mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

build: use quick tunnels for ssh debugging (#48073)

Browse source 
* build: use dynamic local tunnels for ssh debugging

Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>

* weeee

Co-authored-by: Samuel Attard <samuel.r.attard@gmail.com>

* that'll do

Co-authored-by: Samuel Attard <samuel.r.attard@gmail.com>

* chore: pretty output

Co-authored-by: Samuel Attard <samuel.r.attard@gmail.com>

* build: allow ssh input

Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>

---------

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Co-authored-by: Samuel Attard <samuel.r.attard@gmail.com>
This commit is contained in:
trop[bot] 2025-08-14 16:48:00 +02:00 committed by GitHub
commit 2c6107b2b3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 167 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/actions/ssh-debug/action.yml vendored
View file

@ -6,10 +6,10 @@ inputs:
required: true required: true
default: 'false' default: 'false'
timeout: timeout:
description: 'SSH session timeout in minutes' description: 'SSH session timeout in seconds'
required: false required: false
type: number type: number
default: 60 default: 3600
runs: runs:
using: composite using: composite
steps: steps:

130
.github/actions/ssh-debug/setup-ssh.sh vendored
View file

@ -1,44 +1,20 @@
#!/bin/bash -e #!/bin/bash -e
get_authorized_keys() { if [ "${TUNNEL}" != "true" ]; then
if [ -z "$AUTHORIZED_USERS" ] || ! echo "$AUTHORIZED_USERS" | grep -q "\b$GITHUB_ACTOR\b"; then
return 1
fi
api_response=$(curl -s "https://api.github.com/users/$GITHUB_ACTOR/keys")
if echo "$api_response" | jq -e 'type == "object" and has("message")' >/dev/null; then
error_msg=$(echo "$api_response" | jq -r '.message')
echo "Error: $error_msg"
return 1
else
echo "$api_response" | jq -r '.[].key'
fi
}
authorized_keys=$(get_authorized_keys "$GITHUB_ACTOR")
if [ -n "$authorized_keys" ]; then
echo "Configured SSH key(s) for user: $GITHUB_ACTOR"
else
echo "Error: User '$GITHUB_ACTOR' is not authorized to access this debug session."
echo "Authorized users: $AUTHORIZED_USERS"
exit 1
fi
if [ "$TUNNEL" != "true" ]; then
echo "SSH tunneling is disabled. Set enable-tunnel: true to enable remote access." echo "SSH tunneling is disabled. Set enable-tunnel: true to enable remote access."
echo "Local SSH server would be available on localhost:2222 if this were a local environment." echo "Local SSH server would be available on localhost:2222 if this were a local environment."
exit 0 exit 0
fi fi
echo ::group::Configuring Tunnel
echo "SSH tunneling enabled. Setting up remote access..." echo "SSH tunneling enabled. Setting up remote access..."
EXTERNAL_DEPS="curl jq ssh-keygen" EXTERNAL_DEPS="curl jq ssh-keygen"
for dep in $EXTERNAL_DEPS; do for dep in $EXTERNAL_DEPS; do
if ! command -v "$dep" > /dev/null 2>&1; then if ! command -v "${dep}" > /dev/null 2>&1; then
echo "Command $dep not installed on the system!" >&2 echo "Command ${dep} not installed on the system!" >&2
exit 1 exit 1
fi fi
done done
@ -48,22 +24,21 @@ cd "$GITHUB_ACTION_PATH"
bashrc_path=$(pwd)/bashrc bashrc_path=$(pwd)/bashrc
# Source `bashrc` to auto start tmux on SSH login. # Source `bashrc` to auto start tmux on SSH login.
if ! grep -q "$bashrc_path" ~/.bash_profile; then if ! grep -q "${bashrc_path}" ~/.bash_profile; then
echo >> ~/.bash_profile # On macOS runner there's no newline at the end of the file echo >> ~/.bash_profile # On macOS runner there's no newline at the end of the file
echo "source \"$bashrc_path\"" >> ~/.bash_profile echo "source \"${bashrc_path}\"" >> ~/.bash_profile
fi fi
OS=$(uname -s | tr '[:upper:]' '[:lower:]') OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m) ARCH=$(uname -m)
if [ "$ARCH" = "x86_64" ]; then if [ "${ARCH}" = "x86_64" ]; then
ARCH="amd64" ARCH="amd64"
elif [ "$ARCH" = "aarch64" ]; then elif [ "${ARCH}" = "aarch64" ]; then
ARCH="arm64" ARCH="arm64"
fi fi
# Install tmux on macOS runners if not present. if [ "${OS}" = "darwin" ] && ! command -v tmux > /dev/null 2>&1; then
if [ "$OS" = "darwin" ] && ! command -v tmux > /dev/null 2>&1; then
echo "Installing tmux..." echo "Installing tmux..."
brew install tmux brew install tmux
fi fi
@ -71,47 +46,80 @@ fi
if [ "$OS" = "darwin" ]; then if [ "$OS" = "darwin" ]; then
cloudflared_url="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-${OS}-${ARCH}.tgz" cloudflared_url="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-${OS}-${ARCH}.tgz"
echo "Downloading \`cloudflared\` from <$cloudflared_url>..." echo "Downloading \`cloudflared\` from <$cloudflared_url>..."
curl --location --silent --output cloudflared.tgz "$cloudflared_url" curl --location --silent --output cloudflared.tgz "${cloudflared_url}"
tar xf cloudflared.tgz tar xf cloudflared.tgz
rm cloudflared.tgz rm cloudflared.tgz
else
cloudflared_url="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-${OS}-${ARCH}"
echo "Downloading \`cloudflared\` from <$cloudflared_url>..."
curl --location --silent --output cloudflared "$cloudflared_url"
fi fi
chmod +x cloudflared chmod +x cloudflared
echo "Setting up SSH key for authorized user: $GITHUB_ACTOR"
echo "$authorized_keys" > authorized_keys
echo 'Creating SSH server key...' echo 'Creating SSH server key...'
ssh-keygen -q -f ssh_host_rsa_key -N '' ssh-keygen -q -f ssh_host_rsa_key -N ''
echo 'Creating SSH server config...' echo 'Creating SSH server config...'
sed "s,\$PWD,$PWD,;s,\$USER,$USER," sshd_config.template > sshd_config sed "s,\$PWD,${PWD},;s,\$USER,${USER}," sshd_config.template > sshd_config
echo 'Starting SSH server...' echo 'Starting SSH server...'
/usr/sbin/sshd -f sshd_config -D & sudo /usr/sbin/sshd -f sshd_config -D &
sshd_pid=$! sshd_pid=$!
echo 'Starting tmux session...' echo "SSH server started successfully (PID: ${sshd_pid})"
(cd "$GITHUB_WORKSPACE" && tmux new-session -d -s debug)
#if no cloudflare tunnel token is provided, exit echo 'Starting tmux session...'
if [ -z "$CLOUDFLARE_TUNNEL_TOKEN" ]; then (cd "${GITHUB_WORKSPACE}" && tmux new-session -d -s debug)
echo "Error: required CLOUDFLARE_TUNNEL_TOKEN not found"
mkdir ~/.cloudflared
CLEAN_TUNNEL_CERT=$(printf '%s\n' "${CLOUDFLARE_TUNNEL_CERT}" | tr -d '\r' | sed '/^[[:space:]]*$/d')
echo "${CLEAN_TUNNEL_CERT}" > ~/.cloudflared/cert.pem
CLEAN_USER_CA_CERT=$(printf '%s\n' "${CLOUDFLARE_USER_CA_CERT}" | tr -d '\r' | sed '/^[[:space:]]*$/d')
echo "${CLEAN_USER_CA_CERT}" | sudo tee /etc/ssh/ca.pub > /dev/null
sudo chmod 644 /etc/ssh/ca.pub
random_suffix=$(openssl rand -hex 5 | cut -c1-10)
tunnel_name="${GITHUB_SHA}-${GITHUB_RUN_ID}-${random_suffix}"
tunnel_url="${tunnel_name}.${CLOUDFLARE_TUNNEL_HOSTNAME}"
if ./cloudflared tunnel list | grep -q "${tunnel_name}"; then
echo "Deleting existing tunnel: ${tunnel_name}"
./cloudflared tunnel delete ${tunnel_name}
fi
echo "Creating new cloudflare tunnel: ${tunnel_name}"
./cloudflared tunnel create ${tunnel_name}
credentials_file=$(find ~/.cloudflared -name "*.json" | head -n 1)
if [ -z "${credentials_file}" ]; then
echo "Error: Could not find tunnel credentials file"
exit 1 exit 1
fi fi
echo 'Starting Cloudflare tunnel...' echo "Found credentials file: ${credentials_file}"
./cloudflared tunnel --no-autoupdate run --token "$CLOUDFLARE_TUNNEL_TOKEN" 2>&1 | tee cloudflared.log | sed -u 's/^/cloudflared: /' & echo 'Creating tunnel configuration...'
cat > tunnel_config.yml << EOF
tunnel: ${tunnel_name}
credentials-file: ${credentials_file}
ingress:
- hostname: ${tunnel_url}
service: ssh://localhost:2222
- service: http_status:404
EOF
echo 'Setting up DNS routing for tunnel...'
./cloudflared tunnel route dns ${tunnel_name} ${tunnel_url}
echo 'Running cloudflare tunnel...'
./cloudflared tunnel --no-autoupdate --config tunnel_config.yml run 2>&1 | tee cloudflared.log | sed -u 's/^/cloudflared: /' &
cloudflared_pid=$! cloudflared_pid=$!
url="$TUNNEL_HOSTNAME" echo ::endgroup::
echo ::notice title=SSH Debug Session Ready::ssh ${tunnel_url}
public_key=$(cut -d' ' -f1,2 < ssh_host_rsa_key.pub)
( (
echo ' ' echo ' '
@ -119,22 +127,20 @@ public_key=$(cut -d' ' -f1,2 < ssh_host_rsa_key.pub)
echo '🔗 SSH Debug Session Ready!' echo '🔗 SSH Debug Session Ready!'
echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━' echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
echo ' ' echo ' '
echo '📋 Copy and run this command to connect:' echo '📋 Infra WG can copy and run this command to connect:'
echo ' ' echo ' '
if [ -n "$TUNNEL_HOSTNAME" ]; then echo "ssh ${tunnel_url}"
echo "ssh-keygen -R action-ssh-debug && echo 'action-ssh-debug $public_key' >> ~/.ssh/known_hosts && ssh -o ProxyCommand='cloudflared access tcp --hostname $url' runner@action-ssh-debug"
else
echo "ssh-keygen -R action-ssh-debug && echo 'action-ssh-debug $public_key' >> ~/.ssh/known_hosts && ssh -o ProxyCommand='cloudflared access tcp --hostname $url' runner@action-ssh-debug"
fi
echo ' ' echo ' '
echo "⏰ Session expires automatically in $TIMEOUT minutes" echo "⏰ Session expires automatically in ${TIMEOUT} seconds"
echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━' echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
echo ' ' echo ' '
echo ' ' echo ' '
) | cat ) | cat
echo ::group::Starting Background Session
echo 'Starting SSH session in background...' echo 'Starting SSH session in background...'
./ssh-session.sh "$sshd_pid" "$cloudflared_pid" $TIMEOUT & ./ssh-session.sh "${sshd_pid}" "${cloudflared_pid}" "${TIMEOUT}" "${tunnel_name}" &
echo 'SSH session is running in background. GitHub Action will continue.' echo 'SSH session is running in background. GitHub Action will continue.'
echo 'Session will auto-cleanup after timeout or when processes end.' echo 'Session will auto-cleanup after timeout or when processes end.'
echo ::endgroup::

51
.github/actions/ssh-debug/ssh-session.sh vendored
View file

@ -2,20 +2,51 @@
SSHD_PID=$1 SSHD_PID=$1
CLOUDFLARED_PID=$2 CLOUDFLARED_PID=$2
SESSION_TIMEOUT=${3:-3600} SESSION_TIMEOUT=${3:-10000}
TUNNEL_NAME=$4
cleanup() {
# Kill processes.
for pid in "$SLEEP_PID" "$SSHD_PID" "$CLOUDFLARED_PID"; do
if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
kill "$pid" 2>/dev/null || true
fi
done
# Clean up tunnel.
if [ -n "$TUNNEL_NAME" ]; then
cd "$GITHUB_ACTION_PATH"
./cloudflared tunnel delete "$TUNNEL_NAME" 2>/dev/null || {
echo "Failed to delete tunnel"
}
fi
echo "Session ended at $(date)"
exit 0
}
# Trap signals to ensure cleanup.
trap cleanup SIGTERM SIGINT SIGQUIT SIGHUP EXIT
# Wait for timeout or until processes die. # Wait for timeout or until processes die.
sleep "$SESSION_TIMEOUT" & sleep "$SESSION_TIMEOUT" &
SLEEP_PID=$! SLEEP_PID=$!
# Monitor if SSH or cloudflared dies early. # Monitor processes
while kill -0 "$SSHD_PID" 2>/dev/null && kill -0 "$CLOUDFLARED_PID" 2>/dev/null && kill -0 "$SLEEP_PID" 2>/dev/null; do while kill -0 "$SLEEP_PID" 2>/dev/null; do
sleep 10 # Check SSH daemon.
if ! kill -0 "$SSHD_PID" 2>/dev/null; then
echo "SSH daemon died at $(date)"
break
fi
# Check cloudflared,
if ! kill -0 "$CLOUDFLARED_PID" 2>/dev/null; then
echo "Cloudflared died at $(date)"
break
fi
sleep 10
done done
# Cleanup. cleanup
kill "$SLEEP_PID" 2>/dev/null || true
kill "$SSHD_PID" 2>/dev/null || true
kill "$CLOUDFLARED_PID" 2>/dev/null || true
echo "SSH session ended"

24
.github/actions/ssh-debug/sshd_config.template vendored
View file

@ -2,8 +2,24 @@ Port 2222
HostKey $PWD/ssh_host_rsa_key HostKey $PWD/ssh_host_rsa_key
PidFile $PWD/sshd.pid PidFile $PWD/sshd.pid
# Only allow single user # Connection settings
AllowUsers $USER ClientAliveInterval 30
ClientAliveCountMax 10
MaxStartups 10
LoginGraceTime 120
# Only allow those keys # Allow TCP forwarding for tunneling
AuthorizedKeysFile $PWD/authorized_keys AllowTcpForwarding yes
# Try to prevent timeouts
TCPKeepAlive yes
# Security
TrustedUserCAKeys /etc/ssh/ca.pub
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
AuthorizedPrincipalsCommandUser nobody
PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com

7
.github/workflows/build.yml vendored
View file

@ -28,6 +28,11 @@ on:
description: 'Skip lint check' description: 'Skip lint check'
default: false default: false
required: false required: false
enable-ssh:
description: 'Enable SSH debugging'
required: false
type: boolean
default: false
push: push:
branches: branches:
- main - main
@ -224,6 +229,7 @@ jobs:
gn-build-type: testing gn-build-type: testing
generate-symbols: false generate-symbols: false
upload-to-storage: '0' upload-to-storage: '0'
enable-ssh: ${{ inputs.enable-ssh || false }}
secrets: inherit secrets: inherit
macos-arm64: macos-arm64:
@ -242,6 +248,7 @@ jobs:
gn-build-type: testing gn-build-type: testing
generate-symbols: false generate-symbols: false
upload-to-storage: '0' upload-to-storage: '0'
enable-ssh: ${{ inputs.enable-ssh || false }}
secrets: inherit secrets: inherit
linux-x64: linux-x64:

11
.github/workflows/pipeline-electron-build-and-test.yml vendored
View file

@ -54,6 +54,11 @@ on:
required: false required: false
type: boolean type: boolean
default: false default: false
enable-ssh:
description: 'Enable SSH debugging'
required: false
type: boolean
default: false
concurrency: concurrency:
group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }} group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
@ -76,7 +81,8 @@ jobs:
gn-build-type: ${{ inputs.gn-build-type }} gn-build-type: ${{ inputs.gn-build-type }}
generate-symbols: ${{ inputs.generate-symbols }} generate-symbols: ${{ inputs.generate-symbols }}
upload-to-storage: ${{ inputs.upload-to-storage }} upload-to-storage: ${{ inputs.upload-to-storage }}
is-asan: ${{ inputs.is-asan}} is-asan: ${{ inputs.is-asan }}
enable-ssh: ${{ inputs.enable-ssh }}
secrets: inherit secrets: inherit
test: test:
uses: ./.github/workflows/pipeline-segment-electron-test.yml uses: ./.github/workflows/pipeline-segment-electron-test.yml
@ -86,5 +92,6 @@ jobs:
target-platform: ${{ inputs.target-platform }} target-platform: ${{ inputs.target-platform }}
test-runs-on: ${{ inputs.test-runs-on }} test-runs-on: ${{ inputs.test-runs-on }}
test-container: ${{ inputs.test-container }} test-container: ${{ inputs.test-container }}
is-asan: ${{ inputs.is-asan}} is-asan: ${{ inputs.is-asan }}
enable-ssh: ${{ inputs.enable-ssh }}
secrets: inherit secrets: inherit

14
.github/workflows/pipeline-segment-electron-build.yml vendored
View file

@ -58,7 +58,11 @@ on:
required: false required: false
type: boolean type: boolean
default: false default: false
enable-ssh:
description: 'Enable SSH debugging'
required: false
type: boolean
default: false
concurrency: concurrency:
group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }} group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
@ -96,14 +100,16 @@ jobs:
fetch-depth: 0 fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
- name: Setup SSH Debugging - name: Setup SSH Debugging
if: ${{ inputs.target-platform == 'macos' && env.ACTIONS_STEP_DEBUG == 'true' }} if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
uses: ./src/electron/.github/actions/ssh-debug uses: ./src/electron/.github/actions/ssh-debug
with: with:
tunnel: 'true' tunnel: 'true'
env: env:
CLOUDFLARE_TUNNEL_TOKEN: ${{ secrets.CLOUDFLARE_TUNNEL_TOKEN }} CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
TUNNEL_HOSTNAME: ${{ secrets.CLOUDFLARED_SSH_HOSTNAME }} CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }} AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Free up space (macOS) - name: Free up space (macOS)
if: ${{ inputs.target-platform == 'macos' }} if: ${{ inputs.target-platform == 'macos' }}
uses: ./src/electron/.github/actions/free-space-macos uses: ./src/electron/.github/actions/free-space-macos

13
.github/workflows/pipeline-segment-electron-test.yml vendored
View file

@ -25,6 +25,11 @@ on:
required: false required: false
type: boolean type: boolean
default: false default: false
enable-ssh:
description: 'Enable SSH debugging'
required: false
type: boolean
default: false
concurrency: concurrency:
group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }} group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
@ -128,14 +133,16 @@ jobs:
fetch-depth: 0 fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
- name: Setup SSH Debugging - name: Setup SSH Debugging
if: ${{ inputs.target-platform == 'macos' && env.ACTIONS_STEP_DEBUG == 'true' }} if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
uses: ./src/electron/.github/actions/ssh-debug uses: ./src/electron/.github/actions/ssh-debug
with: with:
tunnel: 'true' tunnel: 'true'
env: env:
CLOUDFLARE_TUNNEL_TOKEN: ${{ secrets.CLOUDFLARE_TUNNEL_TOKEN }} CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
TUNNEL_HOSTNAME: ${{ secrets.CLOUDFLARED_SSH_HOSTNAME }} CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }} AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Dependencies - name: Install Dependencies
uses: ./src/electron/.github/actions/install-dependencies uses: ./src/electron/.github/actions/install-dependencies
- name: Set Chromium Git Cookie - name: Set Chromium Git Cookie