Closed SaschaSchwarze0 closed 1 month ago
My proposal:
GIT_CLONE_PROTECTION_ACTIVE=false
environment variable using Ginkgo for the test case that uses git-lfsGIT_CLONE_PROTECTION_ACTIVE=false
to the step template of the Git step. The container image is based on the git version coming from RedHat UBI which is older. But eventually, we will also have that problem there. I think that it is safe that we disable the protection because we run git clone
in a very isolated environment = a container running as non-root without any privileges in a Kubernetes cluster.@MaheshRKumawat will take this
I worked on this together with @MaheshRKumawat . The issue is not present anymore, so we encourage existing PRs to rerun the unit test:
We were running on an ubuntu 20240516.1
image. This image comes with Git 2.45.1
see here. The latest CI runs for unit-test are running a newest ubuntu 20240603.1
image, this one comes with Git 2.45.2
, see here. Now that we understand the delta, when looking at the changelog for Git 2.45.2, we see the following:
clone: drop the protections where hooks aren't run
This explains why the issue does not longer exists. For reference, here an example of the failing unit tests:
Git Resource Some tests mutate or depend on git configurations. They must run sequentially to avoid race-conditions. Test that require git configurations cloning repositories with Git Large File Storage [It] should Git clone a repository to the specified target directory
/home/runner/work/build/build/cmd/git/main_test.go:502
[FAILED] Unexpected error:
<*main.ExitError | 0xc000341080>:
fatal: active `post-checkout` hook found during `git clone`:
/tmp/git3063540752/.git/hooks/post-checkout
For security reasons, this is disallowed by default.
If this is intentional and the hook should actually be run, please
run the command again with `GIT_CLONE_PROTECTION_ACTIVE=false`
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/' (exit code 128)
{
Is there an existing issue for this?
Kubernetes Version
No response
Shipwright Version
No response
Current Behavior
Git recently introduced new security features that prevent hooks to be automatically invoked during
git clone
. This affects git-lfs, see https://github.com/git-lfs/git-lfs/issues/5749. As a consequence, our unit tests that use git-lfs are also broken. See https://github.com/shipwright-io/build/actions/runs/9250581194/job/25446913912?pr=1610#step:5:38.Expected Behavior
git-lfs should be functional
Steps To Reproduce
No response
Anything else?
No response