Closed (sarasensible closed this issue 2 years ago)
Looks like the issue is the git version - set to 2.34.2 in the Dockerfile, but only 2.35.3 supports the safe directory syntax. Going to try forking this and attempt it myself.
Hello.
I'm aware that today's weekly update bumped the git version to the broken one. Apparently it has already been fixed in a newer version, but it hasn't been updated in Alpine's package repo yet.
They've never made breaking changes before... I'll change my workflow to prevent this in future.
For now, I've tried a couple of workarounds but none of them worked, unfortunately.
Hopefully, it'll be fixed soon.
Hi @ChristophShyper this does seem to be a drastic response to a security vulnerability and it looks like it's breaking solutions like yours across the interwebs.
Is there a reason upgrading the git version to 2.35.3 won't work in this case?
Never mind, I tried it for myself and I get this error:

```
#7 2.392 ERROR: unable to select packages:
#7 2.421   git-2.34.2-r0:
#7 2.421     breaks: world[git~2.35.3]
------
executor failed running [/bin/sh -c set -eux ; chmod +x /entrypoint.sh ; apk update --no-cache ; apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing hub~=2.14.2 ; apk add --no-cache bash~=5.1.16 git~=2.35.3 jq~=1.6 ; rm -rf /var/cache/* ; rm -rf /root/.cache/*]: exit code: 1
```
I see this is with the latest Alpine too.
Looks like `export GIT_CEILING_DIRECTORIES=/__w` might be an alternative. Sourced from https://github.com/actions/checkout/issues/760#issuecomment-1102556218 and https://nvd.nist.gov/vuln/detail/CVE-2022-24765
Update: I was not able to get the above to work. Trying to see if any other base image would work instead of Alpine.
As I was saying, the newest available version is 2.34.2, see https://pkgs.alpinelinux.org/packages?name=git&branch=v3.15
After some trials I've restored the previous functionality.
It now uses Ubuntu instead of Alpine, because only that way can I add git-core/ppa with the newest git packages.
Hey, I actually have an alternative solution to using Ubuntu that works with hosted git runners. You can add the "runner" user with the same UID as the hosted git runner and it works fine.
Example Dockerfile built on Alpine:

```dockerfile
# Use a clean tiny image to store artifacts in
FROM alpine:3.15.4

# Labels for http://label-schema.org/rc1/#build-time-labels
# And for https://github.com/opencontainers/image-spec/blob/master/annotations.md
# And for https://help.github.com/en/actions/building-actions/metadata-syntax-for-github-actions
ARG NAME="GitHub Action for creating Pull Requests"
ARG DESCRIPTION="GitHub Action that will create a pull request from the current branch"
ARG REPO_URL="https://github.com/devops-infra/action-pull-request"
ARG AUTHOR="Krzysztof Szyper / ChristophShyper / biotyk@mail.com"
ARG HOMEPAGE="https://christophshyper.github.io/"
ARG BUILD_DATE=2020-04-01T00:00:00Z
ARG VCS_REF=abcdef1
ARG VERSION=v0.0
LABEL \
    com.github.actions.name="${NAME}" \
    com.github.actions.author="${AUTHOR}" \
    com.github.actions.description="${DESCRIPTION}" \
    com.github.actions.color="purple" \
    com.github.actions.icon="upload-cloud" \
    org.label-schema.build-date="${BUILD_DATE}" \
    org.label-schema.name="${NAME}" \
    org.label-schema.description="${DESCRIPTION}" \
    org.label-schema.usage="README.md" \
    org.label-schema.url="${HOMEPAGE}" \
    org.label-schema.vcs-url="${REPO_URL}" \
    org.label-schema.vcs-ref="${VCS_REF}" \
    org.label-schema.vendor="${AUTHOR}" \
    org.label-schema.version="${VERSION}" \
    org.label-schema.schema-version="1.0" \
    org.opencontainers.image.created="${BUILD_DATE}" \
    org.opencontainers.image.authors="${AUTHOR}" \
    org.opencontainers.image.url="${HOMEPAGE}" \
    org.opencontainers.image.documentation="${REPO_URL}/blob/master/README.md" \
    org.opencontainers.image.source="${REPO_URL}" \
    org.opencontainers.image.version="${VERSION}" \
    org.opencontainers.image.revision="${VCS_REF}" \
    org.opencontainers.image.vendor="${AUTHOR}" \
    org.opencontainers.image.licenses="MIT" \
    org.opencontainers.image.title="${NAME}" \
    org.opencontainers.image.description="${DESCRIPTION}" \
    maintainer="${AUTHOR}" \
    repository="${REPO_URL}"

# Create a "runner" user whose UID (1001) matches the hosted runner's, so the
# checked-out workspace is owned by the same UID git runs as and the
# CVE-2022-24765 ownership check passes without any safe.directory config.
# Note: busybox adduser's -g sets the GECOS field (-G would set the group);
# -D creates the account without a password.
RUN adduser -u 1001 -g 1001 -D runner \
    && mkdir -p /etc/sudoers.d/ \
    && echo "runner ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/runner \
    && chmod 0440 /etc/sudoers.d/runner
RUN apk add --update sudo
RUN mkdir -p /github/workspace && chown -R runner:runner /github/workspace
USER runner

# Copy all needed files
COPY --chown=runner:runner entrypoint.sh /home/runner

# Install needed packages
RUN set -eux ;\
    chmod +x /home/runner/entrypoint.sh ;\
    sudo apk update --no-cache ;\
    sudo apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing hub~=2.14.2 ;\
    sudo apk add --no-cache \
        bash~=5.1.16 \
        git~=2.34.2 \
        jq~=1.6 ;\
    sudo rm -rf /var/cache/* ;\
    sudo rm -rf /root/.cache/*

# Finish up
# Exec-form CMD needs one array element per argument ("hub version" as a single
# element would be looked up as an executable of that name).
CMD ["hub", "version"]
WORKDIR /github/workspace
ENTRYPOINT ["/home/runner/entrypoint.sh"]
```
This may not work for everyone, since they may not be using hosted runners, but in that case you could just change the UID of the runner to match the UID of the user running the action. This solution preserves the small size of the image, although once Alpine gets its act together and patches git like Ubuntu did it may not make a difference.
Anyways, thank you so much for the help and this very useful action!
The UID is not guaranteed in this case, so it may randomly fail at some point. Let's hope nobody releases breaking changes again soon :)
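The thread discusses two ways around git's new ownership check (CVE-2022-24765): build the image so the container user's UID matches the workspace owner, or, where the installed git supports it, exempt the workspace with `safe.directory`. The script below is an added example, not code from this issue or from the action-pull-request project. It factors that choice into a small entrypoint helper: it reads the workspace owner and the current UID, parses `git --version`, and either does nothing (UIDs already match), adds a `safe.directory` entry scoped to exactly one path, or fails with a message pointing at the image rather than silently running on a mismatched workspace. Assumptions: GNU/busybox `stat -c %u` (Alpine and Ubuntu both have it), and a minimum git version for `safe.directory` that is taken from the thread's claim (2.35.3) and exposed as a tunable, since distro backports differ.

```shell
#!/bin/sh
# Added example for this thread; not the project's own entrypoint code.
# Decides how to make the checked-out workspace usable by git inside a
# GitHub Action container without blanket-disabling the ownership check.
#
# Assumptions (not facts from the thread):
#   - `stat -c %u` (GNU coreutils / busybox) is available
#   - MIN_SAFE_DIR_GIT is the thread's stated minimum; tune it per distro

MIN_SAFE_DIR_GIT="${MIN_SAFE_DIR_GIT:-2.35.3}"

# "git version 2.34.2-r0" -> "2.34.2"
git_version_number() {
    v=${1#git version }
    v=${v%%-*}
    printf '%s\n' "$v"
}

# Return 0 when dotted version $1 >= $2 (compares three numeric fields).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -s -d. -f"$i")
        b=$(printf '%s' "$2" | cut -s -d. -f"$i")
        a=${a:-0}
        b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Pure decision function, so it can be tested without a real workspace.
# Prints one of: same-owner | safe-directory | unsupported
plan_workspace_access() {
    owner_uid=$1
    current_uid=$2
    git_ver=$3
    if [ "$owner_uid" = "$current_uid" ]; then
        echo same-owner
    elif version_ge "$git_ver" "$MIN_SAFE_DIR_GIT"; then
        echo safe-directory
    else
        echo unsupported
    fi
}

# Apply the plan to a real directory. Returns non-zero when no safe option
# exists, so the action fails early with a clear reason.
harden_workspace() {
    ws=$1
    owner=$(stat -c %u "$ws")
    me=$(id -u)
    ver=$(git_version_number "$(git --version)")
    case $(plan_workspace_access "$owner" "$me" "$ver") in
        same-owner)
            echo "workspace $ws is owned by uid $me; nothing to do"
            ;;
        safe-directory)
            # Exempt only this path; a wildcard would disable the check for
            # every repository the process can reach.
            git config --global --add safe.directory "$ws"
            echo "added safe.directory for $ws (git $ver)"
            ;;
        unsupported)
            echo "git $ver has no safe.directory support and $ws is owned by uid $owner, not $me" >&2
            echo "rebuild the image with a matching uid or a newer git" >&2
            return 1
            ;;
    esac
}
```

Source this file from `entrypoint.sh` and call `harden_workspace "$GITHUB_WORKSPACE"` before the first git command. The split between `plan_workspace_access` (pure) and `harden_workspace` (side effects) is deliberate: the decision logic can be exercised in CI with constructed UIDs and version strings, while the part that touches `stat`, `id` and `git` stays a thin wrapper.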
:memo: fatal: unsafe repository ('/github/workspace' is owned by someone else)
Same issue as https://github.com/gaurav-nelson/github-action-markdown-link-check/issues/132. From the recent commit to master it looks like you are already aware of this, but the fix doesn't seem to be working yet.