Generalize pygit2 remote callback handling

Signed-off-by: Tobias Wolf <wolf@b1-systems.de>
On-behalf-of: SAP <tobias.wolf@sap.com>

Author: NotTheEvilOne

src/gardenlinux/git/__init__.py

@@ -4,7 +4,6 @@
 Git module
 """
 
-from .credentials import Credentials
 from .repository import Repository
 
-__all__ = ["Credentials", "Repository"]
+__all__ = ["Repository"]

src/gardenlinux/git/credentials.py

@@ -0,0 +1,77 @@
+# -*- coding: utf-8 -*-
+
+"""
+Git credentials provider
+"""
+
+from typing import Any, Optional
+
+from pygit2 import KeypairFromAgent
+from pygit2 import RemoteCallbacks as _RemoteCallbacks
+from pygit2 import UserPass
+from pygit2.enums import CredentialType
+
+
+class RemoteCallbacks(_RemoteCallbacks):  # type: ignore[misc]
+    """
+    pygit2.org: Base class for pygit2 remote callbacks.
+
+    :author:     Garden Linux Maintainers
+    :copyright:  Copyright 2024 SAP SE
+    :package:    gardenlinux
+    :subpackage: git
+    :since:      1.0.0
+    :license:    https://www.apache.org/licenses/LICENSE-2.0
+                 Apache License, Version 2.0
+    """
+
+    def __init__(
+        self,
+        *args: Any,
+        username: Optional[str] = None,
+        password: Optional[str] = None,
+        **kwargs: Any,
+    ):
+        """
+        Constructor __init__(RemoteCallbacks)
+
+        :param token: GitHub/Git access token for HTTPS authentication.
+                      Falls back to the GITHUB_TOKEN environment variable if not provided.
+
+        :since: 1.0.0
+        """
+
+        self._username = ""
+        self._password = ""
+
+        if username and password:
+            self._username = username
+            self._password = password
+
+    def credentials(
+        self,
+        url: str,
+        username_from_url: Optional[str],
+        allowed_types: CredentialType,
+    ) -> Optional[UserPass | KeypairFromAgent]:
+        """
+        pygit2.org: Credentials callback. If the remote server requires
+        authentication, this function will be called and its return value
+        used for authentication.
+
+                :param url: The URL being accessed (after any insteadOf rewrites)
+                :param username_from_url: Username extracted from the URL, if any
+                :param allowed_types: Bitmask of credential types the server accepts
+
+                :return: A pygit2 credential object
+                :since:  1.0.0
+        """
+
+        if allowed_types & CredentialType.USERPASS_PLAINTEXT:
+            if self._password:
+                return UserPass(self._username, self._password)
+
+        if allowed_types & CredentialType.SSH_KEY:
+            return KeypairFromAgent(username_from_url or "git")
+
+        return _RemoteCallbacks.credentials(url, username_from_url, allowed_types)

src/gardenlinux/git/remote_callbacks.py

@@ -1,17 +1,17 @@
 # -*- coding: utf-8 -*-
 
 from logging import Logger
-from os import PathLike
+from os import PathLike, environ
 from pathlib import Path
 from typing import Any, List, Optional
 
-from pygit2 import Oid, RemoteCallbacks
+from pygit2 import Oid
 from pygit2 import Repository as _Repository
 from pygit2 import init_repository
 
 from ..constants import GL_REPOSITORY_URL
 from ..logger import LoggerSetup
-from .credentials import Credentials
+from .remote_callbacks import RemoteCallbacks
 
 
 class Repository(_Repository):  # type: ignore[misc]
@@ -136,8 +136,11 @@ def checkout_repo(
             )
 
         repo = init_repository(git_directory, origin_url=repo_url)
-        callbacks = RemoteCallbacks(credentials=Credentials())
-        repo.remotes["origin"].fetch(callbacks=callbacks)
+        repo.remotes["origin"].fetch(
+            callbacks=RemoteCallbacks(
+                username=environ.get("GITHUB_TOKEN"), password="x-oauth-basic"
+            )
+        )
 
         if commit is None:
             refish = f"origin/{branch}"