Description

Recently, when workspaces were upgraded to Debian 13 (Trixie) with Git 2.47.2, Git authentication to GitLab failed in new workspaces. The root cause appears to be related to the credential.interactive=never setting. On Debian 12 (Bookworm) with Git 2.39.5, this issue does not occur—the Coder binary is invoked properly for the askpass prompt.

• There’s no existing reported issue covering this scenario.

Details / Investigation

Environment (Debian 13)

• OS: Debian GNU/Linux 13 (Trixie)
• Git: git version 2.47.2
• Coder binary: v2.25.1+3bf6a00 (Thu Aug 7 16:06:14 UTC 2025)
• Env var settings relevant to Git:

  GIT_ASKPASS=/tmp/coder…/coder
  GIT_SSH_COMMAND=/tmp/coder…/coder gitssh --
  credential.interactive=never
  

• Running git fetch fails:

  fatal: unable to get password from user
  

Environment (Debian 12)

• OS: Debian GNU/Linux 12 (Bookworm)
• Git: git version 2.39.5
• Same Coder version and env var settings
• git fetch works successfully.

Key Observation

Unsetting credential.interactive=never resolves the issue on Debian 13:

git config --unset credential.interactive
git fetch  # works on Debian 13 after removal

strace Evidence

For the failed Debian 13 case, strace -f -e execve git fetch logs show:

execve("/usr/bin/git", ["git", "fetch"], ...)
execve("/usr/lib/git-core/git-remote-https", ...)
exited with status 128

—indicating Git does not invoke the Coder askpass binary.

Question / Pivot Point

Why does credential.interactive=never block askpass invocation under Debian 13, but not Debian 12? Who is setting this configuration—Coder, the workspace, or the environment—and can Coder detect this change and work around it?

Steps to Reproduce

1. Launch a new workspace with Debian 13 (Trixie).
2. Ensure Coder is v2.25.1 or later.
3. Confirm GIT_ASKPASS and GIT_SSH_COMMAND are set to the Coder binary, and credential.interactive=never is present in Git config.
4. Run git fetch using an HTTPS GitLab remote—observe failure:

   fatal: unable to get password from user
   

5. Run:

   git config --unset credential.interactive
   git fetch

   —observe Git now successfully prompts via the Coder askpass.

Expected Behavior

Git authentication should use the Coder askpass binary regardless of the credential.interactive setting—especially in environments using Debian 13 or newer.

Context & Impact

• Root cause likely stems from upstream changes in Git or Debian altering how Git responds to credential.interactive=never.
• Relevant because Debian 13 is expected to be backported to other distros (e.g., Ubuntu), so more users could be affected as well as Fedora-base pickup of more recent Git versions.
• Ideally, Coder should detect when askpass is being overridden or blocked and either automatically unset credential.interactive=never, or otherwise ensure it can still intercept credential prompts as expected.

Request / Proposal

• Investigate whether Coder can safely override or unset credential.interactive=never when initializing a workspace on affected OS/Git versions.
• If unsafe to override globally, perhaps detect failing credential paths and log a precise troubleshooting message with recommendation to unset this setting.
• Alternatively, document the behavior clearly and provide guidance/workarounds until a long-term upstream fix is identified.