Fix repository checkout ownership on Linux when running as non-root

[Copilot]

Issue

When the checkout task executes on a Linux agent, repositories can be created with root ownership rather than using the agent's user account. This creates permission issues during the build process and can cause unexpected failures, as shown in the attached image.

Root Cause

When moving or copying directories during repository checkout:

1. The Directory.Move and file copying operations don't preserve the original ownership on Linux
2. If any part of the pipeline elevation process runs with root permissions, the repositories can end up owned by root
3. No explicit ownership repair was being performed after directory operations

Solution

Added proper ownership handling for directories on Linux systems through:

1. Created new EnsureDirectoryOwnership method in IOUtil.cs that:

   • Only runs on Linux platforms
   • Gets the current user and group IDs using the id command
   • Uses chown to set correct ownership recursively
   • Includes proper error handling to avoid breaking builds if chown fails

2. Added ownership repair after key directory operations:

   • In IOUtil.MoveDirectory after moving directories
   • In IOUtil.CopyDirectory after copying directories
   • In BuildDirectoryManager.CreateDirectory after creating new directories

3. Made changes in a platform-agnostic way:

   • Ownership correction only runs on Linux platforms
   • No changes to behavior on Windows or macOS

This ensures that repositories maintain the correct ownership regardless of how they're initially created.

Fixes #5200.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• pkgs.dev.azure.com
  • Triggering command: dotnet build src/Agent.Sdk/Agent.Sdk.csproj (dns block)
• vstsagenttools.blob.core.windows.net
  • Triggering command: curl --retry 10 -fkSL -o /home/REDACTED/work/azure-pipelines-agent/azure-pipelines-agent/_downloads/linux-x64/netcore2x/partial/vso-task-lib.tar.gz REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.