(WIP) Workaround for git upstream change ref 8959555ce (v0.03)

See https://github.blog/2022-04-12-git-security-vulnerability-announced/ we're running as: uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal) See actions/checkout#47 Change-Id: Ib7ad629180ea26ca3a8a04160aded62af5bb9108
sipwise · Apr 15, 2022 · d933b0f · d933b0f
1 parent a7f0d41
commit d933b0f
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 1 deletion.
diff --git a/.github/actions/debpkg-sid/entrypoint.sh b/.github/actions/debpkg-sid/entrypoint.sh
@@ -6,6 +6,23 @@ echo "*** Starting execution of '$0' ***"
 echo "** Installing build dependencies **"
 apt-get -y build-dep .
 
+echo "Debug: file listing (before)"
+find . -ls
+
+if [[ $(pwd) == /github/workspace ]] ; then
+  echo "Adjusting permissions of /github/workspace"
+  chown -R root:root /github/workspace
+
+  echo "Marking safe.directory"
+  git config --global --add safe.directory '*'
+
+  cat ~/.gitconfig || true
+fi
+
+echo "Debug: file listing (after)"
+find . -ls
+
+
 echo "** Building Debian package **"
 dpkg-buildpackage
 

diff --git a/.github/workflows/debpkg.yml b/.github/workflows/debpkg.yml
@@ -38,6 +38,12 @@ jobs:
     - name: Checkout source
       uses: actions/checkout@v2
 
+    - name: User information
+      run: id
+
+    - name: File listing
+      run: find . -ls
+
     - name: Execute Docker debpkg action
       uses: ./.github/actions/debpkg-sid
 

diff --git a/Makefile b/Makefile
@@ -61,5 +61,6 @@ perlcheck:
 
 test:
 	mkdir -p $(RESULTS)
+	id || true
 	cd t ; py.test-3 --junit-xml=$(RESULTS)/pytest.xml -vv -l
 # EOF
diff --git a/t/fixtures/programs.py b/t/fixtures/programs.py
@@ -1,5 +1,6 @@
 import pytest
 from os import getuid
+import os
 from pathlib import Path
 import subprocess
 import sys
@@ -147,18 +148,36 @@ def process_pool(env, cfg, git):
         src = cfg.get("ngcpcfg", key_base)
         copy_tree(src, src, dst_pool)
         cfg.set("ngcpcfg", key_base, str(dst_pool))
+
+        print("debugging: running as user {}".format(getuid()))
+        print("debugging: directory listing: {}".format(os.system("ls -la")))
+        print("debugging: git info: {}".format(git))
+        print("debugging: setting global safe.directory: {}".format(os.system("git config --global --add safe.directory '*'")))
+        print("debugging: setting ngcpctl_dir safe.directory: {}".format(os.system("git config --global --add safe.directory '%s'" % ngcpctl_dir)))
+        print("debugging: setting user.email: {}".format(os.system("git config --global user.email 'testrunner@example.com'")))
+        print("debugging: setting user.name: {}".format(os.system("git config --global user.name 'Github Action Runner'")))
+        print("debugging: gitconfig info: {}".format(os.system("cat $HOME/.gitconfig")))
+
+        if os.getuid() == 0 and os.getenv("GITHUB_RUN_ID"):
+            print("hello github :-/")
+            os.chown(ngcpctl_dir, 0, 0)
+            print("debugging: directory listing afterwards: {}".format(os.system("ls -la")))
+
         ex, out, err = git.add("templates")
         assert ex == 0
         # print("{}\nstdout:\n{}stderr:{}\n".format("git add", out, err))
         env[key_base] = cfg.get("ngcpcfg", key_base)
         # for now we only support TEMPLATE_POOL_BASE
         env["SERVICES_POOL_BASE"] = env[key_base]
         cfg.set("ngcpcfg", "SERVICES_POOL_BASE", str(dst_pool))
+
         # each CONFIG_TOOL dir has to be a git repository
         for dir in cfg.get("ngcpcfg", "CONFIG_POOL").split(' '):
             dir_path = Path(outdir).joinpath(dir[1:])
             print("create empty git repository at {}".format(dir_path))
             gitrepo.extract_archive(str(EMPTY_GIT), dir_path)
+            print("debugging: directory listing: {}".format(os.system("ls -la")))
+            # print("debugging: setting safe.directory: {}".format(os.system("git config --global --add safe.directory '%s'" % dir_path)))
 
     def process_conf(env, cfg, git):
         base = Path(cfg.get("ngcpcfg", "NGCPCTL_MAIN"))
@@ -201,6 +220,7 @@ def prepare_conf(env={}):
         with gitrepo.in_folder(ngcpctl_dir) as git:
             git.config("user.email", "fake@pytest.fake")
             git.config("user.name", "pytest")
+            git.config("--global --add safe.directory", "*")
             process_conf(testenv, config, git)
             # generate NGCPCFG with config values
             testenv["NGCPCFG"] = gen_cfg(config, ngcpctl_dir)
@@ -296,4 +316,4 @@ def run(helper, *args, env={}):
         )
         return result
 
-    return run
+    return run
diff --git a/t/test_git.py b/t/test_git.py
@@ -12,6 +12,8 @@ def test_add_file_to_default_repo(cli, gitrepo):
         # configure git user
         git.config("--local", "user.email", "me@example.com")
         git.config("--local", "user.name", "pytest robot")
+        # FIXME?
+        git.config("--global", "--add", "safe.directory", git.root)
         print("Using git {}".format(git.version))
 
         # git status
@@ -39,6 +41,9 @@ def test_add_file_to_default_repo(cli, gitrepo):
 def test_status_output(cli, gitrepo):
     # we mock an existing repository by loading it from the default archive
     with gitrepo.from_archive(gitrepo.default) as git:
+        # FIXME?
+        git.config("--global", "--add", "safe.directory", git.root)
+
         # now we work with "existing" repository with path given in git.root
         with gitrepo.in_folder(git.root) as git:
             ex, out, err = git.status()