Add support for ssh git credentials

source/Calamari.Tests/ArgoCD/Contracts/ArgoCDCustomPropertiesDtoSerializationTests.cs

@@ -10,8 +10,8 @@ namespace Calamari.Tests.ArgoCD.Contracts;
 /// <summary>
 /// Deserialisation tests for <see cref="ArgoCDCustomPropertiesDto"/> with a focus on
 /// the polymorphic <see cref="IGitCredentialDto"/> array. The converter discriminates on
-/// the <c>Type</c> field emitted by Octopus Server (the concrete type name); a missing
-/// <c>Type</c> defaults to <see cref="GitCredentialDto"/> for backwards compatibility.
+/// the <c>Type</c> field emitted by Octopus Server; a missing <c>Type</c> defaults to
+/// <see cref="GitCredentialDto"/> for backwards compatibility.
 /// </summary>
 [TestFixture]
 public class ArgoCDCustomPropertiesDtoSerializationTests
@@ -27,7 +27,7 @@ static T DeserializeRaw<T>(string json)
         => JsonConvert.DeserializeObject<T>(json, Settings)!;
 
     [Test]
-    public void TypeGitCredentialDto_DeserializesAsHttpsCredential()
+    public void TypeUsernamePassword_DeserializesAsHttpsCredential()
     {
         const string json = """
             {
@@ -52,6 +52,62 @@ public void TypeGitCredentialDto_DeserializesAsHttpsCredential()
         credential.Password.Should().Be("pass");
     }
 
+    [Test]
+    public void TypeSshKey_DeserializesAsSshCredential()
+    {
+        const string json = """
+            {
+              "Gateways": [], "Applications": [],
+              "Credentials": [
+                {
+                  "Type": "SshKey",
+                  "Url": "git@github.com:org/repo.git",
+                  "Username": "git",
+                  "PrivateKey": "-----BEGIN OPENSSH PRIVATE KEY-----"
+                }
+              ]
+            }
+            """;
+
+        var result = DeserializeRaw<ArgoCDCustomPropertiesDto>(json);
+
+        result.Credentials.Should().HaveCount(1);
+        var credential = result.Credentials[0].Should().BeOfType<SshKeyGitCredentialDto>().Subject;
+        credential.Url.Should().Be("git@github.com:org/repo.git");
+        credential.Username.Should().Be("git");
+        credential.PrivateKey.Should().Be("-----BEGIN OPENSSH PRIVATE KEY-----");
+    }
+
+    [Test]
+    public void MixedArray_BothTypesPreserved()
+    {
+        const string json = """
+            {
+              "Gateways": [], "Applications": [],
+              "Credentials": [
+                {
+                  "Type": "UsernamePassword",
+                  "Url": "https://github.com/org/repo.git",
+                  "Username": "user",
+                  "Password": "pass"
+                },
+                {
+                  "Type": "SshKey",
+                  "Url": "git@github.com:org/other.git",
+                  "Username": "git",
+                  "PrivateKey": "-----BEGIN OPENSSH PRIVATE KEY-----"
+                }
+              ]
+            }
+            """;
+
+        var result = DeserializeRaw<ArgoCDCustomPropertiesDto>(json);
+
+        result.Credentials.Should().HaveCount(2);
+        result.Credentials[0].Should().BeOfType<GitCredentialDto>();
+        result.Credentials[1].Should().BeOfType<SshKeyGitCredentialDto>();
+    }
+
     [Test]
     public void MissingType_DefaultsToHttpsCredential()
     {

source/Calamari.Tests/ArgoCD/Git/AuthenticatingRepositoryFactoryTests.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Collections.Generic;
 using System.IO;
 using Calamari.ArgoCD.Git;
 using Calamari.ArgoCD.Git.PullRequests;
@@ -8,6 +7,7 @@
 using Calamari.Testing.Helpers;
 using Calamari.Tests.Fixtures.Integration.FileSystem;
 using FluentAssertions;
+using NSubstitute;
 using NUnit.Framework;
 using Octopus.Calamari.Contracts.ArgoCD;
 
@@ -54,10 +54,7 @@ public void HttpsCredentialIsSelectedWhenUrlMatchesHttpsCredential()
         {
             var httpsUrl = RepositoryHelpers.ToFileUri(OriginPath);
             var factory = new AuthenticatingRepositoryFactory(
-                new Dictionary<string, IGitCredentialDto>
-                {
-                    [httpsUrl] = new GitCredentialDto(httpsUrl, "", "")
-                },
+                [new GitCredentialDto(httpsUrl, "", "")],
                 repositoryFactory,
                 log);
 
@@ -70,7 +67,7 @@ public void AnonymousCloneWhenNoCredentialsMatch()
         {
             var originUrl = RepositoryHelpers.ToFileUri(OriginPath);
             var factory = new AuthenticatingRepositoryFactory(
-                new Dictionary<string, IGitCredentialDto>(),
+                [],
                 repositoryFactory,
                 log);
 
@@ -80,6 +77,37 @@ public void AnonymousCloneWhenNoCredentialsMatch()
         }
     }
 
+    [TestFixture]
+    public class SshUrlTests : AuthenticatingRepositoryFactoryTestBase
+    {
+        [Test]
+        public void SshCredentialBranch_IsSelectedAndDispatchesSshKeyGitConnection()
+        {
+            // Use an ssh:// URL so the new strict validation allows it, and mock the factory
+            // so no real SSH connection is attempted.
+            const string sshUrl = "ssh://git@github.com/org/repo.git";
+            var mockRepoFactory = Substitute.For<IRepositoryFactory>();
+
+            var factory = new AuthenticatingRepositoryFactory(
+                [new SshKeyGitCredentialDto(sshUrl, "git", "private-key", [])],
+                mockRepoFactory,
+                log);
+
+            factory.CloneRepository(sshUrl, branchName.ToFriendlyName());
+
+            mockRepoFactory.Received()
+                           .CloneRepository(
+                               Arg.Any<string>(),
+                               Arg.Is<IGitConnection>(c => c is SshKeyGitConnection));
+        }
+
+        [Test]
+        public void HttpsCredentialTakesPriorityOverSshWhenBothMatchAnSshUrl()
+        {
+            AssertHttpsCredentialTakesPriorityOverSsh("ssh://git@github.com/org/repo.git");
+        }
+    }
+
     [TestFixture]
     public class ScpStyleUrlTests : AuthenticatingRepositoryFactoryTestBase
     {
@@ -91,10 +119,7 @@ public void ScpStyleUrlDoesNotMatchHttpsCredential()
             var httpsUrl = "https://github.com/org/repo.git";
 
             var factory = new AuthenticatingRepositoryFactory(
-                new Dictionary<string, IGitCredentialDto>
-                {
-                    [httpsUrl] = new GitCredentialDto(httpsUrl, "user", "pass")
-                },
+                [new GitCredentialDto(httpsUrl, "user", "pass")],
                 repositoryFactory,
                 log);
 
@@ -104,5 +129,32 @@ public void ScpStyleUrlDoesNotMatchHttpsCredential()
             act.Should().Throw<Exception>(); // clone failure expected
             log.Messages.Should().Contain(m => m.FormattedMessage.Contains("No Git credentials found"));
         }
+
+        [Test]
+        public void HttpsCredentialTakesPriorityOverSshWhenBothMatchAnScpUrl()
+        {
+            AssertHttpsCredentialTakesPriorityOverSsh("git@github.com:org/repo.git");
+        }
+    }
+
+    protected void AssertHttpsCredentialTakesPriorityOverSsh(string url)
+    {
+        var mockRepoFactory = Substitute.For<IRepositoryFactory>();
+
+        // If there are HTTPS and SSH credentials for the same URL, HTTPS wins so API functionality works.
+        IGitCredentialDto[] rawCredentials =
+        [
+            new GitCredentialDto(url, "https-user", "https-pass"),
+            new SshKeyGitCredentialDto(url, "ssh-user", "private-key", [])
+        ];
+
+        var factory = new AuthenticatingRepositoryFactory(rawCredentials, mockRepoFactory, log);
+
+        factory.CloneRepository(url, "main");
+
+        mockRepoFactory.Received()
+                       .CloneRepository(
+                           Arg.Any<string>(),
+                           Arg.Is<IGitConnection>(c => c is HttpsGitConnection));
     }
-}
+}

source/Calamari.Tests/ArgoCD/Git/PullRequests/GitVendorApiAdapter_PullRequestTests.cs

@@ -104,6 +104,7 @@ async Task TestPullRequest(string repositoryUrl, string defaultBranch, string cl
             using var temporaryFolder = TemporaryDirectory.Create();
 
             CredentialsHandler credentialsHandler = (url, usernameFromUrl, types) => new UsernamePasswordCredentials { Username = cloneUsername, Password = clonePassword};
+            LibGit2SharpTransportRegistration.EnsureRegistered();
             var repositoryPath =  Repository.Clone(repositoryUrl, temporaryFolder.DirectoryPath, new CloneOptions()
             {
                 FetchOptions =

source/Calamari.Tests/ArgoCD/Git/RepositoryFactoryTests.cs

@@ -5,6 +5,7 @@
 using Calamari.ArgoCD.Git.PullRequests;
 using Calamari.Common.Commands;
 using Calamari.Common.Plumbing.FileSystem;
+using Calamari.Common.Plumbing.Logging;
 using Calamari.Integration.Time;
 using Calamari.Testing.Helpers;
 using Calamari.Tests.Fixtures.Integration.FileSystem;
@@ -94,6 +95,31 @@ public void CanCloneAnExistingRepositoryAtHEADAndAssociatedFiles()
             fileContent.Should().Be(originalContent);
         }
 
+        [Test]
+        public void CloningSshKeyGitConnectionDoesNotResolveAPullRequestClientAndLogsVerboseMessage()
+        {
+            var filename = "sshTest.txt";
+            var content = "ssh test content";
+            CreateCommitOnOrigin(branchName, filename, content);
+
+            var mockResolver = Substitute.For<IGitVendorPullRequestClientResolver>();
+            var factoryWithMockedResolver = new RepositoryFactory(log, fileSystem, tempDirectory, mockResolver, new SystemClock());
+
+            var sshConnection = new SshKeyGitConnection(
+                Username: "git",
+                PrivateKey: "private-key",
+                Url: OriginPath,
+                GitReference: branchName);
+
+            // libgit2 skips credential callbacks for local file paths, so this test validates only pull-request-client resolution and verbose logging — not SSH credential validity.
+            factoryWithMockedResolver.CloneRepository("Clone_WithSshConnection", sshConnection);
+
+            mockResolver.DidNotReceive().TryResolve(Arg.Any<IHttpsGitConnection>(), Arg.Any<ILog>(), Arg.Any<System.Threading.CancellationToken>());
+
+            log.MessagesVerboseFormatted
+               .Should().Contain(s => s.Contains("SSH authentication") && s.Contains("PR creation will not be available"));
+        }
+
         void CreateCommitOnOrigin(GitBranchName branchName, string fileName, string content)
         {
             var message = $"Commit: Message";

source/Calamari.Tests/ArgoCD/Git/RepositoryHelpers.cs

@@ -10,6 +10,8 @@ public static class RepositoryHelpers
     {
         public static Repository CreateBareRepository(string repositoryPath)
         {
+            LibGit2SharpTransportRegistration.EnsureRegistered();
+
             Directory.CreateDirectory(repositoryPath);
             Repository.Init(repositoryPath, isBare: true);
             return new Repository(repositoryPath);
@@ -19,6 +21,8 @@ public static Repository CreateBareRepository(string repositoryPath)
 
         public static void CreateBranchIn(GitBranchName branchName, string originPath)
         {
+            LibGit2SharpTransportRegistration.EnsureRegistered();
+
             var signature = new Signature("Your Name", "your.email@example.com", DateTimeOffset.Now);
 
             var repository = new Repository(originPath);
@@ -47,6 +51,8 @@ public static void CreateBranchIn(GitBranchName branchName, string originPath)
 
         public static string CloneOrigin(string tempDirectory, string originPath, GitBranchName branchName)
         {
+            LibGit2SharpTransportRegistration.EnsureRegistered();
+
             var subPath = Guid.NewGuid().ToString();
             var resultPath = Path.Combine(tempDirectory, subPath);
             Repository.Clone(originPath, resultPath);

source/Calamari/ArgoCD/Conventions/UpdateArgoCDAppImagesInstallConvention.cs

@@ -62,11 +62,7 @@ public void Install(RunningDeployment deployment)
 
             var argoProperties = customPropertiesLoader.Load<ArgoCDCustomPropertiesDto>();
 
-            // Takes the first git credential per URL, with a preference for username/password credentials (they are more broadly useful)
-            var gitCredentials = argoProperties.Credentials
-                                               .GroupBy(c => c.Url)
-                                               .ToDictionary(g => g.Key, g => g.OfType<GitCredentialDto>().FirstOrDefault<IGitCredentialDto>() ?? g.First());
-            var authenticatingRepositoryFactory = new AuthenticatingRepositoryFactory(gitCredentials, repositoryFactory, log);
+            var authenticatingRepositoryFactory = new AuthenticatingRepositoryFactory(argoProperties.Credentials, repositoryFactory, log);
             var deploymentScope = deployment.Variables.GetDeploymentScope();
 
             log.LogApplicationCounts(deploymentScope, argoProperties.Applications);

source/Calamari/ArgoCD/Conventions/UpdateArgoCDApplicationManifestsInstallConvention.cs

@@ -69,11 +69,7 @@ public void Install(RunningDeployment deployment)
 
             var argoProperties = customPropertiesLoader.Load<ArgoCDCustomPropertiesDto>();
 
-            // Takes the first git credential per URL, with a preference for username/password credentials (they are more broadly useful)
-            var gitCredentials = argoProperties.Credentials
-                                               .GroupBy(c => c.Url)
-                                               .ToDictionary(g => g.Key, g => g.OfType<GitCredentialDto>().FirstOrDefault<IGitCredentialDto>() ?? g.First());
-            var authenticatingRepositoryFactory = new AuthenticatingRepositoryFactory(gitCredentials, repositoryFactory, log);
+            var authenticatingRepositoryFactory = new AuthenticatingRepositoryFactory(argoProperties.Credentials, repositoryFactory, log);
             var deploymentScope = deployment.Variables.GetDeploymentScope();
 
             log.LogApplicationCounts(deploymentScope, argoProperties.Applications);

source/Calamari/ArgoCD/Git/AuthenticatingRepositoryFactory.cs

@@ -1,4 +1,6 @@
+using System;
 using System.Collections.Generic;
+using System.Linq;
 using Calamari.Common.Plumbing.Logging;
 using Octopus.Calamari.Contracts.ArgoCD;
 
@@ -11,25 +13,50 @@ public class AuthenticatingRepositoryFactory
     readonly ILog log;
 
     public AuthenticatingRepositoryFactory(
-        Dictionary<string, IGitCredentialDto> gitCredentials,
+        IReadOnlyCollection<IGitCredentialDto> gitCredentials,
         IRepositoryFactory repositoryFactory,
         ILog log)
     {
-        this.gitCredentials = gitCredentials;
+        // Takes the first git credential per URL, with a preference for username/password credentials (they are more broadly useful as they can be used for PR creation)
+        this.gitCredentials = gitCredentials
+                              .GroupBy(c => c.Url)
+                              .ToDictionary(g => g.Key, g => g.OfType<GitCredentialDto>().FirstOrDefault<IGitCredentialDto>() ?? g.First());
+
         this.repositoryFactory = repositoryFactory;
         this.log = log;
     }
 
     public RepositoryWrapper CloneRepository(string requestedUrl, string targetRevision)
     {
         var gitCredential = gitCredentials.GetValueOrDefault(requestedUrl);
-        if (gitCredential is GitCredentialDto passwordCredential)
+        switch (gitCredential)
         {
-            var gitConnection = new HttpsGitConnection(passwordCredential.Username, passwordCredential.Password, GitCloneSafeUrl.ConvertToUriString(requestedUrl), GitReference.CreateFromString(targetRevision));
-            return repositoryFactory.CloneRepository(UniqueRepoNameGenerator.Generate(), gitConnection);
+            case GitCredentialDto passwordCredential:
+            {
+                var gitConnection = new HttpsGitConnection(passwordCredential.Username, passwordCredential.Password, GitCloneSafeUrl.ConvertToUriString(requestedUrl), GitReference.CreateFromString(targetRevision));
+                return repositoryFactory.CloneRepository(UniqueRepoNameGenerator.Generate(), gitConnection);
+            }
+            case SshKeyGitCredentialDto sshCredential:
+            {
+                var sshConnection = new SshKeyGitConnection(
+                    sshCredential.Username,
+                    sshCredential.PrivateKey,
+                    requestedUrl,
+                    GitReference.CreateFromString(targetRevision));
+                return repositoryFactory.CloneRepository(UniqueRepoNameGenerator.Generate(), sshConnection);
+            }
+            case null:
+            {
+                log.Info($"No Git credentials found for: '{requestedUrl}', will attempt to clone repository anonymously.");
+                break;
+            }
+            default:
+            {
+                log.Warn($"An unrecognised credential type '{gitCredential.GetType().Name}' was found for '{requestedUrl}'. Ignoring the credentials and attempting an anonymous clone.");
+                break;
+            }
         }
 
-        log.Info($"No Git credentials found for: '{requestedUrl}', will attempt to clone repository anonymously.");
         var anonGitConnection = new HttpsGitConnection(null, null, GitCloneSafeUrl.ConvertToUriString(requestedUrl), GitReference.CreateFromString(targetRevision));
         return repositoryFactory.CloneRepository(UniqueRepoNameGenerator.Generate(), anonGitConnection);
     }

source/Calamari/ArgoCD/Git/GitConnection.cs

@@ -56,4 +56,11 @@ static Uri ParseAsHttpsUri(string repositoryUrl)
             return uri;
         }
     }
+
+    public record SshKeyGitConnection(
+        string? Username,
+        string PrivateKey,
+        string Url,
+        GitReference GitReference)
+        : IGitConnection;
 }

source/Calamari/ArgoCD/Git/IGitCredentialDtoJsonConverter.cs

@@ -32,6 +32,7 @@ public override IGitCredentialDto ReadJson(
         return type switch
         {
             null or GitCredentialDto.DiscriminatorValue => obj.ToObject<GitCredentialDto>(ConcreteSerializer)!,
+            SshKeyGitCredentialDto.DiscriminatorValue => obj.ToObject<SshKeyGitCredentialDto>(ConcreteSerializer)!,
             _ => throw new JsonSerializationException($"Unrecognised credential Type '{type}'.")
         };
     }