devops-infra / action-pull-request

GitHub Action that will create a pull request from the current branch
https://christophshyper.github.io/
MIT License

fatal: unsafe repository REPO is owned by someone else #78

Closed sarasensible closed 2 years ago

sarasensible commented 2 years ago

:memo: fatal: unsafe repository ('/github/workspace' is owned by someone else)

Same issue as https://github.com/gaurav-nelson/github-action-markdown-link-check/issues/132. From the recent commit to master it looks like you guys are already aware of this, but the fix doesn't seem to be working yet.

:warning: Checklist

Check CONTRIBUTING.md and CODE_OF_CONDUCT.md for more information

sarasensible commented 2 years ago

Looks like the issue is the git version - set to 2.34.2 in the Dockerfile, but only 2.35.3 supports the safe directory syntax. Going to try forking this and attempt it myself.

ChristophShyper commented 2 years ago

Hello. I'm aware that today's weekly update bumped the git version to the broken one. Apparently, it has already been fixed in a newer version, but it hasn't been updated in Alpine's package repo yet. They've never made breaking changes before... I'll change my workflow to prevent this in future. For now, I've tried a couple of workarounds but none of them worked, unfortunately. Hopefully, it'll be fixed soon.

sarasensible commented 2 years ago

Hi @ChristophShyper this does seem to be a drastic response to a security vulnerability and it looks like it's breaking solutions like yours across the interwebs.

Is there a reason upgrading the git version to 2.35.3 won't work in this case?

sarasensible commented 2 years ago

Never mind, I tried it for myself and I get this error:

#7 2.392 ERROR: unable to select packages:
#7 2.421   git-2.34.2-r0:
#7 2.421     breaks: world[git~2.35.3]
------
executor failed running [/bin/sh -c set -eux ;  chmod +x /entrypoint.sh ;  apk update --no-cache ;  apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing hub~=2.14.2 ;  apk add --no-cache     bash~=5.1.16     git~=2.35.3     jq~=1.6 ;  rm -rf /var/cache/* ;  rm -rf /root/.cache/*]: exit code: 1

I see this is with the latest alpine too.

sarasensible commented 2 years ago

Looks like

export GIT_CEILING_DIRECTORIES=/__w

might be an alternative. Sourced from https://github.com/actions/checkout/issues/760#issuecomment-1102556218 and https://nvd.nist.gov/vuln/detail/CVE-2022-24765

sarasensible commented 2 years ago

Update: I was not able to get the above to work. Trying to see if any other base image would work instead of alpine.

ChristophShyper commented 2 years ago

As I was saying, the newest available version is 2.34.2, see https://pkgs.alpinelinux.org/packages?name=git&branch=v3.15

ChristophShyper commented 2 years ago

After some trials I've restored the previous functionality. Now it's using Ubuntu instead of Alpine, because only that way can I add git-core/ppa with the newest git packages.

sarasensible commented 2 years ago

Hey, I actually have an alternative solution to using Ubuntu that works with hosted git runners. You can add the "runner" user with the same uid as the hosted git runner and it works fine.

Example Dockerfile built on Alpine:

# Use a clean tiny image to store artifacts in
FROM alpine:3.15.4

# Labels for http://label-schema.org/rc1/#build-time-labels
# And for https://github.com/opencontainers/image-spec/blob/master/annotations.md
# And for https://help.github.com/en/actions/building-actions/metadata-syntax-for-github-actions
ARG NAME="GitHub Action for creating Pull Requests"
ARG DESCRIPTION="GitHub Action that will create a pull request from the current branch"
ARG REPO_URL="https://github.com/devops-infra/action-pull-request"
ARG AUTHOR="Krzysztof Szyper / ChristophShyper / biotyk@mail.com"
ARG HOMEPAGE="https://christophshyper.github.io/"
ARG BUILD_DATE=2020-04-01T00:00:00Z
ARG VCS_REF=abcdef1
ARG VERSION=v0.0
LABEL \
  com.github.actions.name="${NAME}" \
  com.github.actions.author="${AUTHOR}" \
  com.github.actions.description="${DESCRIPTION}" \
  com.github.actions.color="purple" \
  com.github.actions.icon="upload-cloud" \
  org.label-schema.build-date="${BUILD_DATE}" \
  org.label-schema.name="${NAME}" \
  org.label-schema.description="${DESCRIPTION}" \
  org.label-schema.usage="README.md" \
  org.label-schema.url="${HOMEPAGE}" \
  org.label-schema.vcs-url="${REPO_URL}" \
  org.label-schema.vcs-ref="${VCS_REF}" \
  org.label-schema.vendor="${AUTHOR}" \
  org.label-schema.version="${VERSION}" \
  org.label-schema.schema-version="1.0" \
  org.opencontainers.image.created="${BUILD_DATE}" \
  org.opencontainers.image.authors="${AUTHOR}" \
  org.opencontainers.image.url="${HOMEPAGE}" \
  org.opencontainers.image.documentation="${REPO_URL}/blob/master/README.md" \
  org.opencontainers.image.source="${REPO_URL}" \
  org.opencontainers.image.version="${VERSION}" \
  org.opencontainers.image.revision="${VCS_REF}" \
  org.opencontainers.image.vendor="${AUTHOR}" \
  org.opencontainers.image.licenses="MIT" \
  org.opencontainers.image.title="${NAME}" \
  org.opencontainers.image.description="${DESCRIPTION}" \
  maintainer="${AUTHOR}" \
  repository="${REPO_URL}"

# Create the "runner" user with the uid the hosted runner uses for the checkout (1001).
# Busybox adduser's -g sets the GECOS field, not the gid, so the group is created
# first and attached with -G.
RUN addgroup -g 1001 runner \
        && adduser -u 1001 -G runner -D runner \
        && mkdir -p /etc/sudoers.d/ \
        && echo "runner ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/runner \
        && chmod 0440 /etc/sudoers.d/runner

RUN apk add --update sudo

RUN mkdir -p /github/workspace && chown -R runner:runner /github/workspace

USER runner

# Copy all needed files
COPY --chown=runner:runner entrypoint.sh /home/runner

# Install needed packages
RUN set -eux ;\
  chmod +x /home/runner/entrypoint.sh ;\
  sudo apk update --no-cache ;\
  sudo apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing hub~=2.14.2 ;\
  sudo apk add --no-cache \
    bash~=5.1.16 \
    git~=2.34.2 \
    jq~=1.6 ;\
  sudo rm -rf /var/cache/* ;\
  sudo rm -rf /root/.cache/*

# Finish up
CMD ["hub version"]
WORKDIR /github/workspace
ENTRYPOINT ["/home/runner/entrypoint.sh"]

This may not work for everyone since they may not be using hosted runners, but in that case you could just change the UID of the runner to match the UID of the user running the action. This solution preserves the small size of the image, although once Alpine gets its act together and patches git like Ubuntu did it may not make a difference.

Anyways, thank you so much for the help and this very useful action!

ChristophShyper commented 2 years ago

UID is not guaranteed in this case, so it may randomly fail sometimes. Let's hope nobody will release breaking changes again soon :)
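The thread covers three ways around the CVE-2022-24765 ownership check: the safe.directory setting that git 2.35.2+ supports (the fix referenced in the early comments), matching the container uid to the runner's uid (the Dockerfile above), and GIT_CEILING_DIRECTORIES. Since the last comment notes that the runner uid is not guaranteed, the helper below, an added example that is not the action's own entrypoint.sh, shows the approach that does not depend on the uid: it performs the same owner-vs-current-user comparison git does and, only when they differ, adds a safe.directory entry for exactly that path instead of the wildcard "*". The /github/workspace path is the one named in the issue; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the devops-infra/action-pull-request repository).
# Applies the safe.directory mitigation only to the one directory that needs it.
set -eu

# Numeric uid that owns PATH. GNU stat first, BSD stat syntax as a fallback.
owner_uid() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Prints "ok" when PATH is owned by the current user, "mismatch" otherwise.
# This is the ownership test git 2.35.2+ performs before it trusts a
# repository's .git/config (CVE-2022-24765).
ownership_status() {
  if [ "$(owner_uid "$1")" = "$(id -u)" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# Marks exactly WORKSPACE as safe, and only when git would otherwise refuse it.
# Prints "configured" or "unchanged" so a caller can check the outcome.
prepare_workspace() {
  ws="$1"
  if [ "$(ownership_status "$ws")" = mismatch ]; then
    # A per-directory entry. Using '*' here would also silence the check for
    # repositories the container never intended to trust.
    git config --global --add safe.directory "$ws"
    echo configured
  else
    echo unchanged
  fi
}

# Typical entrypoint usage: prepare the checkout, then continue with the
# action's own work. In the action the argument would be /github/workspace.
if [ "$#" -gt 0 ]; then
  prepare_workspace "$1"
fi
```

Because the entry is added at runtime from the observed owner, the image keeps working whether the runner checkout is owned by uid 1001 or by some other uid, and the container process can stay root or become an unprivileged user without the Dockerfile having to guess.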