cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://cncf.io/projects

GH actions are always failing on the Git safe directory error, but returning success #1221

Closed tuminoid closed 5 months ago

tuminoid commented 5 months ago

Hello tag security maintainers!

I randomly noticed that your GitHub actions are always failing the Git safe directory check but returning success, i.e. false positives.

In the Makefile you have targets that are called like `make links`, and then in ci/links.sh you want to iterate over changed files via `for file_name in $(git diff --name-only $HEAD main); do`, but git returns nothing on stdout due to the safe directory failure (all output goes to stderr), so you end up linting nothing in any of your actions. `set -e` is not enabled for the scripts, so it just falls through.

For example, on PR #1202 linter action logs

Run make lint
Running lint...

Creating network "tag-security_default" with the default driver
Creating tag-security_lint_run ... 
Creating tag-security_lint_run ... done

added 59 packages in 3s

18 packages are looking for funding
  run `npm fund` for details
npm notice 
npm notice New minor version of npm available! 10.2.3 -> 10.3.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v10.3.0>
npm notice Run `npm install -g npm@10.3.0` to update!
npm notice 
fatal: detected dubious ownership in repository at '/usr/src/app'
To add an exception for this directory, call:

    git config --global --add safe.directory /usr/src/app
warning: Not a git repository. Use --no-index to compare two paths outside a working tree
usage: git diff --no-index [<options>] <path> <path>
...

Same for spell check, links check and even the setup job.

If you run the linters locally over the repository content as suggested by the ci/*.sh scripts, you get:

and so on.

This failure can be reproduced locally with `make links`, `make lint`, `make spelling`, as the node:18 image used also ships a recent enough Git.

edit: adjusted the numbers after actually counting them here: https://github.com/cncf/tag-security/pull/1223#issuecomment-1911664669
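The failure mode described in the report, as an added example that is not code from the tag-security repository: the lenient `for file_name in $(git diff ...)` pattern is placed next to a strict variant that captures the file list first, aborts when git exits non-zero, and refuses to pass when the list is empty. `fake_git_diff` is a constructed stand-in for `git diff --name-only $HEAD main` so the script runs without a repository; called with the argument `fail` it behaves like git inside the lint container (error on stderr, empty stdout, exit status 128). Note that adding `set -e` alone would not rescue the original form, because bash does not apply errexit to a command substitution expanded inside a `for` word list; the exit status has to be captured explicitly, as the strict version does.

```shell
#!/usr/bin/env bash
# Added example (not from ci/links.sh): lenient vs strict handling of a
# failing "git diff --name-only". fake_git_diff is a constructed stand-in
# for git so the demo runs offline; "fail" mimics the dubious-ownership error.

fake_git_diff() {
  if [ "${1:-}" = "fail" ]; then
    echo "fatal: detected dubious ownership in repository at '/usr/src/app'" >&2
    return 128
  fi
  # constructed sample output: two "changed" files
  printf '%s\n' README.md docs/guide.md
}

# Lenient: the original pattern. git's exit status is lost in the for-list
# expansion, the loop body runs zero times, and the check reports success
# with "0" files checked.
lenient_check() {
  checked=0
  for file_name in $(fake_git_diff "${1:-}"); do
    checked=$((checked + 1))   # the real script would lint "$file_name" here
  done
  echo "$checked"
  return 0
}

# Strict: capture the list first, fail on a git error, and treat an empty
# list as a failure too so a broken checkout can never pass silently.
strict_check() {
  files=$(fake_git_diff "${1:-}") || {
    echo "git diff failed with status $?; aborting check" >&2
    return 1
  }
  if [ -z "$files" ]; then
    echo "git returned no changed files; refusing to pass an empty check" >&2
    return 2
  fi
  checked=0
  while IFS= read -r file_name; do
    checked=$((checked + 1))   # lint "$file_name" here
  done <<EOF
$files
EOF
  echo "$checked"
}

echo "--- git works ---"
lenient_check;      echo "lenient exit=$?"
strict_check;       echo "strict exit=$?"
echo "--- git fails as in the CI container ---"
lenient_check fail; echo "lenient exit=$?"
strict_check fail;  echo "strict exit=$?"
```

With git working, both variants count 2 files and exit 0; with the simulated safe.directory failure the lenient variant still prints 0 and exits 0, while the strict variant exits 1 and the job turns red until the container's git configuration (or the ownership of the mounted checkout) is fixed.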