Open arbourd opened 1 year ago
I tried the workaround but it doesn't seem to work in my case.
Try without the `sudo`? Might have something to do with the Slither action itself too and if it spins up containers.
At first I tried without `sudo` but got a permission denied error.
slither-action had issue https://github.com/crytic/slither-action/pull/50. Thanks.
Should note that the workaround described here is only for container runs
With "dubious ownership" errors, the workaround doesn't work for me: when I switch from `--global` to `--system`, it fails with a permission error.
```yaml
jobs:
  pytest:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code Repository
        uses: actions/checkout@v3
      - name: change --global to --system
        run: git config --system --add safe.directory /app
      - name: Build the Stack
        run: docker-compose -f local.yml build
```
results:
```
Run git config --system --add safe.directory /app
error: could not lock config file /etc/gitconfig: Permission denied
Error: Process completed with exit code 255.
```
Any suggestions? thanks!
@xjlin0, please read my previous comment. This is specific to containers
@LecrisUT thanks for the reminder, could you let me know the containers specific thing? My repo is running Django in the container, could I make its github actions pass by the workaround? thanks!
The container specific here refers to the GitHub action running as:
```yaml
jobs:
  pytest:
    runs-on: ubuntu-latest
    container: fedora:latest
```
In this case there are specific volumes that are mounted and specific flags passed. When you run your own setup via `docker-compose`, you need to check what this does to replicate it. I don't know exactly what this does tbh.
FFR: Using the users option might help here for the related issue: https://github.com/actions/runner/issues/2033#issuecomment-1598547465
I banged my head on what I think is this issue all day. Consider this config:
```yaml
name: Test Git
on:
  push:
jobs:
  bundle:
    name: Git
    runs-on: ubuntu-latest
    container: alpine/git
    steps:
      - uses: actions/checkout@v4
      - run: git archive -v --format zip --prefix foo/ --output foo.zip HEAD
```
This results in this error:
```
fatal: detected dubious ownership in repository at '/__w/test-pgxn-tools/test-pgxn-tools'
To add an exception for this directory, call:
    git config --global --add safe.directory /__w/test-pgxn-tools/test-pgxn-tools
```
Shouldn't we be able to do Git stuff with the repo in a container? Curious, I tried changing the last line to:
```yaml
      - run: git config safe.directory
```
It simply exits with no error message, as in this run:
```
Run git config safe.directory
git config safe.directory
shell: sh -e {0}
Error: Process completed with exit code 1.
```
Is that because the global config file is missing? I find it simply wild that there is no error message.
Anyway, I then tried setting the global config:
```yaml
      - run: git config --global --add safe.directory "$PWD"
```
And that works. But I admit I'm pretty confused about why this isn't set up by default when an action starts.
So fine, I can manually put this line into my workflow YAML files, but I'm mystified as to why it's necessary. Is it this issue or am I missing something?
Thanks for bearing with my examples.
It simply exits with no error message, as in this run:
FWIW I see the same error using `actions/checkout@v3` in this build and using `actions/checkout@v2` in this build. Color me confused.
I'm fixing the issue in pgxn-tools by adding this line to the Dockerfile to disable the check inside the running container:
```
git config --system --add safe.directory '*'
```
Is there any reason that is likely to be a security issue?
Thanks for this. Adding a step to our job with `git config --system --add safe.directory $(pwd)` works around the "dubious ownership" error.
For info, did a little experiment and added a step to print the `id` and owner of `pwd` - for some reason `actions/checkout@v4` checks out the repo as user 1001, even though there is no such user in the container. Output from CI:
```
Run id
id
ls -ld $(pwd)
shell: sh -e {0}
uid=0(root) gid=0(root) groups=0(root)
drwxr-xr-x 7 1001 127 4096 Aug 15 15:40 /__w/OpenAssetIO-Test-CMake/OpenAssetIO-Test-CMake
```
For reference, the upstream change to git that performs the "dubious ownership" check appears to be https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
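A scoped form of the workaround discussed in the comments above, as an added example that is not code from this thread or from actions/checkout: it trusts only the exact workspace path, and only when the directory owner and the job user differ, rather than setting `safe.directory` to `'*'`. The function names are hypothetical.

```shell
#!/bin/sh
# Constructed helper (function names are hypothetical, not part of actions/checkout).

# Numeric uid owning a path: the `ls -ld` check from the thread, with -n.
path_owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# True when the owner of $1 differs from uid $2 (default: the current user).
# This is the situation shown in the thread: uid 0 in the container, workspace owned by 1001.
ownership_mismatch() {
    dir=$1
    uid=${2:-$(id -u)}
    [ "$(path_owner_uid "$dir")" != "$uid" ]
}

# Add one exact absolute path to safe.directory; wildcards are refused so the
# ownership check stays active everywhere else. Tries --system first and falls
# back to --global when /etc/gitconfig cannot be locked (non-root runner).
trust_exact_path() {
    dir=$1
    case $dir in
        ''|*\**|[!/]*)
            echo "refusing to trust '$dir': need an absolute path without '*'" >&2
            return 2 ;;
    esac
    for scope in --system --global; do
        # Already trusted in this scope: nothing to add.
        if git config "$scope" --get-all safe.directory 2>/dev/null |
            grep -Fxq -- "$dir"; then
            return 0
        fi
    done
    git config --system --add safe.directory "$dir" 2>/dev/null ||
        git config --global --add safe.directory "$dir"
}

# Step body: add the exception only when the workspace owner and the job user differ.
fix_workspace() {
    dir=${1:-$PWD}
    if ownership_mismatch "$dir"; then
        trust_exact_path "$dir"
    fi
}
```

Source the file in a step after checkout and call `fix_workspace "$PWD"`.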
Issue
If running a job that uses a container like the below, the file `/github/home/.gitconfig` will not exist, even after checkout runs a config command. Here is a demo:
```
/usr/bin/git config --global --add safe.directory /__w/sat/sat
```
The `safe.directory` setting set by the command `git config --global --add safe.directory <path>` is a no-op.
Workaround
Use the `--system` scope over `--global`: