Updated documentation with guidance on using PATs for private repositories

Testing

• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• I have tested this on the following platforms:
  • Linux
  • macOS
  • Windows

Checklist

• My code follows the project's coding style
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• Any dependent changes have been merged and published

Additional Notes

Tokens are masked in logs and CLI output. The credential store uses the existing ovcli.conf config file to avoid introducing a separate secrets file.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🏅 Score: 75

🧪 PR contains tests

🔒 No security concerns identified

✅ No TODO sections

🔀 No multiple PR themes

⚡ Recommended focus areas for review GitLab token injection is incorrect The inject_token function uses the token directly as the username for all hosts, but GitLab requires oauth2:<token> as the userinfo (username oauth2, password token). This will cause authentication failures for private GitLab repositories. def inject_token(url: str, token: str) -> str: """Inject a token into an HTTPS/HTTP git URL as URL userinfo. Transforms ``https://github.com/org/repo`` to ``https://token@github.com/org/repo``. SSH (``git@``, ``ssh://``) and ``git://`` URLs are returned unchanged — token injection is not applicable for those schemes. Args: url: The repository URL. token: The authentication token to embed. Returns: URL with token injected as userinfo, or the original URL unchanged. """ if not url.startswith(("https://", "http://")): return url parsed = urlparse(url) # Build netloc with token as userinfo, replacing any pre-existing credentials. hostname = parsed.hostname or "" host_with_port = f"{hostname}:{parsed.port}" if parsed.port else hostname netloc_with_token = f"{token}@{host_with_port}" return parsed._replace(netloc=netloc_with_token).geturl() GitLab token extraction from URL is incorrect The _gitlab_zip_download function extracts the token from parsed.username, but for correctly formatted GitLab URLs (with oauth2:<token> userinfo), the token is in parsed.password. This will fail to use tokens injected for GitLab. # Extract token from embedded URL userinfo (injected client-side), fall back to env. token_from_url = parsed.username gitlab_token = token_from_url or os.environ.get("GITLAB_TOKEN")

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Use oauth2:token for GitLab URLs in inject_token For GitLab (and non-GitHub hosts), Git expects the username to be "oauth2" when using a personal access token over HTTPS. Update inject_token to use "oauth2:" for hosts not containing "github" to ensure compatibility with GitLab. openviking_cli/utils/git_credentials.py [39-62] def inject_token(url: str, token: str) -> str: """Inject a token into an HTTPS/HTTP git URL as URL userinfo. Transforms ``https://github.com/org/repo`` to ``https://token@github.com/org/repo``. + + Transforms ``https://gitlab.com/group/repo`` to + ``https://oauth2:token@gitlab.com/group/repo``. SSH (``git@``, ``ssh://``) and ``git://`` URLs are returned unchanged — token injection is not applicable for those schemes. Args: url: The repository URL. token: The authentication token to embed. Returns: URL with token injected as userinfo, or the original URL unchanged. """ if not url.startswith(("https://", "http://")): return url parsed = urlparse(url) - # Build netloc with token as userinfo, replacing any pre-existing credentials. hostname = parsed.hostname or "" host_with_port = f"{hostname}:{parsed.port}" if parsed.port else hostname - netloc_with_token = f"{token}@{host_with_port}" + + # Use token directly as username for GitHub, oauth2:token for others + if "github" in hostname.lower(): + netloc_with_token = f"{token}@{host_with_port}" + else: + netloc_with_token = f"oauth2:{token}@{host_with_port}" + return parsed._replace(netloc=netloc_with_token).geturl() Suggestion importance[1-10]: 5 __ Why: The current implementation uses the token directly as the username for all hosts, which works for GitLab, but the plan.md recommends using "oauth2:token" for non-GitHub hosts. This change improves compatibility with GitLab's documented authentication format, though it is not strictly required for functionality.	Low

[MaojiaSheng]

Could move this code into Rust?

[MaojiaSheng]

openviking_cli/setup_wizard.py is for server side setup.
you can add this in command: ov config setup-cli