ci: authenticate nksdeploy phar clone

[lukyrys]

Summary

• authenticate fallback nksdeploy clone used by the phar build script
• keep token out of logs by passing it through Git extraheader env config

Verification

• node --check scripts/build-nksdeploy-phar.mjs
• authenticated HTTPS clone of nks-hub/nksdeploy using Git extraheader

Summary by CodeRabbit

• New Features
  • Added support for GitHub token authentication during deployment. Users can now provide credentials via environment variables to improve access reliability and enable operations on private repositories.

[coderabbitai]

📝 Walkthrough

Walkthrough

The script adds a shellQuote() helper function and updates resolveSourceTree() to support optional GitHub token-based authentication for git clone operations via environment variables, replacing the prior unconditional anonymous clone approach.

Changes

GitHub Token Authentication for Git Clone

Layer / File(s)	Summary
Shell Quoting Utility scripts/build-nksdeploy-phar.mjs (lines 101–107)	A shellQuote() function safely quotes filesystem paths for shell invocation, using platform-appropriate escaping (double-quotes on Windows, single-quotes otherwise).
Authentication & Clone Logic scripts/build-nksdeploy-phar.mjs (lines 132–148)	resolveSourceTree() now checks for NKSDEPLOY_GITHUB_TOKEN, GITHUB_TOKEN, or GH_TOKEN in order; sets GIT_CONFIG_COUNT and GIT_CONFIG_KEY_*/GIT_CONFIG_VALUE_* environment variables to inject an Authorization: Basic HTTP header for https://github.com/; logs authenticated vs. anonymous mode; and invokes git clone with the shell-quoted destination and augmented environment.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A rabbit hops through paths so clear,
With tokens safe and quoting near,
Git clones now whisper GitHub's name—
Authentication's gentle game! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: authenticate nksdeploy phar clone' directly and specifically summarizes the main change: adding authentication to the nksdeploy phar clone operation in the CI build script.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-ci-nksdeploy-phar-auth

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

scripts/build-nksdeploy-phar.mjs (1)

145-148: ⚡ Quick win

Prefer argv-based Git execution over shell quoting.

This still depends on shell parsing on every platform. Since spawnSync is already available in this file, calling git with an argv array would be more portable and would let you drop shellQuote() from the clone path entirely.

♻️ Proposed refactor

-  execSync(`git clone --depth 1 https://github.com/nks-hub/nksdeploy ${shellQuote(tmp)}`, {
-    stdio: 'inherit',
-    env: cloneEnv,
-  })
+  const clone = spawnSync('git', ['clone', '--depth', '1', 'https://github.com/nks-hub/nksdeploy', tmp], {
+    stdio: 'inherit',
+    env: cloneEnv,
+  })
+  if (clone.status !== 0) {
+    die(`git clone failed with exit ${clone.status}`)
+  }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/build-nksdeploy-phar.mjs` around lines 145 - 148, Replace the
execSync call that uses shellQuote(tmp) with a spawnSync invocation to run git
with argv style; specifically, stop using execSync(...) and shellQuote and
instead call spawnSync('git', ['clone', '--depth', '1',
'https://github.com/nks-hub/nksdeploy', tmp], { stdio: 'inherit', env: cloneEnv
}) (use the existing spawnSync import), and preserve error handling/exit
behavior if the spawnSync result indicates failure; remove the shellQuote(tmp)
usage entirely.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/build-nksdeploy-phar.mjs`:
- Around line 145-148: Replace the execSync call that uses shellQuote(tmp) with
a spawnSync invocation to run git with argv style; specifically, stop using
execSync(...) and shellQuote and instead call spawnSync('git', ['clone',
'--depth', '1', 'https://github.com/nks-hub/nksdeploy', tmp], { stdio:
'inherit', env: cloneEnv }) (use the existing spawnSync import), and preserve
error handling/exit behavior if the spawnSync result indicates failure; remove
the shellQuote(tmp) usage entirely.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3f71957c-c428-49f8-9114-5d792d640f08

📥 Commits

Reviewing files that changed from the base of the PR and between ced0b7e and 2813cc0.

📒 Files selected for processing (1)

• scripts/build-nksdeploy-phar.mjs