Ongoing CI issues on main
#12719
The tests are failing due to git/git@7b70e9e, which was released in (latest) git 2.45.1. actions/runner-images@e11ab1f#diff-5c04a529d3c8adf7a5f23afe544071dad1853e281c9c7b44cd8d626b6c57444dR51 is the commit/change bumping the docs about the Git version in GitHub Actions' CI.
We should be able to set /cc @sbidoul since this is a VCS-specific issue and he's one of our resident experts.
I'm not completely clear what the precise behaviour change in git is, and what their intended resolution for users is. From what I can understand, it sounds like the issue is that if you have a partial clone, then a As this seems to be related to a CVE, I'm not convinced we should be setting the "ignore the risks" flag in our CI, much less expect our users to do so. But I'm definitely not a specialist here, so while I'm interested in what the issue is about, I'll defer to @sbidoul over how we fix it.
Expert = the one still around who has fiddled the most with pip's VCS code base 😅 Thanks for the investigation @pradyunsg. I can reproduce the test failures locally with git 2.45.1. I just tried At first sight, and if I interpret the hints from git/git@7b70e9e and the CVE, it might be the problem is with local git repos that are themselves partial clone. This can be reproduced with
An editable install such as So the issue may not impact many pip users in practice. Time will tell. Setting GIT_NO_LAZY_FETCH=0 in our CI seems like a valid short term solution to me, while we investigate if a better approach exists (maybe declaring the local git repos in our tests as safe or something).
Not quite, if I'm understanding the CVE correctly. It's rather that, when you clone with
True.
I think the local repository is used as an example and, based on 2d35b80, it seems to me that git has effectively disabled-by-default the reason that we'd adopted That seems like a thing to consider for us, and to evaluate if this feature should continue to be a thing.
I'm not sure about that yet. According to my preliminary tests (see #12719 (comment)), a local partial clone is necessary to reproduce the issue. Installing from a remote repo with
Filing an issue to track the issues we're seeing with CI on main.