* Call GitHub API to create new limited-scope token
* Use Ansible to clone (*or* update, depending on the git module's
idea of if it can update in place) using an HTTPS repo URI with this
new token, passed in as an extra-var/envvar.
* Revoke token via the API

Unfortunately, Ansible (although it may just be git itself, behind the
scenes) appears to freeze the username/password combination into the
repo's .git/config file, as part of the URI.

This means that, after the first deployment, the next
git-update/-pull/-fetch operation fails due to the initial token now
being revoked.

# Problem 2:

The git module must know that the URI contains a username and
password, because it blanks out (*only*) the password in its logged
output. However, using this with the GitHub method outlined above means
that it blanks out the fixed string "x-oauth-basic" and not the token.
Of course this is a result of GitHub's implementation choices, but
they're a big enough target for use by the git module that I believe
Ansible should deal with their choice.

Hopefully someone can tell me where I'm going wrong. No, using SSH
keys isn't an option!

* Call GitHub API to create new limited-scope token
* Use Ansible to clone (*or* update, depending on the git module's
idea of if it can update in place) using an HTTPS repo URI with this
new token, passed in as an extra-var/envvar.
* Revoke token via the API

Unfortunately, Ansible (although it may just be git itself, behind the
scenes) appears to freeze the username/password combination into the
repo's .git/config file, as part of the URI.

This means that, after the first deployment, the next
git-update/-pull/-fetch operation fails due to the initial token now
being revoked.

I can't think of anything in the current git module that would help with
this directly. You could work around it by including a task to edit the git
config after this initial checkout.

# Problem 2:

The git module must know that the URI contains a username and
password, because it blanks out (*only*) the password in its logged
output. However, using this with the GitHub method outlined above means
that it blanks out the fixed string "x-oauth-basic" and not the token.
Of course this is a result of GitHub's implementation choices, but
they're a big enough target for use by the git module that I believe
Ansible should deal with their choice.

The password blanking that Ansible does is best effort and somewhat limited
because there are just so many variations on how sensitive information can be
arbitrarily formatted. In any non-standard case, it's probably better to
explicitly specify the no_log attribute to your task:
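
Both suggestions from this thread combined in one playbook (editing the stored remote URL after checkout, and `no_log` on every task that handles the token), added here as an example and not taken from either post. The inventory group, repository, checkout path, branch and the `github_token` variable name are placeholders.

```yaml
# Added example; hosts, paths, repository and branch are placeholders.
- name: Deploy over HTTPS with a short-lived GitHub token
  hosts: app_servers                         # hypothetical inventory group
  vars:
    repo_path: example-org/example-repo      # placeholder repository
    checkout_dir: /srv/app/checkout          # placeholder path
    # github_token (hypothetical name) arrives via --extra-vars or the environment.
    clean_url: "https://github.com/{{ repo_path }}.git"
    token_url: "https://{{ github_token }}:x-oauth-basic@github.com/{{ repo_path }}.git"
  tasks:
    - name: Clone or update using the token URL
      ansible.builtin.git:
        repo: "{{ token_url }}"
        dest: "{{ checkout_dir }}"
        version: main                        # assumed branch
      # The token sits in the username position, so the module's own
      # password blanking would hide only "x-oauth-basic".
      no_log: true

    - name: Point origin back at a credential-free URL
      ansible.builtin.command:
        argv: [git, remote, set-url, origin, "{{ clean_url }}"]
        chdir: "{{ checkout_dir }}"
      changed_when: false                    # housekeeping, not a deployment change

    - name: Read back .git/config
      ansible.builtin.slurp:
        src: "{{ checkout_dir }}/.git/config"
      register: git_config
      no_log: true

    - name: Fail if the token is still in .git/config
      ansible.builtin.assert:
        that:
          - github_token not in (git_config.content | b64decode)
        quiet: true
      no_log: true
```

The scrub and check tasks are unconditional, so they run on every deployment and not only after the first checkout.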