fatal: unsafe repository ('/github/workspace' is owned by someone else) #30

Closed
stefanb opened this issue Apr 13, 2022 · 12 comments

@stefanb
Contributor

stefanb commented Apr 13, 2022

All GitHub actions that are committing changes back to the repository started to fail overnight.

It is likely due to the emergency git upgrade to fix CVE-2022-24765, see:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

Log:

Traceback (most recent call last):
  File "/entrypoint.py", line 57, in <module>
    run()
  File "/entrypoint.py", line 47, in run
    debug(git(['pull', '--rebase', '--autostash', 'origin', branch]))
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/base.py", line 99, in __call__
    return self.run(args, **kwargs)[1]
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/base.py", line 240, in run
    return p.run()
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/base.py", line 201, in runner
    return run_proc(p, retcode, timeout)
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/processes.py", line 322, in run_proc
    return _check_process(proc, retcode, timeout, stdout, stderr)
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/processes.py", line 24, in _check_process
    proc.verify(retcode, timeout, stdout, stderr)
  File "/usr/local/lib/python3.7/site-packages/plumbum/machines/base.py", line 29, in verify
    getattr(self, "argv", None), self.returncode, stdout, stderr
plumbum.commands.processes.ProcessExecutionError: Unexpected exit code: 128
Command line: | /usr/bin/git pull --rebase --autostash origin master
Stderr:       | fatal: unsafe repository ('/github/workspace' is owned by someone else)
              | To add an exception for this directory, call:
              | 
              | 	git config --global --add safe.directory /github/workspace

Example actions: https://github.com/sledilnik/data/actions

@behnambm

@stefanb Is there a fix for this?

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

My untested guess at fixing this is to either

  • unify the ownership of the checked-out repository and the parent folder (/github/workspace) or
  • mark the parent folder (/github/workspace) as safe.directory, as the error suggests (if this seems safe to do).

@behnambm

@stefanb Thanks for responding.

I tried both:

git config --global --add safe.directory /github/workspace

and

env:
      GIT_CEILING_DIRECTORIES: /github::/github/workspace

but neither of them worked.

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

Ownership seems to be OK:

$ pwd
/home/runner/work/reponame/reponame

$ ls -la
drwxr-xr-x 6 runner docker 4096 Apr 13 06:13 .
drwxr-xr-x 3 runner docker 4096 Apr 13 06:13 ..
drwxr-xr-x 8 runner docker 4096 Apr 13 06:13 .git
-rw-r--r-- 1 runner docker   66 Apr 13 06:13 .gitattributes
drwxr-xr-x 3 runner docker 4096 Apr 13 06:13 .github
-rw-r--r-- 1 runner docker  300 Apr 13 06:13 README.md
...

$ ls -la ..
drwxr-xr-x 3 runner docker 4096 Apr 13 06:13 .
drwxr-xr-x 6 runner root   4096 Apr 13 06:13 ..
drwxr-xr-x 6 runner docker 4096 Apr 13 06:13 reponame

Note the repeated "reponame" in the path, but this should not be a problem.

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

Not sure where the /github/workspace comes from as the code is in /home/runner/work/reponame/reponame

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

$ ls -la '/github/workspace'
ls: cannot access '/github/workspace': No such file or directory

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

Tried setting both
git config --global --add safe.directory /home/runner/work/reponame
and
git config --global --add safe.directory /github/workspace
with no luck

@chenzaichun
Contributor

From the Dockerfile, there's no running user defined, so it uses root by default, but the directory ownership is runner:docker.

I tested with docker build and ran it, and it shows:

 docker run -it --rm commit:v1 sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

If the GitHub action uses the user (runner), we could add it and run the entrypoint as runner.

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

FYI, I also tried with local config:
git config --local --add safe.directory /github/workspace
just before github-actions-x/commit step in hopes it would be persisted in the local repository config, which should then be also used inside the docker container, but that didn't have any effect.
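
An added example (not part of the thread, and not the action's own code or its fix): a preflight check that an entrypoint could run inside the container. It compares the owner of the checkout with the uid running git, the condition that the CVE-2022-24765 fix enforces, and registers the path in the global safe.directory list of that user. Git honours safe.directory only from system or global configuration, not from a repository's local config; the function names and the injectable `run` parameter are hypothetical.

```python
import os
import subprocess
import tempfile


def ownership_report(repo, euid=None):
    """Compare the owner of the work tree and its .git with the uid running git."""
    euid = os.geteuid() if euid is None else euid
    repo = os.path.abspath(repo)
    owners = {}
    for path in (repo, os.path.join(repo, ".git")):
        if os.path.exists(path):
            owners[path] = os.stat(path).st_uid
    # Paths owned by a different uid are what git reports as "owned by someone else".
    foreign = sorted(p for p, uid in owners.items() if uid != euid)
    return {"repo": repo, "euid": euid, "owners": owners, "foreign": foreign}


def safe_directory_cmd(repo):
    """argv that records the exception in the *global* config of the current user.

    Global config is read from the HOME of the user running git, so this must
    run in the same environment (here: the container) as the failing git call.
    """
    return ["git", "config", "--global", "--add", "safe.directory",
            os.path.abspath(repo)]


def preflight(repo, euid=None, run=subprocess.run):
    """Add the safe.directory exception only when ownership really differs.

    Returns the command that was run, or None when no exception is needed.
    `run` is injectable (an assumption of this example) so the logic can be
    exercised without git installed.
    """
    report = ownership_report(repo, euid)
    if not report["foreign"]:
        return None
    cmd = safe_directory_cmd(report["repo"])
    run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Constructed sample: a throwaway directory standing in for /github/workspace.
    with tempfile.TemporaryDirectory() as ws:
        os.mkdir(os.path.join(ws, ".git"))
        me = os.geteuid()
        print(ownership_report(ws))                # same owner: nothing foreign
        print(ownership_report(ws, euid=me + 1))   # simulated different uid
        print(preflight(ws, euid=me + 1, run=lambda c, check: None))
```

Limiting the exception to the one checkout path, and adding it only when the owners differ, keeps the ownership check in force for every other directory git may be invoked in.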

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

Tried also

env:
  GIT_CEILING_DIRECTORIES: '/home/runner/work/reponame'

and

env:
  GIT_CEILING_DIRECTORIES: '/github/workspace'

both with no effect, even though GIT_CEILING_DIRECTORIES was listed in the command line to docker.

@ghost

ghost commented Apr 13, 2022

Also getting this error as well.

@stefanb
Contributor Author

stefanb commented Apr 13, 2022

Fixed in release 2.9 via #31

elrido added a commit to PrivateBin/PrivateBin that referenced this issue Apr 14, 2022
requires updating the commit action due to
github-actions-x/commit#30
elrido added a commit to elrido/ZeroBin that referenced this issue Apr 14, 2022
requires updating the commit action due to
github-actions-x/commit#30
cyrillbolliger added a commit to cyrillbolliger/breedersDB that referenced this issue Apr 18, 2022
moltar added a commit to moltar/typescript-runtime-type-benchmarks that referenced this issue Apr 21, 2022
ppisar added a commit to ppisar/libmodulemd that referenced this issue May 17, 2022
git addressed CVE-2022-24765 by refusing to process a git repository
configuration file if the repository is owned by a different user.

That broke CI on GitHub which uses a different user for checking out
and for running the tests. actions/checkout worked around it for
itself, but it reverts safe.directory git settings on exit.

Hence this patch fixes it by explicitly setting git option
safe.directory when a packit, which calls git, is called.

github-actions-x/commit#30
SuperFola added a commit to SuperFola/totw-cpp that referenced this issue Jul 12, 2023
As per github-actions-x/commit#30, /github/workspace isn't a safe directory anymore, preventing the push

Bumping to 2.9 fixes the problem