Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

Cannot run git commands in CI due to dubious ownership in repository #1271

Open biltongza opened 1 year ago

biltongza commented 1 year ago

Describe the bug

I have some code to get the current commit hash and time in my build process. Specifically, I am using SvelteKit and I fetch the commit details in the vite.config.js file.

For a while, this has been silently broken on my site and I have not been able to reproduce the issue locally. After adding some logging to my build process I found that the git commands to fetch these details do not execute successfully because the Azure/static-web-apps-deploy@v1 action is getting mounted in the build container (which seems to mess up directory ownership) and the directory is not marked as a safe directory in git.

```
status: 'rejected',
    reason: Error: Command failed: git describe --tags || git rev-parse --short HEAD
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:

        git config --global --add safe.directory /github/workspace
```

I think an easy way to fix it would be for the container to run git config --global --add safe.directory /github/workspace before actually running the build.

Github workflow file:

```yaml
name: Azure Static Web Apps CI/CD

on:
  workflow_dispatch:
  push:
    branches:
      - master
    paths:
      - frontend/**

jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true

      - name: Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ICY_BUSH_07607F803 }}
          repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for GitHub integrations (i.e. PR comments)
          action: "upload"
          ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
          # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
          app_location: "frontend" # App source code path
          api_location: "frontend/build/server" # Api source code path - optional
          output_location: "build/static"
          skip_app_build: false
          ###### End of Repository/Build Configurations ######
```

To Reproduce

Steps to reproduce the behavior:

1. Create a SvelteKit project.
2. Replace the contents of the vite.config.js file with the following:

```js
import { sveltekit } from '@sveltejs/kit/vite';
import { exec } from 'child_process';
import { promisify } from 'util';

// Get current tag/commit and last commit date from git
const pexec = promisify(exec);
const promises = await Promise.allSettled([
  pexec('git describe --tags || git rev-parse --short HEAD'),
  pexec('git log -1 --format=%cd --date=format:"%Y-%m-%d %H:%M"'),
]);
console.log('VITE CONFIG: promises', promises);

// A rejected promise has no `value`, so a failed git command yields
// undefined here and the build carries on without any error.
const [version, lastmod] = promises.map(v => JSON.stringify(v.value?.stdout.trim()));
console.log('VITE CONFIG: commit hash', version);
console.log('VITE CONFIG: commit time', lastmod);

/** @type {import('vite').UserConfig} */
const config = {
  plugins: [sveltekit({})],
  server: { port: 5000 },
  define: {
    VERSION: version,
    LASTMOD: lastmod,
  },
};

export default config;
```

3. Run the build locally; it succeeds and logs the current commit hash and time.
4. Run the build on GitHub Actions; it produces the following output:

```
VITE CONFIG: promises [
  {
    status: 'rejected',
    reason: Error: Command failed: git describe --tags || git rev-parse --short HEAD
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:

    	git config --global --add safe.directory /github/workspace
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:

    	git config --global --add safe.directory /github/workspace

        at ChildProcess.exithandler (node:child_process:419:12)
        at ChildProcess.emit (node:events:514:28)
        at maybeClose (node:internal/child_process:1091:16)
        at Socket.<anonymous> (node:internal/child_process:449:11)
        at Socket.emit (node:events:514:28)
        at Pipe.<anonymous> (node:net:323:12) {
      code: 128,
      killed: false,
      signal: null,
      cmd: 'git describe --tags || git rev-parse --short HEAD',
      stdout: '',
      stderr: "fatal: detected dubious ownership in repository at '/github/workspace'\n" +
        'To add an exception for this directory, call:\n' +
        '\n' +
        '\tgit config --global --add safe.directory /github/workspace\n' +
        "fatal: detected dubious ownership in repository at '/github/workspace'\n" +
        'To add an exception for this directory, call:\n' +
        '\n' +
        '\tgit config --global --add safe.directory /github/workspace\n'
    }
  },
  {
    status: 'rejected',
    reason: Error: Command failed: git log -1 --format=%cd --date=format:"%Y-%m-%d %H:%M"
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:

    	git config --global --add safe.directory /github/workspace

        at ChildProcess.exithandler (node:child_process:419:12)
        at ChildProcess.emit (node:events:514:28)
        at maybeClose (node:internal/child_process:1091:16)
        at Socket.<anonymous> (node:internal/child_process:449:11)
        at Socket.emit (node:events:514:28)
        at Pipe.<anonymous> (node:net:323:12) {
      code: 128,
      killed: false,
      signal: null,
      cmd: 'git log -1 --format=%cd --date=format:"%Y-%m-%d %H:%M"',
      stdout: '',
      stderr: "fatal: detected dubious ownership in repository at '/github/workspace'\n" +
        'To add an exception for this directory, call:\n' +
        '\n' +
        '\tgit config --global --add safe.directory /github/workspace\n'
    }
  }
]
VITE CONFIG: commit hash undefined
VITE CONFIG: commit time undefined
```



My personal repo experiencing this issue: https://github.com/biltongza/ldam.co.za
Affected CI run: https://github.com/biltongza/ldam.co.za/actions/runs/6145310617/job/16672439301

**Expected behavior**
Git commands run normally.

**Additional context**
See https://github.com/actions/runner-images/issues/6775 for more details, it appears to be a result of a CVE in git.
kfiles commented 4 months ago

I have run into the same issue. I am deploying the Hugo app cstate (https://github.com/cstate/cstate), which gets the last-modified info from git history for displaying incident history.

As @biltongza says, since the container is mounting the git directory from outside, it really needs to run the git command to trust the directory as the first step in its containerized workflow.

biltongza commented 4 months ago

I forgot I logged this issue, but I also found a workaround. It turns out that you can specify pre build commands via an environment variable. You can add this to your workflow:

```yaml
env:
    PRE_BUILD_COMMAND: git config --global --add safe.directory /github/workspace
```

Not sure where the "public" documentation for static web apps on this is, but since it uses Oryx under the hood, this is at least mentioned here: https://github.com/microsoft/Oryx/blob/d37b2225a252ab2c04b4726024d047cf01ea1318/doc/runtimes/nodejs.md?plain=1#L45