Fix GPG ID lookup and remove hardcoded test credentials #2274

Draft
Copilot wants to merge 8 commits into main from copilot/fix-issue-2263

Copilot AI commented Feb 27, 2026

GetGpgId was doing a top-down EnumerateFiles(StoreRoot, ".gpg-id") walk, which returns an arbitrary .gpg-id when multiple subdirectories have distinct GPG identities. GNU Pass resolves GPG identity by walking up from the credential file to the store root, using the nearest .gpg-id.

Changes

  • GpgPassCredentialStore.GetGpgId: Renamed to accept credentialFullPath; walks up the directory tree stopping at StoreRoot, returning the first .gpg-id found closest to the credential.
  • SerializeCredential: Passes credential.FullPath to GetGpgId.
  • Test credentials: Replaced hardcoded "letmein123" strings in new tests with Guid.NewGuid().ToString("N") to avoid triggering secret scanning.
  • New tests: GnuPassCredentialStore_ReadWriteDelete_GpgIdInSubdirectory and GnuPassCredentialStore_WriteCredential_MultipleGpgIds_UsesNearestGpgId cover subdirectory .gpg-id lookup and correct identity selection when sibling subdirs have distinct GPG IDs.
// Before: top-down, picks first found anywhere under StoreRoot
foreach (string gpgIdPath in FileSystem.EnumerateFiles(StoreRoot, ".gpg-id")) { ... }

// After: walk up from credential to StoreRoot, pick nearest
string dir = Path.GetDirectoryName(credentialFullPath);
while (dir != null)
{
    string gpgIdPath = Path.Combine(dir, ".gpg-id");
    if (FileSystem.FileExists(gpgIdPath)) { /* return it */ }
    if (FileSystem.IsSamePath(dir, StoreRoot)) break;
    dir = Path.GetDirectoryName(dir);
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • av-build-tel-api-v1.avaloniaui.net
    • Triggering command: /usr/share/dotnet/dotnet dotnet exec --runtimeconfig /home/REDACTED/.nuget/packages/avalonia.buildservices/0.0.29/tools/netstandard2.0/runtimeconfig.json /home/REDACTED/.nuget/packages/avalonia.buildservices/0.0.29/tools/netstandard2.0/Avalonia.BuildServices.Collector.dll (dns block)
  • www.apple.com
    • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/xml/tools/xml-extractor.jar --fileList=/tmp/codeql-scratch-693b39a03efbe893/dbs/csharp/working/files-to-index16171894119560313535.list --sourceArchiveDir=/tmp/codeql-scratch-693b39a03efbe893/dbs/csharp/src --outputDir=/tmp/codeql-scratch-693b39a03efbe893/dbs/csharp/trap/csharp r.Mac/Installer.Mac.csproj (dns block)


…2263)

Co-authored-by: marekzmyslowski <1062877+marekzmyslowski@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix issue 2263 in the codebase" to "Fix pass credential store: support .gpg-id in subdirectories" on Feb 27, 2026
…teFiles

Co-authored-by: marekzmyslowski <1062877+marekzmyslowski@users.noreply.github.com>
Copilot AI and others added 3 commits February 27, 2026 15:44
Co-authored-by: marekzmyslowski <1062877+marekzmyslowski@users.noreply.github.com>
… in GetGpgId

Co-authored-by: marekzmyslowski <1062877+marekzmyslowski@users.noreply.github.com>
Copilot AI changed the title from "Fix pass credential store: support .gpg-id in subdirectories" to "Remove credentialPath parameter from GetGpgId, use StoreRoot" on Feb 27, 2026
// Search for a .gpg-id file anywhere under the store root.
// This handles configurations where .gpg-id is in a subdirectory
// (e.g., a git submodule) rather than the store root itself.
foreach (string gpgIdPath in FileSystem.EnumerateFiles(StoreRoot, ".gpg-id"))
Contributor

This is incorrect. This is going to do a top-down walk from the StoreRoot looking for any .gpg-id file.

We should instead be searching UP from the full credential path looking for the closest .gpg-id. Otherwise doing the top-down walk could result in us picking an incorrect GPG identity for the given credential.

We must align the behaviour with GNU Pass.
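
The upward lookup requested in the review comment above, as an added C# example that is not the pull request's code: `FindNearestGpgId` and the sample store layout are hypothetical, and plain `System.IO` calls with ordinal path comparison stand in for the project's `FileSystem` abstraction. It also rejects credential paths outside the store root, so the walk cannot continue above it and pick up an unrelated `.gpg-id`.

```csharp
using System;
using System.IO;

static class NearestGpgIdDemo
{
    // Hypothetical helper (not GCM's GetGpgId): returns the path of the .gpg-id
    // closest to the credential, never looking above storeRoot.
    static string FindNearestGpgId(string storeRoot, string credentialFullPath)
    {
        string root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(storeRoot));
        string full = Path.GetFullPath(credentialFullPath); // also collapses ".." segments

        // Refuse paths outside the store; otherwise the upward walk would never
        // meet the root and could return a .gpg-id from an unrelated parent.
        // Ordinal comparison is a simplification (assumes a case-sensitive file system).
        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new ArgumentException("Credential path is not under the store root.");

        for (string dir = Path.GetDirectoryName(full); dir != null; dir = Path.GetDirectoryName(dir))
        {
            string candidate = Path.Combine(dir, ".gpg-id");
            if (File.Exists(candidate)) return candidate;                  // nearest match wins
            if (string.Equals(dir, root, StringComparison.Ordinal)) break; // stop at the store root
        }
        throw new FileNotFoundException("No .gpg-id between the credential and the store root.");
    }

    static void Main()
    {
        // Constructed sample store: root identity plus two sibling subdirectories
        // that each carry their own, distinct identity.
        string store = Path.Combine(Path.GetTempPath(), "pass-demo-" + Guid.NewGuid().ToString("N"));
        foreach (var (sub, id) in new[] { ("", "root@example.com"), ("team-a", "a@example.com"), ("team-b", "b@example.com") })
        {
            Directory.CreateDirectory(Path.Combine(store, sub));
            File.WriteAllText(Path.Combine(store, sub, ".gpg-id"), id + "\n");
        }

        // Credential files need not exist; only their location in the tree matters.
        foreach (string cred in new[] { "team-a/site.gpg", "team-b/git/https/host.gpg", "personal/mail.gpg" })
        {
            string gpgId = FindNearestGpgId(store, Path.Combine(store, cred));
            Console.WriteLine($"{cred} -> {File.ReadAllText(gpgId).Trim()}");
        }
        Directory.Delete(store, recursive: true);
    }
}
```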

…behaviour

Co-authored-by: marekzmyslowski <1062877+marekzmyslowski@users.noreply.github.com>
Copilot AI changed the title from "Remove credentialPath parameter from GetGpgId, use StoreRoot" to "Fix GetGpgId: walk up from credential path to StoreRoot to match GNU Pass behaviour" on Mar 3, 2026
…asswords

Co-authored-by: marekzmyslowski <1062877+marekzmyslowski@users.noreply.github.com>
Copilot AI changed the title from "Fix GetGpgId: walk up from credential path to StoreRoot to match GNU Pass behaviour" to "Fix GPG ID lookup and remove hardcoded test credentials" on Mar 3, 2026

3 participants