FAILED: Rebase shears/main (#26088886419)

.github/workflows/main.yml

@@ -420,7 +420,9 @@ jobs:
       CI_JOB_IMAGE: ${{matrix.vector.image}}
       CUSTOM_PATH: /custom
     runs-on: ubuntu-latest
-    container: ${{matrix.vector.image}}
+    container:
+      image: ${{ matrix.vector.image }}
+      options: ${{ github.repository_visibility == 'private' && '--pids-limit 16384 --ulimit nproc=16384:16384 --ulimit nofile=32768:32768' || '' }}
     steps:
     - name: prepare libc6 for actions
       if: matrix.vector.jobname == 'linux32'

compat/mingw.c

@@ -351,6 +351,29 @@ process_phantom_symlink(const wchar_t *wtarget, const wchar_t *wlink)
 	wchar_t relative[MAX_PATH];
 	const wchar_t *rel;
 
+	/*
+	 * Do not follow symlinks to network shares, to avoid NTLM credential
+	 * leak from crafted repositories (e.g. \\attacker-server\share).
+	 * Since paths come in all kind of enterprising shapes and forms (in
+	 * addition to the canonical `\\host\share` form, there's also
+	 * `\??\UNC\host\share`, `\GLOBAL??\UNC\host\share` and also
+	 * `\Device\Mup\host\share`, just to name a few), we simply avoid
+	 * following every symlink target that starts with a slash.
+	 *
+	 * This also catches drive-less absolute paths, of course. These are
+	 * uncommon in practice (and also fragile because they are relative to
+	 * the current working directory's drive). The only "harm" this does
+	 * is that it now requires users to specify via the Git attributes if
+	 * they have such an uncommon symbolic link and need it to be a
+	 * directory type link.
+	 */
+	if (is_wdir_sep(wtarget[0])) {
+		warning("created file symlink '%ls' pointing to '%ls';\n"
+			"set the `symlink` gitattribute to `dir` if a "
+			"directory symlink is required", wlink, wtarget);
+		return PHANTOM_SYMLINK_DONE;
+	}
+
 	/* check that wlink is still a file symlink */
 	if ((GetFileAttributesW(wlink)
 			& (FILE_ATTRIBUTE_REPARSE_POINT | FILE_ATTRIBUTE_DIRECTORY))

conflict-report.md

@@ -0,0 +1,70 @@
+## Rebase Summary: main
+
+**From**: [a99c60ceeb](https://github.com/git-for-windows/git/commit/a99c60ceeb5a05a8102c0c442203cd9dd92c91e2) (build: tolerate use of _Generic from glibc 2.43 with Clang (#6233), 2026-05-08) ([c2ed2cc6f6..a99c60ceeb](https://github.com/git-for-windows/git/compare/c2ed2cc6f6dd67ef6f0d056cedd566613582a77e...a99c60ceeb5a05a8102c0c442203cd9dd92c91e2))
+
+#### FAILED: 1558b5f4ca (t5563: verify that NTLM authentication works, 2025-11-26)
+
+Unexpected AI decision: ''. Full output:
+
+```
+● Check if patch is upstreamed (shell)
+  │ cd "/home/runner/work/git-for-windows-automation/git-for-windows-automation/
+  │ git/rebase-worktree-main" && git range-diff REBASE_HEAD^! REBASE_HEAD.. 2>&1
+  │ | head -50
+  └ 29 lines...
+
+● See patch summary (shell)
+  │ cd "/home/runner/work/git-for-windows-automation/git-for-windows-automation/
+  │ git/rebase-worktree-main" && git show --stat REBASE_HEAD | head -20
+  └ 21 lines...
+
+The range-diff shows `1: 1558b5f4ca < -: ----------` meaning no upstream equivalent. Let me check if upstream's changes to t5563 made this patch obsolete, or if I need to resolve surgically.
+
+● Find conflict markers (shell)
+  │ cd "/home/runner/work/git-for-windows-automation/git-for-windows-automation/
+  │ git/rebase-worktree-main" && grep -n "<<<<<<" t/t5563-simple-http-auth.sh |
+  │ head -20
+  └ 2 lines...
+
+● Check if file exists in both (shell)
+  │ cd "/home/runner/work/git-for-windows-automation/git-for-windows-automation/
+  │ git/rebase-worktree-main" && git diff --name-only HEAD REBASE_HEAD --
+  │ t/t5563-simple-http-auth.sh 2>&1 | head -5
+  └ 2 lines...
+
+● Read t5563-simple-http-auth.sh
+  │ ~/work/git-for-windows-automation/git-for-windows-automation/git/rebase-work
+  │ tree-main/t/t5563-simple-http-auth.sh
+  └ L715:780 (66 lines read)
+
+● Read t5563-simple-http-auth.sh
+  │ ~/work/git-for-windows-automation/git-for-windows-automation/git/rebase-work
+  │ tree-main/t/t5563-simple-http-auth.sh
+  └ L780:860 (33 lines read)
+
+Now I can see the conflict. The upstream added SPNEGO/Negotiate tests (lines 723-794) and our patch adds NTLM tests (lines 796-809). Both are appended before `test_done`. The resolution is to keep both.
+
+● Edit t5563-simple-http-auth.sh +2 -3
+  └ ~/work/git-for-windows-automation/git-for-windows-automation/git/rebase-work
+    tree-main/t/t5563-simple-http-auth.sh
+
+● Verify no remaining conflict markers (shell)
+  │ cd "/home/runner/work/git-for-windows-automation/git-for-windows-automation/
+  │ git/rebase-worktree-main" && grep -n "<<<<<<\|======\|>>>>>>"
+  │ t/t5563-simple-http-auth.sh | head -5
+  └ 1 line...
+
+● Stage resolved file (shell)
+  │ cd "/home/runner/work/git-for-windows-automation/git-for-windows-automation/
+  │ git/rebase-worktree-main" && git add t/t5563-simple-http-auth.sh
+  └ 1 line...
+
+continue -- kept both upstream SPNEGO tests and downstream NTLM test, placing NTLM after SPNEGO before test_done
+
+
+
+Changes   +2 -3
+AI Units  37.2 (53s)
+Tokens    ↑ 30.4k • ↓ 3.5k • 190.3k (cached)
+```
+

copilot.exitcode

@@ -0,0 +1 @@
+0

grep.c

@@ -1647,6 +1647,8 @@ static int grep_source_1(struct grep_opt *opt, struct grep_source *gs, int colle
 
 	bol = gs->buf;
 	left = gs->size;
+	if (left && gs->buf[left-1] == '\n')
+		left--;
 	while (left) {
 		const char *eol;
 		int hit;