catthehacker / docker_images

Docker images
MIT License

fix act failure when the git command is used in the workflow job #108

Closed makiuchi-d closed 12 months ago

makiuchi-d commented 1 year ago

In act, action/checkout does not perform an actual repository checkout; instead, it copies (docker cp) local files. During this process, the local UID/GID of the file or directory is preserved.

For security reasons, git does not operate in repositories where the owner is not the same as the user. In the ubuntu:act-latest image, jobs are executed with the root user. However, the repository copied by action/checkout is not owned by the root, which prevents the use of the git command.

To address this, we need to configure safe.directory. In GitHub Actions, git config includes safe.directory=*.

For more details, please refer to my example: https://github.com/makiuchi-d/act-fail-example

ChristopherHX commented 12 months ago

Isn't this a problem in nektos/act?

What are you trying to do with git cli?

A git push only works if you tell act to run the actions/checkout instead of emulating parts of it.

--no-skip-checkout or something was it called...

adding a * to safe.directory makes this image vulnerable to the security bug this change of git aims to fix

makiuchi-d commented 12 months ago

Thanks for your comment, @ChristopherHX.

> Isn't this a problem in nektos/act?

No, it's not a problem in nektos/act. This is because it was working correctly with previous ubuntu:act-latest images, which included a git version lower than 2.35.2. Additionally, actual GitHub Actions has a safe.directory = * configuration, so it should be aligned.

https://github.com/actions/runner-images/blob/main/images/linux/scripts/installers/git.sh#L19-L22

> What are you trying to do with git cli?

The Go compiler is calling the git command internally to embed VCS information into the binary. As a result, jobs using Go do not work correctly in the current ubuntu:act-latest image.

> adding a * to safe.directory makes this image vulnerable to the security bug this change of git aims to fix

The background for this configuration is CVE-2022-24765. This vulnerability allowed malicious .git/config files placed by others in parent directories of the repository to be read. I believe that the ubuntu:act-latest image does not contain such malicious files. Therefore, I consider safe.directory = * to be safe in this case.
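To make the trade-off discussed in this thread concrete, here is an added example (not code from catthehacker/docker_images, nektos/act or git itself): a small Python model of the ownership check git introduced for CVE-2022-24765. It walks upward from a working directory the way git discovers a repository, refuses a repository whose owner differs from the running user, and then applies `safe.directory`. The directory tree, the UIDs and the two config texts are constructed for the example; real git also honours `safe.directory` suffix forms and ignores the setting when it comes from the repository's own config, which this model leaves out.

```python
"""Model of git's safe.directory ownership check (CVE-2022-24765 mitigation).

Constructed example: the tree below stands in for a workspace that `docker cp`
placed into the container with its host UID (1000) preserved, while the act
job runs as root (UID 0), as described in the issue.
"""
import posixpath
from dataclasses import dataclass


def parse_git_config(text):
    """Return {"section.key": [values...]} for gitconfig-style text.

    git allows the same key several times (safe.directory is multi-valued),
    so values are collected in a list instead of being overwritten.
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        if section is None or not key.strip():
            raise ValueError(f"key outside a section: {raw!r}")
        full_key = f"{section}.{key.strip().lower()}"
        values.setdefault(full_key, []).append(value.strip())
    return values


@dataclass(frozen=True)
class Dir:
    owner_uid: int
    has_git_dir: bool = False  # True when <path>/.git exists


# Constructed filesystem: /workspace/myrepo is the checked-out project
# (host UID 1000); /tmp/shared is a directory another user controls in
# which a .git directory was placed (the CVE-2022-24765 scenario).
TREE = {
    "/": Dir(0),
    "/workspace": Dir(0),
    "/workspace/myrepo": Dir(1000, has_git_dir=True),
    "/workspace/myrepo/src": Dir(1000),
    "/tmp": Dir(0),
    "/tmp/shared": Dir(1000, has_git_dir=True),
    "/tmp/shared/build": Dir(0),
}

# The two configurations compared in the thread (constructed texts).
WILDCARD_CONFIG = "[safe]\n\tdirectory = *\n"
EXACT_CONFIG = "[safe]\n\tdirectory = /workspace/myrepo\n"


def discover_repo(cwd, tree):
    """Walk from cwd upward, as git does, to the first directory holding .git."""
    path = posixpath.normpath(cwd)
    while True:
        entry = tree.get(path)
        if entry is not None and entry.has_git_dir:
            return path
        parent = posixpath.dirname(path)
        if parent == path:  # reached the filesystem root
            return None
        path = parent


def is_safe_directory(repo, owner_uid, current_uid, safe_dirs):
    """git's rule: own repositories are always fine; foreign-owned ones only
    when safe.directory names them exactly or is the wildcard '*'."""
    if owner_uid == current_uid:
        return True
    for entry in safe_dirs:
        if entry == "*" or posixpath.normpath(entry) == repo:
            return True
    return False


def classify(cwd, tree, current_uid, config_text):
    """Return 'no repository', 'ok' or 'dubious ownership' for a git run in cwd."""
    repo = discover_repo(cwd, tree)
    if repo is None:
        return "no repository"
    safe_dirs = parse_git_config(config_text).get("safe.directory", [])
    if is_safe_directory(repo, tree[repo].owner_uid, current_uid, safe_dirs):
        return "ok"
    return "dubious ownership"


if __name__ == "__main__":
    for cwd in ("/workspace/myrepo/src", "/tmp/shared/build"):
        for name, cfg in (("none", ""), ("wildcard", WILDCARD_CONFIG), ("exact", EXACT_CONFIG)):
            print(f"uid 0 in {cwd} with safe.directory={name}: {classify(cwd, TREE, 0, cfg)}")
```

Running it shows both sides of the discussion: with no `safe.directory` the root-run job is refused in `/workspace/myrepo` (the Go build failure), and either config form fixes that. The difference appears in `/tmp/shared/build`: the exact entry still refuses the foreign-owned repository git discovered in a parent directory, while `*` accepts it, which is the behaviour the CVE fix was meant to stop.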

ChristopherHX commented 12 months ago

> Additionally, actual GitHub Actions has a safe.directory = * configuration, so it should be aligned

Oh I didn't know that, because actions/checkout does itself implement a workaround by calling git config