From a0eb51f8eae59bee349b223614f6844e160c10de Mon Sep 17 00:00:00 2001 From: Marcus Wirtz Date: Tue, 21 Apr 2026 11:32:17 +0200 Subject: [PATCH] fix: fix adding safe-directory in container --- .github/workflows/test.yml | 1 - __test__/verify-worktree.sh | 3 --- src/git-source-provider.ts | 54 ++++++++++++++++++++++++++++--------- src/git-source-settings.ts | 5 ++++ src/input-helper.ts | 1 + 5 files changed, 47 insertions(+), 17 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0383c88..52d6475 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -314,7 +314,6 @@ jobs: fi # Verify auth token - git config --global --add safe.directory "*" git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main # needed to make checkout post cleanup succeed diff --git a/__test__/verify-worktree.sh b/__test__/verify-worktree.sh index 3a4d3e4..8f12284 100755 --- a/__test__/verify-worktree.sh +++ b/__test__/verify-worktree.sh @@ -15,9 +15,6 @@ fi cd "$CHECKOUT_PATH" -# Add safe directory for container environments -git config --global --add safe.directory "*" 2>/dev/null || true - # Show the includeIf configuration echo "Git config includeIf entries:" git config --list --show-origin | grep -i include || true diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts index ec87178..fe21476 100644 --- a/src/git-source-provider.ts +++ b/src/git-source-provider.ts @@ -44,20 +44,14 @@ export async function getSource(settings: IGitSourceSettings): Promise { if (git) { authHelper = gitAuthHelper.createAuthHelper(git, settings) if (settings.setSafeDirectory) { - // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail - // Otherwise all git commands we run in a container fail - await authHelper.configureTempGlobalConfig() - core.info( - `Adding repository directory to the temporary git global config as a safe directory` + await addSafeDirectory(settings.repositoryPath, git) + const containerPath = getContainerRepositoryPath( + settings.repositoryPath, + settings.githubWorkspacePath ) - - await git - .config('safe.directory', settings.repositoryPath, true, true) - .catch(error => { - core.info( - `Failed to initialize safe directory with error: ${error}` - ) - }) + if (containerPath && containerPath !== settings.repositoryPath) { + await addSafeDirectory(containerPath, git) + } stateHelper.setSafeDirectory() } @@ -373,3 +367,37 @@ async function getGitCommandManager( return undefined } } + +async function addSafeDirectory( + safeDirectory: string, + git: IGitCommandManager +): Promise { + core.info(`Adding '${safeDirectory}' to the git global config as a safe directory`) + await git.config('safe.directory', safeDirectory, true, true).catch(error => { + core.info(`Failed to initialize safe directory with error: ${error}`) + }) +} + +function getContainerRepositoryPath( + repositoryPath: string, + githubWorkspace?: string +): string { + if (!githubWorkspace) { + return '' + } + + let relativeRepositoryPath = path.relative(githubWorkspace, repositoryPath) + if (!relativeRepositoryPath || relativeRepositoryPath === '.') { + return '/github/workspace' + } + + if ( + relativeRepositoryPath.startsWith('..') || + path.isAbsolute(relativeRepositoryPath) + ) { + return '' + } + + relativeRepositoryPath = relativeRepositoryPath.replace(/\\/g, '/') + return path.posix.join('/github/workspace', relativeRepositoryPath) +} diff --git a/src/git-source-settings.ts b/src/git-source-settings.ts index 4e41ac3..c7950df 100644 --- a/src/git-source-settings.ts +++ b/src/git-source-settings.ts @@ -1,4 +1,9 @@ export interface IGitSourceSettings { + /** + * The workflow workspace path + */ + githubWorkspacePath?: string + /** * The location on disk where the repository will be placed */ diff --git a/src/input-helper.ts b/src/input-helper.ts index 059232f..d2d21e6 100644 --- a/src/input-helper.ts +++ b/src/input-helper.ts @@ -14,6 +14,7 @@ export async function getInputs(): Promise { throw new Error('GITHUB_WORKSPACE not defined') } githubWorkspacePath = path.resolve(githubWorkspacePath) + result.githubWorkspacePath = githubWorkspacePath core.debug(`GITHUB_WORKSPACE = '${githubWorkspacePath}'`) fsHelper.directoryExistsSync(githubWorkspacePath, true)