Fix global auth when GIT_CONFIG_GLOBAL is set in the environment

__test__/git-auth-helper.test.ts

@@ -902,6 +902,25 @@ describe('git-auth-helper tests', () => {
     }
   })
 
+  const configureGlobalAuth_overridesGitConfigGlobal =
+    'configureGlobalAuth overrides GIT_CONFIG_GLOBAL'
+  it(configureGlobalAuth_overridesGitConfigGlobal, async () => {
+    // Arrange
+    await setup(configureGlobalAuth_overridesGitConfigGlobal)
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Act
+    await authHelper.configureAuth()
+    await authHelper.configureGlobalAuth()
+
+    // Assert GIT_CONFIG_GLOBAL is pinned to the temporary global config, so an
+    // inherited GIT_CONFIG_GLOBAL cannot redirect --global writes
+    expect(git.env['HOME']).toBeTruthy()
+    expect(git.env['GIT_CONFIG_GLOBAL']).toBe(
+      path.join(git.env['HOME'], '.gitconfig')
+    )
+  })
+
   const removeGlobalConfig_removesOverride =
     'removeGlobalConfig removes override'
   it(removeGlobalConfig_removesOverride, async () => {
@@ -912,13 +931,15 @@ describe('git-auth-helper tests', () => {
     await authHelper.configureGlobalAuth()
     const homeOverride = git.env['HOME'] // Sanity check
     expect(homeOverride).toBeTruthy()
+    expect(git.env['GIT_CONFIG_GLOBAL']).toBeTruthy()
     await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
 
     // Act
     await authHelper.removeGlobalConfig()
 
     // Assert
     expect(git.env['HOME']).toBeUndefined()
+    expect(git.env['GIT_CONFIG_GLOBAL']).toBeUndefined()
     try {
       await fs.promises.stat(homeOverride)
       throw new Error(`Should have been deleted '${homeOverride}'`)

dist/index.js

@@ -224,6 +224,10 @@ class GitAuthHelper {
             // Override HOME
             core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`);
             this.git.setEnvironmentVariable('HOME', this.temporaryHomePath);
+            // GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global
+            // config file. Pin it to the temporary config so an inherited
+            // GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere.
+            this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath);
             return newGitConfigPath;
         });
     }
@@ -307,8 +311,9 @@ class GitAuthHelper {
         return __awaiter(this, void 0, void 0, function* () {
             var _a;
             if (((_a = this.temporaryHomePath) === null || _a === void 0 ? void 0 : _a.length) > 0) {
-                core.debug(`Unsetting HOME override`);
+                core.debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`);
                 this.git.removeEnvironmentVariable('HOME');
+                this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL');
                 yield io.rmRF(this.temporaryHomePath);
             }
         });

src/git-auth-helper.ts

@@ -122,6 +122,11 @@ class GitAuthHelper {
     )
     this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
 
+    // GIT_CONFIG_GLOBAL takes precedence over HOME when locating the global
+    // config file. Pin it to the temporary config so an inherited
+    // GIT_CONFIG_GLOBAL cannot redirect our global git config writes elsewhere.
+    this.git.setEnvironmentVariable('GIT_CONFIG_GLOBAL', newGitConfigPath)
+
     return newGitConfigPath
   }
 
@@ -237,8 +242,9 @@ class GitAuthHelper {
 
   async removeGlobalConfig(): Promise<void> {
     if (this.temporaryHomePath?.length > 0) {
-      core.debug(`Unsetting HOME override`)
+      core.debug(`Unsetting HOME and GIT_CONFIG_GLOBAL overrides`)
       this.git.removeEnvironmentVariable('HOME')
+      this.git.removeEnvironmentVariable('GIT_CONFIG_GLOBAL')
       await io.rmRF(this.temporaryHomePath)
     }
   }