/github/home/.gitconfig does not exist for container runs
Issue
If running a job that uses a container like the below, the file /github/home/.gitconfig will not exist, even after checkout runs a config command.
example:
    runs-on: ubuntu-latest
    container:
      image: alpine
- Checkout runs, and runs /usr/bin/git config --global --add safe.directory /__w/sat/sat
- The global .gitconfig does not exist
- Any calls to git remain unsafe/dubious
The safe.directory setting set by the command git config --global --add safe.directory <path> is a no-op.
Workaround
Use the --system scope over --global:
$ git config --system --add safe.directory <path>
example:
    runs-on: ubuntu-latest
    container:
      image: alpine
    steps:
      - uses: actions/checkout@v3
      - run: git config --system --add safe.directory <path>
I tried the workaround but it doesn't seem to work in my case.
Try without the sudo? Might have something to do with the Slither action itself too and if it spins up containers.
At first I tried without sudo but got permission denied error.
slither-action had issue https://github.com/crytic/slither-action/pull/50. Thanks.
Should note that the workaround described here is only for container runs
With "dubious ownership" errors, the workaround doesn't work for me, when I switch from --global to --system, it fails with permission error
    jobs:
      pytest:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout Code Repository
            uses: actions/checkout@v3
          - name: change --global to --system
            run: git config --system --add safe.directory /app
          - name: Build the Stack
            run: docker-compose -f local.yml build
results:
Run git config --system --add safe.directory /app
error: could not lock config file /etc/gitconfig: Permission denied
Error: Process completed with exit code 255.
Any suggestions? thanks!
@xjlin0, please read my previous comment. This is specific to containers
@LecrisUT thanks for the reminder, could you let me know the containers specific thing? My repo is running Django in the container, could I make its github actions pass by the workaround? thanks!
The container specific here refers to the GitHub action running as:
    jobs:
      pytest:
        runs-on: ubuntu-latest
        container: fedora:latest
In this case there are specific volumes that are mounted and specific flags passed. When you run your own setup via docker-compose, you need to check what this does to replicate it. I don't know exactly what this does tbh.
FFR: Using the users option might help here for the related issue: https://github.com/actions/runner/issues/2033#issuecomment-1598547465
I banged my head on what I think is this issue all day. Consider this config:
    name: Test Git
    on:
      push:
    jobs:
      bundle:
        name: Git
        runs-on: ubuntu-latest
        container: alpine/git
        steps:
          - uses: actions/checkout@v4
          - run: git archive -v --format zip --prefix foo/ --output foo.zip HEAD
This results in this error:
fatal: detected dubious ownership in repository at '/__w/test-pgxn-tools/test-pgxn-tools'
To add an exception for this directory, call:
git config --global --add safe.directory /__w/test-pgxn-tools/test-pgxn-tools
Shouldn't we be able to do Git stuff with the repo in a container? Curious, I tried changing the last line to:
- run: git config safe.directory
It simply exits with no error message, as in this run:
Run git config safe.directory
git config safe.directory
shell: sh -e {0}
Error: Process completed with exit code 1.
Is that because the global config file is missing? I find it simply wild that there is no error message.
Anyway, I then tried setting the global config:
- run: git config --global --add safe.directory "$PWD"
And that works. But I admit I'm pretty confused about why this isn't set up by default when an action starts.
So fine, I can manually put this line into my workflow YAML files, but I'm mystified as to why it's necessary. Is it this issue or am I missing something?
Thanks for bearing with my examples.
> It simply exits with no error message, as in this run:
FWIW I see the same error using actions/checkout@v3 in this build and using actions/checkout@v2 in this build. Color me confused.
I'm fixing the issue in pgxn-tools by adding this line to the Dockerfile to disable the check inside the running container:
git config --system --add safe.directory '*'
Is there any reason that is likely to be a security issue?
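An added example, not part of the thread or of any project mentioned in it: a POSIX shell helper that trusts only the one checkout path rather than `*` (which turns the ownership check off for every repository), tries `--system` first and falls back to `--global`, and reports whether a wildcard entry is already present. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# All safe.directory values in the system and global scopes, one per line.
# "git config --get-all" exits 1 when the key is unset, hence "|| true".
list_safe_dirs() {
    git config --system --get-all safe.directory 2>/dev/null || true
    git config --global --get-all safe.directory 2>/dev/null || true
}

# True when some scope holds the literal "*", which turns the ownership
# check off for every repository this user opens.
has_wildcard() {
    list_safe_dirs | grep -Fxq '*'
}

# True when the directory's owner is not the user running git, the
# condition behind "detected dubious ownership".
owner_mismatch() {
    [ "$(ls -dn -- "$1" | awk '{print $3}')" != "$(id -u)" ]
}

# Trust exactly one path. Rejects "*" and the empty string, skips paths
# already listed, and falls back from --system to --global when
# /etc/gitconfig is not writable.
add_safe_dir() {
    dir=$1
    case $dir in
        ''|'*') echo "refusing to add '$dir' as safe.directory" >&2; return 2 ;;
    esac
    if list_safe_dirs | grep -Fxq -- "$dir"; then
        return 0
    fi
    git config --system --add safe.directory "$dir" 2>/dev/null ||
        git config --global --add safe.directory "$dir"
}

# Script entry point (hypothetical name): ./trust-dir.sh /path/to/checkout
if [ "$#" -gt 0 ]; then
    if has_wildcard; then echo "warning: safe.directory '*' is set" >&2; fi
    if owner_mismatch "$1"; then add_safe_dir "$1"; fi
fi
```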