NASA-PDS / roundup-action

Do a "roundup", a/k/a PDS-style continuous integration and delivery
Apache License 2.0

github-actions-base got upgraded to Alpine 3.16, broke `git` and `github_changelog_generator` #110

Closed nutjob4life closed 1 year ago

nutjob4life commented 1 year ago

Checked for duplicates

No - I haven't checked

πŸ› Describe the bug

A commit made directly to the main branch of github-actions-base upgraded the FROM image of github-actions-base from Alpine 3.14 to Alpine 3.16.

This resulted in:

The change to git broke the Roundup Action's "Requirements" step and the change to ruby broke the "Changelog" step. (The changelog issue will be addressed in the github-actions-base repository in a separate issue.)

The issue with git is that version 2.36 introduced a fix to a security vulnerability (see the changelog for git and this more full explanation) wherein a suspicious owner of a parent directory is flagged if it's different from the owner of the current repository directory. This is the case with Github Actions since /github is owned by root but /github/workspace (the cloned repository) is owned by user 1001.

In order for the Roundup Action's "Requirements" step to work with git 2.36, it will need to set in the global git configuration that the workspace directory is safe.

🕵️ Expected behavior

I expected these two steps to work.

📜 To Reproduce

Use nasapds/github-actions-base:latest in the Roundup Action's Dockerfile as its FROM and watch things blow up mysteriously.

🖥 Environment Info

Github Actions

📚 Version of Software Used

nasapds/github-actions-base:latest

🩺 Test Data / Additional context

No response

🦄 Related requirements

🦄 #xyz

⚙️ Engineering Details

No response
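One way to apply the fix the issue calls for, as an added example that is not the Roundup Action's own code: an entrypoint helper that adds the workspace to git's global `safe.directory` list (idempotently) before any step runs git, plus a probe that reports whether git currently accepts a directory. The path /github/workspace and uid 1001 come from the issue; the function names and the `GITHUB_WORKSPACE` fallback are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Roundup Action. Marks the Actions
# workspace as a safe git directory so git >= 2.36 does not refuse to
# work when /github is owned by root but /github/workspace (the clone)
# is owned by uid 1001, i.e. the "dubious ownership" check in the issue.
set -eu

# Add DIR to the global safe.directory list unless it is already there,
# so repeated runs do not accumulate duplicate entries in ~/.gitconfig.
# Assumes `git` is on PATH and HOME is writable.
ensure_safe_directory() {
    dir=$1
    # `--get-all` exits 1 when the key is absent; the pipeline tolerates that.
    if git config --global --get-all safe.directory 2>/dev/null | grep -qxF -- "$dir"; then
        return 0
    fi
    git config --global --add safe.directory "$dir"
}

# Print "safe" if git is willing to treat DIR as a repository right now,
# otherwise "unsafe" (covers both "not a repository" and the ownership refusal).
repo_is_usable() {
    if git -C "$1" rev-parse --git-dir >/dev/null 2>&1; then
        echo safe
    else
        echo unsafe
    fi
}

# Typical use at the top of the action's entrypoint, before the
# "Requirements" step. GITHUB_WORKSPACE is set by the runner; the
# /github/workspace fallback is the path named in the issue.
main() {
    ensure_safe_directory "${GITHUB_WORKSPACE:-/github/workspace}"
    git config --global --get-all safe.directory
}

# Only run main when executed as a script under this (assumed) filename.
case "${0##*/}" in roundup_safe_dir.sh) main ;; esac
```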