pub fn git_credential_helper(
    cred: &Credential,
    expect_host: Option<&str>,
) -> GitCredentialHelper

Build a git credential.helper invocation that supplies cred over HTTPS
while keeping the secret out of argv (which is broadly observable). The
returned config_args install an inline
helper that prints the credential read from two environment variables; the
secret value appears only in env, i.e. the child
process environment. A leading empty credential.helper= first clears any
inherited helper so only ours runs.

The helper is a tiny POSIX-shell snippet: git runs credential.helper values
that begin with ! via the shell it ships with (so this works on Windows too,
where Git for Windows bundles its own sh — it never goes through cmd.exe).
It applies to HTTPS remotes only: git invokes a credential helper just for
HTTP(S) user/password auth, so an SSH remote ignores it and falls through to
the SSH agent. It is opt-in — built only when a CredentialProvider yields a
credential — so the default path is unchanged. The helper answers only git’s
get action (never store/erase), so the secret is never written to a
credential cache or config; it lives only in the child’s environment.

The username/secret must not contain a newline: git’s credential protocol is
line-based, so an embedded \n is read as the end of the value (git truncates
there). Real tokens and usernames never contain one.

expect_host scopes the credential to a host: when Some, the helper reads
git’s request (which names the host git is about to authenticate to) and
releases the secret only if that host matches — so a cross-host redirect or a
submodule fetch to another host can’t extract the token. None (or an
unknown host) leaves the helper ungated. Callers that know the operation’s
target (e.g. clone from its URL) pass the https_host of that target.
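
A sketch of how a helper with these properties can be assembled, added here as an example and not this crate's implementation. The EX_GIT_* variable names, the Helper struct and the build_helper and git_command functions are assumptions, as is carrying the expected host in a third environment variable instead of splicing it into the script.

```rust
use std::process::Command;
// Added illustration, not the crate's code. The EX_GIT_* variable names are invented here.
const EMIT: &str = r#"printf 'username=%s\npassword=%s\n' "$EX_GIT_USER" "$EX_GIT_SECRET""#;
// Read git's request from stdin and stop unless its host= line equals the expected host.
const GATE: &str = r#"h=; while IFS= read -r l; do case "$l" in host=*) h=${l#host=};; esac; done; [ "$h" = "$EX_GIT_HOST" ] || exit 0; "#;

pub struct Helper {
    pub config_args: Vec<String>,   // argv for git: clears inherited helpers, installs ours; no secret
    pub env: Vec<(String, String)>, // set on the child process only
}

pub fn build_helper(user: &str, secret: &str, expect_host: Option<&str>) -> Result<Helper, String> {
    // The credential protocol is line-based, so refuse values git would truncate.
    for (name, value) in [("username", user), ("secret", secret)] {
        if value.contains('\n') || value.contains('\0') {
            return Err(format!("{name} contains a newline or NUL"));
        }
    }
    let mut env = vec![
        ("EX_GIT_USER".to_string(), user.to_string()),
        ("EX_GIT_SECRET".to_string(), secret.to_string()),
    ];
    let gate = match expect_host {
        Some(host) if !host.is_empty() && !host.contains('\n') => {
            env.push(("EX_GIT_HOST".to_string(), host.to_string()));
            GATE
        }
        Some(_) => return Err("expect_host is empty or contains a newline".into()),
        None => "", // ungated: answers for any host
    };
    // git appends the action name, so the helper runs as `f get`; other actions print nothing.
    let script = format!("!f() {{ [ \"$1\" = get ] || exit 0; {}{}; }}; f", gate, EMIT);
    Ok(Helper {
        config_args: vec!["-c".into(), "credential.helper=".into(),
                          "-c".into(), format!("credential.helper={script}")],
        env,
    })
}

/// Put the -c options before the subcommand and the secret only in the child's environment.
pub fn git_command(h: &Helper, rest: &[&str]) -> Command {
    let mut cmd = Command::new("git");
    cmd.args(&h.config_args).args(rest).envs(h.env.iter().map(|(k, v)| (k, v)));
    cmd
}

fn main() {
    let h = build_helper("alice", "constructed-token", Some("git.example.com")).unwrap();
    println!("{:?}", h.config_args); // the secret does not appear here
}
```

The host comparison is an exact string match against git's host= line, which includes a port when the URL has one.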