jaumann / github-bumpversion-action

A GitHub action that utilizes the bumpversion tool
MIT License

Git 2.23.2 has new security that breaks this action #4

Open jasonamyers opened 2 years ago

jasonamyers commented 2 years ago

Recently, we started getting errors like:

fatal: unsafe repository ('/github/workspace' is owned by someone else)
To add an exception for this directory, call:

    git config --global --add safe.directory /github/workspace

when using this action. This started when the container started installing git 2.23.2-r0 instead of git 2.23.1-r0.

This results in the workspace being marked as insecure due to a CVE Fix: https://github.com/git/git/blob/master/Documentation/RelNotes/2.34.2.txt

In this case, we're not in a multiuser git workspace, so we should be safe to enable the git config above.

doc-balto commented 2 years ago

I naively tried to set git config --global --add safe.directory /github/workspace in the step beforehand, but had no luck.
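The fix the original post points at, written as an entrypoint-style script, is added here as an example; it is not this action's own entrypoint. It assumes a Docker container action with the checkout mounted at `/github/workspace` (GitHub's default mount point) and a git inside the container that is new enough to know `safe.directory`. It also shows why setting the option in a previous workflow step does not help: that step runs on the runner host, whose global git config is not what the action's container reads.

```shell
#!/bin/sh
# Added example (not the action's own entrypoint): make the mounted workspace
# acceptable to git inside a container action, then run bumpversion.
# Assumption: the repo is mounted at /github/workspace and the container runs
# as a different uid than the one that did the checkout, which is what makes
# git refuse the directory as an "unsafe repository".
set -eu

WORKSPACE="${GITHUB_WORKSPACE:-/github/workspace}"

# Returns 0 when git is willing to operate on the directory as a repository,
# 1 when it refuses (ownership mismatch, or simply not a repository).
repo_is_trusted() {
    dir="$1"
    if git -C "$dir" rev-parse --git-dir >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Add the directory to safe.directory in the global config that *this*
# process sees. Inside a container action that is the container's config;
# a `git config --global` run in an earlier workflow step lands on the runner
# host and is not visible here.
trust_workspace() {
    dir="$1"
    git config --global --add safe.directory "$dir"
}

# Add the exception only when git actually refuses the directory, then
# re-check. A second failure means the cause is not ownership (for example,
# the directory is not a git repository at all), so the script stops there.
ensure_trusted() {
    dir="$1"
    if repo_is_trusted "$dir"; then
        return 0
    fi
    trust_workspace "$dir"
    repo_is_trusted "$dir"
}

main() {
    ensure_trusted "$WORKSPACE"
    cd "$WORKSPACE"
    bumpversion "$@"
}

# Run the pipeline only when invoked as the container entrypoint, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    */entrypoint.sh|entrypoint.sh) main "$@" ;;
esac
```

Save it as `entrypoint.sh`, mark it executable, and use it as the image's `ENTRYPOINT`; any arguments the action passes (for example `patch`) go straight through to `bumpversion`. The exception is scoped to one directory rather than `*`, so the container does not start trusting every repository it happens to see.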

peterdudfield commented 2 years ago

I'm seeing the same problem here - https://github.com/openclimatefix/nowcasting_datamodel/actions/runs/2166584312

jasonamyers commented 2 years ago

I ended up shipping https://github.com/marketplace/actions/bumpversion-action-for-github as a workaround for this issue with my PR to this repo.

peterdudfield commented 2 years ago

I ended up shipping https://github.com/marketplace/actions/bumpversion-action-for-github as a workaround for this issue with my PR to this repo.

Thanks @jasonamyers for this - this worked for me

peterdudfield commented 2 years ago

I ended up shipping https://github.com/marketplace/actions/bumpversion-action-for-github as a workaround for this issue with my PR to this repo.

@jasonamyers is there a slight bug / update of the readme needed?

Looks like the output is 'new_ver', not 'new_tag', in your GitHub action readme,

but maybe I've got myself confused.

jasonamyers commented 2 years ago

Good catch @peterdudfield, fixed.