
Support rotating Git credentials #58

Merged

dee-kryvenko merged 4 commits into plumber-cd:master from oneingan:feat/reload-git-auth on Feb 28, 2026

Conversation

@oneingan (Contributor) commented Feb 28, 2026

What

  • Add GIT_PASSWORD_FILE and GITHUB_TOKEN_FILE to read HTTP git credentials from files (trimmed), useful for short-lived tokens.
  • Refresh Git auth right before each remote operation (clone/pull/fetch/push), so rotated tokens are picked up automatically without restarts, signals, or file watchers.
  • Add unit tests for HTTP credential discovery and token file re-read behavior.

Why

Long-lived terraform-backend-git daemons cache git auth on clone; when tokens rotate/expire, pulls/pushes start failing. Reading credentials from a file and resolving auth per remote operation keeps the backend vendor-agnostic and works well with common rotation mechanisms (e.g. Kubernetes Secret atomic symlink swaps).

How to use

  • Set GIT_USERNAME and one of GIT_PASSWORD_FILE / GITHUB_TOKEN_FILE.
  • Rotate the file contents as needed; new remote operations will use the updated value.

Test

  • nix shell nixpkgs#go nixpkgs#gcc -c go test ./...

@dee-kryvenko (Member) commented

Hey @oneingan - thanks, this is a really good idea. I don't think SIGHUP is going to cut it though. In an environment like kubernetes, there would be nothing to send it. Better to set up a file watcher.

@oneingan (Contributor, Author) commented Feb 28, 2026

Good point re Kubernetes. Rather than relying on SIGHUP (which isn’t a great operational fit in many K8s setups) or adding a file watcher, I think the simplest single mechanism is: when GIT_PASSWORD_FILE / GITHUB_TOKEN_FILE is set, re-read the file and refresh the go-git AuthMethod right before each remote operation (clone/pull/fetch/push). That naturally picks up rotated tokens (including the atomic symlink swap pattern used by K8s Secrets) without any external trigger. If you’re OK with that direction I can update this PR to do that and drop the SIGHUP handler.

Disclosure: drafted with opencode, model openai/gpt-5.2-xhigh.

@oneingan (Contributor, Author) commented

Updated the PR to implement the single-mechanism approach: auth is now resolved right before each remote op (clone/pull/fetch/push), so GIT_PASSWORD_FILE/GITHUB_TOKEN_FILE rotations are picked up automatically (works with K8s Secret atomic symlink swaps). The SIGHUP handler and explicit Reload API/tests were removed accordingly.

@dee-kryvenko (Member) commented

Hmmm reading the file on every request seems inefficient. I don't know if this service will ever experience that much traffic for it to matter, probably not, but it's not much work for AI to make a file watcher - virtually every other kubernetes operator has one. I'm not going to insist but if you're open to add it - please add it.

@oneingan (Contributor, Author) commented

Good call. I pushed an update that caches GIT_PASSWORD_FILE / GITHUB_TOKEN_FILE contents in-memory and only re-reads the file when stat indicates it changed (mtime/size), so we avoid doing a file read on every remote op while keeping the behavior deterministic (no background watcher goroutines required). This should still work with K8s secret atomic symlink swaps since both stat and ReadFile follow the symlink.

If you’d still prefer an fsnotify watcher over the stat-based change detection, happy to adjust.
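The following is an added example, not code from this PR or from terraform-backend-git, sketching in Go the mechanism described in the PR description and in the last comment above: a token file read from GIT_PASSWORD_FILE / GITHUB_TOKEN_FILE, trimmed, cached in memory and re-read only when stat reports a new mtime or size, with credentials resolved immediately before each remote operation. BasicAuth stands in for go-git's http.BasicAuth, the environment is injected through a getenv function so the demo and tests run offline, GIT_PASSWORD_FILE taking precedence over GITHUB_TOKEN_FILE is an assumption, and RotateSecret plus the ghp_... tokens are constructed to reproduce the Kubernetes Secret symlink swap in a temp directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// BasicAuth stands in for go-git's transport/http.BasicAuth (assumed here so the example needs no go-git module).
type BasicAuth struct{ Username, Password string }

// FileToken caches one credential file and re-reads it only when os.Stat reports a new mtime or size.
// Stat and ReadFile both follow symlinks, so the atomic symlink swap of a Kubernetes Secret mount is seen on the next Get.
type FileToken struct {
	mu    sync.Mutex
	path  string
	value string // empty until the first successful read
	mtime time.Time
	size  int64
	Reads int // disk reads so far; inspect only while no Get is in flight
}

// Get returns the trimmed token, touching the disk only if the file changed.
func (t *FileToken) Get() (string, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	info, err := os.Stat(t.path)
	if err != nil {
		return "", fmt.Errorf("stat credential file: %w", err)
	}
	if t.value != "" && info.ModTime().Equal(t.mtime) && info.Size() == t.size {
		return t.value, nil // unchanged: serve from cache
	}
	data, err := os.ReadFile(t.path)
	if err != nil {
		return "", fmt.Errorf("read credential file: %w", err)
	}
	t.Reads++
	v := strings.TrimSpace(string(data))
	if v == "" { // e.g. a rotation that truncated the file before writing it
		return "", fmt.Errorf("credential file %s is empty", t.path)
	}
	t.value, t.mtime, t.size = v, info.ModTime(), info.Size()
	return v, nil
}

// NewAuthResolver returns the function the backend would call right before
// each clone/pull/fetch/push. Variable names follow the PR; GIT_PASSWORD_FILE
// taking precedence over GITHUB_TOKEN_FILE is an assumption of this example.
func NewAuthResolver(getenv func(string) string) func() (*BasicAuth, error) {
	path := getenv("GIT_PASSWORD_FILE")
	if path == "" {
		path = getenv("GITHUB_TOKEN_FILE")
	}
	if path == "" {
		return func() (*BasicAuth, error) { return nil, nil } // anonymous remote
	}
	user, tok := getenv("GIT_USERNAME"), &FileToken{path: path}
	return func() (*BasicAuth, error) {
		v, err := tok.Get()
		if err != nil {
			return nil, err
		}
		return &BasicAuth{Username: user, Password: v}, nil
	}
}

// RotateSecret writes token to dir/version and atomically repoints dir/link at it with rename(2), as the kubelet does for a mounted Secret.
func RotateSecret(dir, link, version, token string) error {
	target := filepath.Join(dir, version)
	if err := os.WriteFile(target, []byte(token+"\n"), 0o600); err != nil {
		return err
	}
	tmp := filepath.Join(dir, link+".tmp")
	if err := os.Symlink(target, tmp); err != nil {
		return err
	}
	return os.Rename(tmp, filepath.Join(dir, link))
}

func main() {
	dir, _ := os.MkdirTemp("", "gitauth") // demo only: error ignored
	defer os.RemoveAll(dir)
	env := map[string]string{"GIT_USERNAME": "deploy", "GITHUB_TOKEN_FILE": filepath.Join(dir, "token")}
	resolve := NewAuthResolver(func(k string) string { return env[k] })
	for i, tok := range []string{"ghp_first_constructed", "ghp_second_constructed_longer"} { // constructed fake tokens
		if err := RotateSecret(dir, "token", fmt.Sprintf("v%d", i+1), tok); err != nil {
			panic(err)
		}
		auth, err := resolve()
		if err != nil {
			panic(err)
		}
		fmt.Printf("remote op %d authenticates as %s with token %s\n", i+1, auth.Username, auth.Password)
	}
}
```

Two caveats worth keeping in mind with the stat-based check. A symlink swap points the path at a new inode, so its mtime is always fresh; an in-place rewrite of the same file, by contrast, goes unnoticed if it keeps the same length and lands within the filesystem's mtime granularity, so a rotation tool that rewrites in place should either write a new file and rename it over the old one or the cache should compare a content hash instead. The empty-file check above exists because a non-atomic rewrite can expose a truncated file between the truncate and the write; returning an error there is preferable to caching an empty password and failing the push with a less obvious 401.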

@dee-kryvenko dee-kryvenko merged commit 487ec58 into plumber-cd:master Feb 28, 2026
8 checks passed