Add support for git includIf config

[mathroc]

closes #750

Summary by CodeRabbit

• Bug Fixes

  • Git identity and SSH-signing now respect project-local git configuration (includeIf gitdir), resolving config relative to the repository so per-project name/email and signing keys are honored inside workspaces and forwarded into containers.

• Tests

  • Added unit and end-to-end tests validating project-scoped git user/email and SSH signing key resolution are correctly propagated into containers and SSH sessions.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR threads a workingDir through git configuration resolution: GetUser and ExtractGitConfiguration accept a workingDir and run git config in that directory when provided so includeIf "gitdir:..." directives resolve relative to the project. Callers derive the directory from workspace metadata or pass empty string.

Changes

Git includeIf resolution with directory context

Layer / File(s)	Summary
GetUser signature and directory-aware resolution pkg/gitcredentials/gitcredentials.go, pkg/gitcredentials/gitcredentials_test.go	GetUser now accepts workingDir; when empty it uses --global, otherwise it omits --global and runs git config with cmd.Dir=workingDir. Tests cover includeIf resolution and fallback cases.
Git SSH signing configuration with directory support pkg/gitsshsigning/utils.go, pkg/gitsshsigning/utils_test.go	ExtractGitConfiguration(workingDir) forwards workingDir to readGitConfigValue, which sets cmd.Dir when provided so includeIf is resolved per-project; tests validate success and missing-config error.
SSH signing key wiring through tunnel services pkg/tunnel/services.go, pkg/tunnel/services_test.go	addGitSSHSigningKey and buildCredentialsCommand thread workingDir from opts.Workspace.Source.LocalFolder into ExtractGitConfiguration; related tests updated to pass the new param.
Credential provider call sites updated for workingDir cmd/agent/container/credentials_server.go, pkg/agent/tunnelserver/tunnelserver.go, pkg/devcontainer/setup/setup.go	Callers updated to the two-argument GetUser(userName, workingDir) signature. tunnelserver.GitUser derives workingDir from workspace; others pass empty string or workspace folder as appropriate.
End-to-end SSH test e2e/tests/ssh/ssh.go	Adds a Ginkgo test that creates project/global gitconfigs with includeIf, starts the workspace, and asserts the container-side git config user.email matches the includeIf-resolved project email; fmt import added for formatting test content.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• skevetter/devpod#704: Both PRs modify pkg/tunnel/services.go's SSH signing/credential wiring and relate to how signing credentials are sourced and threaded.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change—adding support for git includeIf config resolution—which is the core objective across all modified files.
Linked Issues check	✅ Passed	The pull request successfully implements the feature requested in issue #750: git config commands are now executed from the project working directory so that includeIf directives are evaluated, allowing project-specific git settings to be imported into the devcontainer.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the objective to support git includeIf config resolution by passing working directory context through the git credential and signing key retrieval call chains, with supporting test coverage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/devcontainer/setup/setup.go`:
- Line 467: The call to gitcredentials.GetUser(userName, "") disables
directory-aware git resolution; change the second argument from "" to the
workspace working directory (the variable representing the repo/workspace path
in this scope—e.g., workspaceDir or workDir) so GetUser can resolve includeIf
and repo-specific identities correctly; if that path is not already available,
compute/obtain the absolute workspace directory and pass it into
gitcredentials.GetUser(userName, workspaceDir).

In `@pkg/gitsshsigning/utils.go`:
- Around line 32-36: The readGitConfigValue function currently runs "git config
--get <key>" and may read repo-local config from the current process directory;
change it so when workingDir == "" the git command includes the "--global" flag
to force reading the user's global ~/.gitconfig; update the logic around
exec.Command/cmd.Args in readGitConfigValue to insert "--global" before "--get"
when no workingDir is provided so the call becomes "git config --global --get
<key>" in that case.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 622e9537-e9b6-45c8-a9fc-3930bdfc16e4

📥 Commits

Reviewing files that changed from the base of the PR and between 95d2230 and ce06447.

📒 Files selected for processing (9)

• cmd/agent/container/credentials_server.go
• pkg/agent/tunnelserver/tunnelserver.go
• pkg/devcontainer/setup/setup.go
• pkg/gitcredentials/gitcredentials.go
• pkg/gitcredentials/gitcredentials_test.go
• pkg/gitsshsigning/utils.go
• pkg/gitsshsigning/utils_test.go
• pkg/tunnel/services.go
• pkg/tunnel/services_test.go

[skevetter]

This may be complex, but it would be helpful if you included an integration test of this new functionality in e2e/tests

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/devcontainer/setup/setup.go`:
- Line 163: The code is passing
cfg.SetupInfo.SubstitutionContext.LocalWorkspaceFolder into
gitcredentials.GetUser which can fail inside a container because the host path
may not exist; update the call site to pass the container path instead
(cfg.SetupInfo.SubstitutionContext.ContainerWorkspaceFolder) when available,
falling back to LocalWorkspaceFolder only if ContainerWorkspaceFolder is empty,
and ensure the change is applied where gitcredentials.GetUser is invoked
(reference the GetUser call and
cfg.SetupInfo.SubstitutionContext.LocalWorkspaceFolder/ContainerWorkspaceFolder
symbols).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8b125a7f-ee12-4a00-b2aa-0c6eede4b51e

📥 Commits

Reviewing files that changed from the base of the PR and between ce06447 and c6edf63.

📒 Files selected for processing (10)

• cmd/agent/container/credentials_server.go
• e2e/tests/ssh/ssh.go
• pkg/agent/tunnelserver/tunnelserver.go
• pkg/devcontainer/setup/setup.go
• pkg/gitcredentials/gitcredentials.go
• pkg/gitcredentials/gitcredentials_test.go
• pkg/gitsshsigning/utils.go
• pkg/gitsshsigning/utils_test.go
• pkg/tunnel/services.go
• pkg/tunnel/services_test.go

🚧 Files skipped from review as they are similar to previous changes (7)

• pkg/gitsshsigning/utils.go
• cmd/agent/container/credentials_server.go
• pkg/gitcredentials/gitcredentials.go
• pkg/gitsshsigning/utils_test.go
• pkg/gitcredentials/gitcredentials_test.go
• pkg/agent/tunnelserver/tunnelserver.go
• pkg/tunnel/services.go

[mathroc]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[skevetter]

FYSA, you can add additional commits (e.g., not necessary to continue force pushing). The commits are squashed before they are merged to main.

[mathroc]

This may be complex, but it would be helpful if you included an integration test of this new functionality in e2e/tests

I made a few tries but couldn't make an e2e test that confirms this works. I built and used devpod with this feature for past week and it's working for my use case at least.
what would like me to do? the current test is green but doesn't test includeIf itself, just that devpod forward the git user name from the local config to the container.

I can cleanup the debug logs I added and either keep the e2e test or remove it. if you have ideas on how to test includeIf too let me know I can give it another try :)

[skevetter]

This may be complex, but it would be helpful if you included an integration test of this new functionality in e2e/tests

I made a few tries but couldn't make an e2e test that confirms this works. I built and used devpod with this feature for past week and it's working for my use case at least. what would like me to do? the current test is green but doesn't test includeIf itself, just that devpod forward the git user name from the local config to the container.

I can cleanup the debug logs I added and either keep the e2e test or remove it. if you have ideas on how to test includeIf too let me know I can give it another try :)

I haven't investigated this, but it looks like the jobs are passing with your most recent changes except for lint. As long as this isn't breaking the SSH tunnel (I don't think it is), I am fine with dropping the e2e test/debug logs to ship the change. If you want, you can add the integration tests as a follow-up. Not a requirement from me.

[mathroc]

great, thx. I cleaned up what I added to try to debug the e2e test, build it again and tried it on my project to confirm I didn't break anything during my experiements

it's all green on my side :)

[skevetter]

Great work! Thanks for adding this!