From 197115cb471c79e6b640fc66ed695ffa21b8c2a8 Mon Sep 17 00:00:00 2001 From: Andrew Bayer Date: Wed, 13 Apr 2022 10:28:26 -0400 Subject: [PATCH] Fix git-init for Git 2.35.2 https://github.blog/2022-04-12-git-security-vulnerability-announced/ was announced and then fixed in Git 2.35.2. This ends up creating issues like https://github.com/actions/checkout/issues/760, where the directory the git repo lives isn't owned by the same user performing the git operations. This does appear to be affecting us - see https://tekton-releases.appspot.com/build/tekton-prow/pr-logs/pull/tektoncd_pipeline/4750/pull-tekton-pipeline-integration-tests/1514143139193950210/ for example, which has the telltale error message of `fatal: unsafe repository ('/workspace/go/src/github.com/GoogleContainerTools/skaffold' is owned by someone else)`. This is an attempt to fix that by having `git-init` call `git config --global --add safe.directory [repo dir]` before fetching, etc. Signed-off-by: Andrew Bayer --- pkg/git/git.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/pkg/git/git.go b/pkg/git/git.go index 734a5152859..0023d18252e 100644 --- a/pkg/git/git.go +++ b/pkg/git/git.go @@ -93,8 +93,16 @@ func Fetch(logger *zap.SugaredLogger, spec FetchSpec) error { if err := os.Chdir(spec.Path); err != nil { return fmt.Errorf("failed to change directory with path %s; err: %w", spec.Path, err) } - } else if _, err := run(logger, "", "init"); err != nil { - return err + if _, err := run(logger, "", "config", "--add", "--global", "safe.directory", spec.Path); err != nil { + return err + } + } else { + if _, err := run(logger, "", "init"); err != nil { + return err + } + if _, err := run(logger, "", "config", "--add", "--global", "safe.directory", "/"); err != nil { + return err + } } if err := configSparseCheckout(logger, spec); err != nil { return err