Closed makiuchi-d closed 12 months ago
Isn't this a problem in nektos/act?
What are you trying to do with git cli?
A git push only works if you tell act to run the actions/checkout instead of emulating parts of it.
--no-skip-checkout or something was it called...
adding a * to safe.directory makes this image vulnerable to the security bug this change of git aims to fix
Thanks for your comment, @ChristopherHX.
> Isn't this a problem in nektos/act?
No, it's not a problem in nektos/act.
This is because it was working correctly with previous ubuntu:act-latest images, which included a git version lower than 2.35.2.
Additionally, actual GitHub Actions has a safe.directory = * configuration, so it should be aligned.
https://github.com/actions/runner-images/blob/main/images/linux/scripts/installers/git.sh#L19-L22
> What are you trying to do with git cli?
The Go compiler is calling the git command internally to embed VCS information into the binary.
As a result, jobs using Go do not work correctly in the current ubuntu:act-latest image.
> adding a * to safe.directory makes this image vulnerable to the security bug this change of git aims to fix
The background for this configuration is CVE-2022-24765.
This vulnerability allowed the malicious .git/config files placed by others in parent directories of the repository to be read.
I believe that the ubuntu:act-latest image does not contain such malicious files.
Therefore, I consider safe.directory = * to be safe in this case.
> Additionally, actual GitHub Actions has a safe.directory = * configuration, so it should be aligned
Oh I didn't know that, because actions/checkout does itself implement a workaround by calling git config
In act, action/checkout does not perform an actual repository checkout; instead, it copies (docker cp) local files. During this process, the local UID/GID of the file or directory is preserved.
For security reasons, git does not operate in repositories where the owner is not the same as the user. In the ubuntu:act-latest image, jobs are executed with the root user. However, the repository copied by action/checkout is not owned by the root, which prevents the use of the git command.
To address this, we need to configure safe.directory. In GitHub Actions, git config includes safe.directory=*.
For more details, please refer to my example: https://github.com/makiuchi-d/act-fail-example
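The owner mismatch described in this thread, together with a path-scoped alternative to safe.directory=*, as an added example that is not part of the original discussion, of act, or of the runner images. The helper names repo_trust_status and trust_repo are hypothetical, GNU stat is assumed, and the check only approximates git's own test (owner uid of the directory, then an exact path or * in the global config).

```shell
#!/bin/sh
# Added example (constructed): not code from act or the runner images.

# Print "owned", "trusted" or "untrusted" for a repository directory.
#   $1 = repository path
#   $2 = uid to compare against (default: the current user)
repo_trust_status() (
    repo=$(cd "$1" && pwd -P) || return 2
    uid=${2:-$(id -u)}
    owner=$(stat -c %u "$repo") || return 2   # GNU stat assumed

    # Same owner: git's ownership check passes without any configuration.
    if [ "$owner" = "$uid" ]; then
        echo owned
        return 0
    fi

    # Different owner: git refuses unless safe.directory lists the path.
    # Only the global scope is read here; "*" trusts every path.
    entries=$(git config --global --get-all safe.directory 2>/dev/null || true)
    if printf '%s\n' "$entries" | grep -Fxq -e '*' -e "$repo"; then
        echo trusted
    else
        echo untrusted
    fi
)

# Trust exactly one repository path instead of writing safe.directory=*.
# Does nothing when the path is already owned or already trusted.
#   $1 = repository path, $2 = optional uid (as above)
trust_repo() (
    repo=$(cd "$1" && pwd -P) || return 2
    [ "$(repo_trust_status "$repo" "${2:-}")" = untrusted ] || return 0
    git config --global --add safe.directory "$repo"
)
```

In a job container this would be called with the workspace path that docker cp populated, before the first git command runs.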