Currently the workflow cannot build PRs: Sample log for #4224.
Long story long, read this GitHub blog.
Long story short:
Git v2.35.2 works around CVE-2022-24765 by safe.directory.
actions/checkout works around safe.directory by creating user-wide .gitconfig (this config doesn't work in repo-wide .gitconfig) - that's why it worked.
To avoid flushing .gitconfig on self-hosted runners, actions/checkout uses a temporary home directory to put user .gitconfig.
gh CLI apparently isn't aware of that temporary .gitconfig - that's why it failed.
The most simple solution: set user-wide actions/checkout in the runner - we don't use self-hosted runners for now on aosc-os-abbs.
The simple and robust solution: use actions/checkout to check out PRs.
See-Also: actions/checkout#762
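An added example, not part of the original PR description and not code from actions/checkout or gh: a shell diagnostic for the scoping described above, showing that a safe.directory entry written under one HOME is invisible to a process running with another. The helper names (git_as_home, safe_dir_visible, demo) and all paths are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: the HOME a process runs with decides whether it sees a
# user-wide safe.directory entry. All paths are temporary and constructed.

# Run git with an isolated per-user config rooted at $1; system config ignored.
git_as_home() {
    home=$1; shift
    HOME="$home" XDG_CONFIG_HOME="$home/.config" GIT_CONFIG_NOSYSTEM=1 git "$@"
}

# Succeed if path $2 is listed as safe.directory in the user-wide config
# that a process with HOME=$1 would read. Only the global scope is queried,
# because Git does not honor this setting from repository config.
safe_dir_visible() {
    git_as_home "$1" config --global --get-all safe.directory 2>/dev/null |
        grep -qxF -- "$2"
}

demo() {
    work=$(mktemp -d) || return 1
    runner_home="$work/runner-home"      # HOME seen by later workflow steps
    checkout_home="$work/checkout-home"  # temporary HOME of the checkout step
    repo="$work/repo"
    mkdir -p "$runner_home" "$checkout_home"
    git_as_home "$runner_home" init -q "$repo"

    # The entry lands in the temporary HOME's .gitconfig only.
    git_as_home "$checkout_home" config --global --add safe.directory "$repo"
    # A repo-local entry is stored but does not count for this setting.
    git_as_home "$runner_home" -C "$repo" config --local --add safe.directory "$repo"

    if safe_dir_visible "$checkout_home" "$repo"; then a=yes; else a=no; fi
    if safe_dir_visible "$runner_home" "$repo"; then b=yes; else b=no; fi
    rm -rf "$work"
    printf 'checkout=%s runner=%s\n' "$a" "$b"
}

demo   # prints: checkout=yes runner=no
```

Running `git config --global --get-all safe.directory` in the failing step, with that step's own HOME, gives the same answer for a real runner.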