fatal: unsafe repository ('/github/workspace' is owned by someone else)

[stefanb]

All GitHub actions that are committing changes back to the repository started to fail overnight.

It is likely due to git emergency upgrade to fix CVE-2022-24765, see:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

Log:

Traceback (most recent call last):
  File "/entrypoint.py", line 57, in <module>
    run()
  File "/entrypoint.py", line 47, in run
    debug(git(['pull', '--rebase', '--autostash', 'origin', branch]))
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/base.py", line 99, in __call__
    return self.run(args, **kwargs)[1]
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/base.py", line 240, in run
    return p.run()
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/base.py", line 201, in runner
    return run_proc(p, retcode, timeout)
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/processes.py", line 322, in run_proc
    return _check_process(proc, retcode, timeout, stdout, stderr)
  File "/usr/local/lib/python3.7/site-packages/plumbum/commands/processes.py", line 24, in _check_process
    proc.verify(retcode, timeout, stdout, stderr)
  File "/usr/local/lib/python3.7/site-packages/plumbum/machines/base.py", line 29, in verify
    getattr(self, "argv", None), self.returncode, stdout, stderr
plumbum.commands.processes.ProcessExecutionError: Unexpected exit code: 128
Command line: | /usr/bin/git pull --rebase --autostash origin master
Stderr:       | fatal: unsafe repository ('/github/workspace' is owned by someone else)
              | To add an exception for this directory, call:
              | 
              | 	git config --global --add safe.directory /github/workspace

Example actions: https://github.com/sledilnik/data/actions

[behnambm]

@stefanb Is there a fix for this?

[stefanb]

My untested guess at fixing this is to either

• unify the ownership of checked out repository and parent folder (/github/workspace) or
• marking the parent folder (/github/workspace) as safe.directory, as error suggests (if this seems safe to do).

[behnambm]

@stefanb Thanks for responding.

I tried both:

git config --global --add safe.directory /github/workspace

and

env:
      GIT_CEILING_DIRECTORIES: /github::/github/workspace

but none of them worked.

[stefanb]

Ownership seem to be ok:

$ pwd
/home/runner/work/reponame/reponame

$ ls -la
drwxr-xr-x 6 runner docker 4096 Apr 13 06:13 .
drwxr-xr-x 3 runner docker 4096 Apr 13 06:13 ..
drwxr-xr-x 8 runner docker 4096 Apr 13 06:13 .git
-rw-r--r-- 1 runner docker   66 Apr 13 06:13 .gitattributes
drwxr-xr-x 3 runner docker 4096 Apr 13 06:13 .github
-rw-r--r-- 1 runner docker  300 Apr 13 06:13 README.md
...

$ ls -la ..
drwxr-xr-x 3 runner docker 4096 Apr 13 06:13 .
drwxr-xr-x 6 runner root   4096 Apr 13 06:13 ..
drwxr-xr-x 6 runner docker 4096 Apr 13 06:13 reponame

Note the repeated "reponame" in the path, but this should not be a problem.

[stefanb]

Not sure where the /github/workspace comes from as the code is in /home/runner/work/reponame/reponame

[stefanb]

$ ls -la '/github/workspace'
ls: cannot access '/github/workspace': No such file or directory

[stefanb]

Tried setting both
git config --global --add safe.directory /home/runner/work/reponame
and
git config --global --add safe.directory /github/workspace
with no luck

[chenzaichun]

From the Dockerfile, there's no running user defined, so it use root as default, but the directory ownership is runner:docker.

I test with docker build and run it and shows:

 docker run -it --rm commit:v1 sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

If github action use user (runner), we cloud add it and run entrypoint with runner.

[stefanb]

FYI, I also tried with local config:
git config --local --add safe.directory /github/workspace
just before github-actions-x/commit step in hopes it would be persisted in the local repository config, which should then be also used inside the docker container, but that didn't have any effect.

[stefanb]

Tried also

env:
  GIT_CEILING_DIRECTORIES: '/home/runner/work/reponame'

and

env:
  GIT_CEILING_DIRECTORIES: '/github/workspace'

both with no effect, even though GIT_CEILING_DIRECTORIES was listed in the command line to docker.

Also getting this error as well.