/github/home/.gitconfig does not exist for container runs

[arbourd]

Issue

If running a job that uses a container like the below, the file /github/home/.gitconfig will not exist, even after checkout runs a config command.

  example:
    runs-on: ubuntu-latest
    container:
      image: alpine

Here is a demo:

1. Checkout runs, and runs /usr/bin/git config --global --add safe.directory /__w/sat/sat
2. The global .gitconfig does not exist
3. Any calls to git remain unsafe/dubious

The safe.directory settings set by the command git config --global --add safe.directory <path> is a no-op.

Workaround

Use the --system scope over --global:

$ git config --system --add safe.directory <path>

  example:
    runs-on: ubuntu-latest
    container:
      image: alpine

    steps:
      - uses: actions/checkout@v3
      - run: git config --system --add safe.directory <path>

[destroyersrt]

I tried the workaround but it doesn't seem to work in my case.

[arbourd]

I tried the workaround but it doesn't seem to work in my case.

Try without the sudo? Might ahve something to do with the Slither action itself too and if it spins up containers.

[destroyersrt]

At first I tried without sudo but got permission denied error.

[destroyersrt]

slither-action had issue crytic/slither-action#50. Thanks.

[LecrisUT]

Should note that the workaround described here is only for container runs

[theory]

I banged my head on what I think is this issue all day. Consider this config:

name: Test Git
on:
  push:
jobs:
  bundle:
    name: Git
    runs-on: ubuntu-latest
    container: alpine/git
    steps:
    - uses: actions/checkout@v4
    - run: git archive -v --format zip --prefix foo/ --output foo.zip HEAD

This results in this error:

fatal: detected dubious ownership in repository at '/__w/test-pgxn-tools/test-pgxn-tools'
To add an exception for this directory, call:

	git config --global --add safe.directory /__w/test-pgxn-tools/test-pgxn-tools

Shouldn't we be able to do Git stuff with the repo in a container? Curious, I tried changing the last line to:

    - run: git config safe.directory

It simply exits with no error message, as in this run:

Run git config safe.directory
  git config safe.directory
  shell: sh -e {0}
Error: Process completed with exit code 1.

Is that because the global config file is missing? I find it simply wild that there is no error message.

Anyway, I then tried setting the global config:

    - run: git config --global --add safe.directory "$PWD"

And that works. But I admit I'm pretty confused about why this isn't set up by default when an action starts.

So fine, I can manually put this line into my workflow YAML files, but I'm mystified as to why it's necessary. Is it this issue or am I missing something?

Thanks for bearing with my examples.

[theory]

It simply exits with no error message, as in this run:

FWIW I see the same error using actions/checkout@v3 in this build an using actions/checkout@v2 in this build. Color me confused.

[theory]

I'm fixing the issue in pgxn-tools by adding this line to the Dockerfile to disable the check inside the running container:

git config --system --add safe.directory '*'

Is there any reason that is likely to be a security issue?

[feltech]

Thanks for this. Adding a step to our job with git config --system --add safe.directory $(pwd) works around the "dubious ownership" error.

For info, did a little experiment and added a step to print the id and owner of pwd - for some reason actions/checkout@v4 checks out the repo as user 1001, even though there is no such user in the container. Output from CI

Run id
  id
  ls -ld $(pwd)
  shell: sh -e {0}
uid=0(root) gid=0(root) groups=0(root)
drwxr-xr-x 7 1001 127 4096 Aug 15 15:40 /__w/OpenAssetIO-Test-CMake/OpenAssetIO-Test-CMake

For reference, the upstream change to git that performs the "dubious ownership" check appears to be git/git@f4aa8c8

[mxw-sec]

Any working arounds for this, I am seeing the same /github/home/.gitconfig doesn't exist message on Terraform-docs/gh-actions.