I have a private GitHub repository that has a GitHub Action that pushes files which are created at the Action's runtime to the repository. Since yesterday (2022-04-12), the Action fails at the following step:
- name: Push data to repo
uses: github-actions-x/[email protected]
with:
push-branch: 'main'
commit-message: 'Add current data'
force-add: 'true'
files: *.zip
name: autoupdate
Running this step triggers the following error message:
Command line: | /usr/bin/git checkout -B main
Stderr: | fatal: unsafe repository ('/github/workspace' is owned by someone else)
| To add an exception for this directory, call:
|
| git config --global --add safe.directory /github/workspace
Based on the error message I added the following to my GitHub Action:
- name: Fix issue with repository ownership
run: |
git config --global --add safe.directory /home/runner/work/vksm/vksm
git config --global --add safe.directory /github/workspace
I have also added /home/runner/work/vksm/vksm
as I was not sure if /github/workspace
in the error message is meant as a generic path or not. /home/runner/work/vksm/vksm
is where the checkout step puts the repository when the Action runs: /usr/bin/git init /home/runner/work/vksm/vksm
The whole sequence of steps is as follows:
steps:
- name: Checkout the repository
uses: actions/checkout@v2
- name: Fix issue with repository ownership
run: |
git config --global --add safe.directory /home/runner/work/vksm/vksm
git config --global --add safe.directory /github/workspace
- name: Set up Python 3.9
uses: actions/setup-python@v2
...
- name: Install dependencies
run: |
pip install requests
- name: Run Python script
run: |
python script.py
- name: Push data to repo
uses: github-actions-x/[email protected]
...
However, the error still occurs.
This questions is possibly related to Cannot add parent directory to safe.directory on git.
This is happening because of a security vulnerability. The error is thrown inside the docker container before you can execute the git config commands to fix the unsafe repository problem. You need to modify the entrypoint of the docker container to execute the git command. You can check this link for details about the vulnerability.
A temporary workaround until git/action owners make a change could be to fork/clone the action that uses docker and modify it with something like this.
#!/bin/bash
set -o pipefail
# config
# ...
# Fix the unsafe repo error which was introduced by the CVE-2022-24765 git patches
git config --global --add safe.directory /github/workspace
#...
You can take a look at the comments in this issue for some ideas about a workaround.