actions / checkout

Action for checking out a repo
https://github.com/features/actions
MIT License

/github/home/.gitconfig does not exist for container runs #1169

Open arbourd opened 1 year ago

arbourd commented 1 year ago

Issue

If running a job that uses a container like the below, the file /github/home/.gitconfig will not exist, even after checkout runs a config command.

  example:
    runs-on: ubuntu-latest
    container:
      image: alpine

Here is a demo:

  1. Checkout runs, and runs /usr/bin/git config --global --add safe.directory /__w/sat/sat
  2. The global .gitconfig does not exist
  3. Any calls to git remain unsafe/dubious

The safe.directory setting set by the command git config --global --add safe.directory <path> is a no-op.

Workaround

Use the --system scope over --global:

$ git config --system --add safe.directory <path>

  example:
    runs-on: ubuntu-latest
    container:
      image: alpine

    steps:
      - uses: actions/checkout@v3
      - run: git config --system --add safe.directory <path>

destroyersrt commented 1 year ago

I tried the workaround but it doesn't seem to work in my case.

arbourd commented 1 year ago

> I tried the workaround but it doesn't seem to work in my case.

Try without the sudo? Might have something to do with the Slither action itself too and if it spins up containers.

destroyersrt commented 1 year ago

At first I tried without sudo but got a permission denied error.

destroyersrt commented 1 year ago

slither-action had issue https://github.com/crytic/slither-action/pull/50. Thanks.

LecrisUT commented 1 year ago

Should note that the workaround described here is only for container runs

xjlin0 commented 1 year ago

With "dubious ownership" errors, the workaround doesn't work for me. When I switch from --global to --system, it fails with a permission error:

jobs:
  pytest:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code Repository
        uses: actions/checkout@v3
      - name: change --global to --system
        run: git config --system --add safe.directory /app
      - name: Build the Stack
        run:  docker-compose -f local.yml build

results:

Run git config --system --add safe.directory /app
error: could not lock config file /etc/gitconfig: Permission denied
Error: Process completed with exit code 255.

Any suggestions? Thanks!

LecrisUT commented 1 year ago

@xjlin0, please read my previous comment. This is specific to containers

xjlin0 commented 1 year ago

@LecrisUT thanks for the reminder. Could you let me know what the container-specific thing is? My repo is running Django in the container; could I make its GitHub Actions pass with the workaround? Thanks!

LecrisUT commented 1 year ago

The container-specific part here refers to the GitHub action running as:

jobs:
  pytest:
    runs-on: ubuntu-latest
    container: fedora:latest

In this case there are specific volumes that are mounted and specific flags passed. When you run your own setup via docker-compose, you need to check what this does to replicate it. I don't know exactly what this does tbh.

ST-DDT commented 12 months ago

FFR: Using the users option might help here for the related issue: https://github.com/actions/runner/issues/2033#issuecomment-1598547465

theory commented 7 months ago

I banged my head on what I think is this issue all day. Consider this config:

name: Test Git
on:
  push:
jobs:
  bundle:
    name: Git
    runs-on: ubuntu-latest
    container: alpine/git
    steps:
    - uses: actions/checkout@v4
    - run: git archive -v --format zip --prefix foo/ --output foo.zip HEAD

This results in this error:

fatal: detected dubious ownership in repository at '/__w/test-pgxn-tools/test-pgxn-tools'
To add an exception for this directory, call:

    git config --global --add safe.directory /__w/test-pgxn-tools/test-pgxn-tools

Shouldn't we be able to do Git stuff with the repo in a container? Curious, I tried changing the last line to:

    - run: git config safe.directory

It simply exits with no error message, as in this run:

Run git config safe.directory
  git config safe.directory
  shell: sh -e {0}
Error: Process completed with exit code 1.

Is that because the global config file is missing? I find it simply wild that there is no error message.

Anyway, I then tried setting the global config:

    - run: git config --global --add safe.directory "$PWD"

And that works. But I admit I'm pretty confused about why this isn't set up by default when an action starts.

So fine, I can manually put this line into my workflow YAML files, but I'm mystified as to why it's necessary. Is it this issue or am I missing something?

Thanks for bearing with my examples.

theory commented 7 months ago

> It simply exits with no error message, as in this run:

FWIW I see the same error using actions/checkout@v3 in this build and using actions/checkout@v2 in this build. Color me confused.

theory commented 7 months ago

I'm fixing the issue in pgxn-tools by adding this line to the Dockerfile to disable the check inside the running container:

git config --system --add safe.directory '*'

Is there any reason that is likely to be a security issue?

feltech commented 4 weeks ago

Thanks for this. Adding a step to our job with git config --system --add safe.directory $(pwd) works around the "dubious ownership" error.

For info, did a little experiment and added a step to print the id and owner of pwd - for some reason actions/checkout@v4 checks out the repo as user 1001, even though there is no such user in the container. Output from CI

Run id
  id
  ls -ld $(pwd)
  shell: sh -e {0}
uid=0(root) gid=0(root) groups=0(root)
drwxr-xr-x 7 1001 127 4096 Aug 15 15:40 /__w/OpenAssetIO-Test-CMake/OpenAssetIO-Test-CMake

For reference, the upstream change to git that performs the "dubious ownership" check appears to be https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
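
A diagnostic for the situation discussed in this thread, added here as an example and not code from actions/checkout or from any commenter: it reports the owner/caller uid mismatch and whether `$HOME/.gitconfig` exists, then adds a `safe.directory` entry for one absolute path only instead of `*`, which opts out of the ownership check for every repository. The function names and the simplified ownership comparison are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Numeric owner uid of a path (GNU/busybox stat first, BSD stat as fallback).
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Simplified model of the ownership comparison (assumption): the checkout is
# treated as "dubious" when its owner differs from the calling uid.
ownership_state() {
    owner=$(owner_uid "$1")
    caller=${2:-$(id -u)}
    if [ "$owner" = "$caller" ]; then
        echo "match"
    else
        echo "mismatch owner=$owner caller=$caller"
    fi
}

# Does the file named in the issue title exist for this step's HOME?
global_config_state() {
    if [ -f "$HOME/.gitconfig" ]; then
        echo "present $HOME/.gitconfig"
    else
        echo "missing $HOME/.gitconfig"
    fi
}

# Classify a safe.directory value: one absolute path, or the '*' opt-out.
safe_dir_scope() {
    case "$1" in
        '*') echo "wildcard" ;;
        /*)  echo "scoped" ;;
        *)   echo "invalid" ;;
    esac
}

# Add an exception for exactly one checkout, and only if it is needed.
# $2 is --global (default) or --system, the two scopes used in the thread.
trust_workspace() {
    ws=$1
    scope=${2:---global}
    echo "ownership: $(ownership_state "$ws"); global config: $(global_config_state)"
    [ "$(ownership_state "$ws")" = "match" ] && return 0
    [ "$(safe_dir_scope "$ws")" = "scoped" ] || { echo "refusing '$ws'" >&2; return 1; }
    git config "$scope" --add safe.directory "$ws"
}

# Runs only when given a path, e.g.: sh trust-workspace.sh "$PWD" --system
if [ $# -gt 0 ]; then trust_workspace "$@"; fi
```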