dependabot · sachin-sandhu · Mar 6, 2025 · Mar 5, 2024 · Mar 5, 2024 · Mar 5, 2024
@@ -9,6 +9,7 @@
 require "open3"
 require "sorbet-runtime"
 require "tmpdir"
+require "securerandom"
 
 require "dependabot/credential"
 require "dependabot/simple_instrumentor"
@@ -22,7 +23,6 @@ module Dependabot
   module SharedHelpers # rubocop:disable Metrics/ModuleLength
     extend T::Sig
 
-    GIT_CONFIG_GLOBAL_PATH = T.let(File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH), String)
     USER_AGENT = T.let(
       "dependabot-core/#{Dependabot::VERSION} " \
       "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
@@ -290,12 +290,15 @@ def self.with_git_configured(credentials:, &_block)
       FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
 
       previous_config = ENV.fetch("GIT_CONFIG_GLOBAL", nil)
+      # adding a random suffix to avoid conflicts when running in parallel
+      # some package managers like bundler will modify the global git config
+      git_config_global_path = File.expand_path("#{SecureRandom.hex(16)}.gitconfig", Utils::BUMP_TMP_DIR_PATH)
       previous_terminal_prompt = ENV.fetch("GIT_TERMINAL_PROMPT", nil)
 
       begin
-        ENV["GIT_CONFIG_GLOBAL"] = GIT_CONFIG_GLOBAL_PATH
+        ENV["GIT_CONFIG_GLOBAL"] = git_config_global_path
         ENV["GIT_TERMINAL_PROMPT"] = "false"
-        configure_git_to_use_https_with_credentials(credentials, safe_directories)
+        configure_git_to_use_https_with_credentials(credentials, safe_directories, git_config_global_path)
         yield
       ensure
         ENV["GIT_CONFIG_GLOBAL"] = previous_config
@@ -304,7 +307,7 @@ def self.with_git_configured(credentials:, &_block)
     rescue Errno::ENOSPC => e
       raise Dependabot::OutOfDisk, e.message
     ensure
-      FileUtils.rm_f(GIT_CONFIG_GLOBAL_PATH)
+      FileUtils.rm_f(T.must(git_config_global_path))
     end
 
     # Handle SCP-style git URIs
@@ -321,9 +324,12 @@ def self.credential_helper_path
     end
 
     # rubocop:disable Metrics/PerceivedComplexity
-    sig { params(credentials: T::Array[Dependabot::Credential], safe_directories: T::Array[String]).void }
-    def self.configure_git_to_use_https_with_credentials(credentials, safe_directories)
-      File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
+    sig do
+      params(credentials: T::Array[Dependabot::Credential], safe_directories: T::Array[String],
+             git_config_global_path: String).void
+    end
+    def self.configure_git_to_use_https_with_credentials(credentials, safe_directories, git_config_global_path)
+      File.open(git_config_global_path, "w") do |file|
         file << "# Generated by dependabot/dependabot-core"
       end
 

@@ -599,14 +599,18 @@ def alternatives(host)
     end
 
     let(:credentials) { [] }
-    let(:git_config_path) { File.expand_path(".gitconfig", tmp) }
+    let(:git_config_path) { File.expand_path("XXXXXXXXXXXXXXXX.gitconfig", tmp) }
     let(:configured_git_config) { with_git_configured { `cat #{git_config_path}` } }
     let(:configured_git_credentials) { with_git_configured { `cat #{Dir.pwd}/git.store` } }
 
     def with_git_configured(&block)
       Dependabot::SharedHelpers.with_git_configured(credentials: credentials, &block)
     end
 
+    before do
+      allow(SecureRandom).to receive(:hex).and_return("XXXXXXXXXXXXXXXX")
+    end
+
     context "when the global .gitconfig has a safe directory" do
       before do
         Open3.capture2("git config --global --add safe.directory /home/dependabot/dependabot-core/repo")
@@ -749,10 +753,10 @@ def with_git_configured(&block)
     context "when the host has run out of disk space" do
       before do
         allow(File).to receive(:open)
-          .with(described_class::GIT_CONFIG_GLOBAL_PATH, anything)
+          .with(git_config_path, anything)
           .and_raise(Errno::ENOSPC)
         allow(FileUtils).to receive(:rm_f)
-          .with(described_class::GIT_CONFIG_GLOBAL_PATH)
+          .with(git_config_path)
       end
 
       specify { expect { configured_git_config }.to raise_error(Dependabot::OutOfDisk) }