From 0ffe6f9c5599e73776da5b7f113e994bc0a76ede Mon Sep 17 00:00:00 2001 From: Tingluo Huang Date: Wed, 20 Apr 2022 21:37:43 -0400 Subject: [PATCH] Add set-safe-directory input to allow customers to take control. (#770) * Add set-safe-directory input to allow customers to take control. --- .github/workflows/test.yml | 38 ++++++++++++++++++++++++ README.md | 5 ++++ __test__/git-auth-helper.test.ts | 3 +- __test__/input-helper.test.ts | 1 + action.yml | 3 ++ dist/index.js | 51 ++++++++++++++++++++++++-------- src/git-auth-helper.ts | 19 ++---------- src/git-source-provider.ts | 35 ++++++++++++++++++++-- src/git-source-settings.ts | 5 ++++ src/input-helper.ts | 3 ++ src/state-helper.ts | 13 ++++++++ 11 files changed, 144 insertions(+), 32 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2fc85ebac..0e77c5741 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -205,3 +205,41 @@ jobs: path: basic - name: Verify basic run: __test__/verify-basic.sh --archive + + test-git-container: + runs-on: ubuntu-latest + container: bitnami/git:latest + steps: + # Clone this repo + - name: Checkout + uses: actions/checkout@v3 + with: + path: v3 + + # Basic checkout using git + - name: Checkout basic + uses: ./v3 + with: + ref: test-data/v2/basic + - name: Verify basic + run: | + if [ ! -f "./basic-file.txt" ]; then + echo "Expected basic file does not exist" + exit 1 + fi + + # Verify .git folder + if [ ! -d "./.git" ]; then + echo "Expected ./.git folder to exist" + exit 1 + fi + + # Verify auth token + git config --global --add safe.directory "*" + git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main + + # needed to make checkout post cleanup succeed + - name: Fix Checkout v3 + uses: actions/checkout@v3 + with: + path: v3 \ No newline at end of file diff --git a/README.md b/README.md index b185d46b8..7619c06a7 100644 --- a/README.md +++ b/README.md @@ -92,6 +92,11 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl # # Default: false submodules: '' + + # Add repository path as safe.directory for Git global config by running `git + # config --global --add safe.directory ` + # Default: true + set-safe-directory: '' ``` diff --git a/__test__/git-auth-helper.test.ts b/__test__/git-auth-helper.test.ts index 80ccbcb47..a6731c2b4 100644 --- a/__test__/git-auth-helper.test.ts +++ b/__test__/git-auth-helper.test.ts @@ -777,7 +777,8 @@ async function setup(testName: string): Promise { sshKey: sshPath ? 'some ssh private key' : '', sshKnownHosts: '', sshStrict: true, - workflowOrganizationId: 123456 + workflowOrganizationId: 123456, + setSafeDirectory: true } } diff --git a/__test__/input-helper.test.ts b/__test__/input-helper.test.ts index a31b11cfa..1a8e5c96d 100644 --- a/__test__/input-helper.test.ts +++ b/__test__/input-helper.test.ts @@ -85,6 +85,7 @@ describe('input-helper tests', () => { expect(settings.repositoryName).toBe('some-repo') expect(settings.repositoryOwner).toBe('some-owner') expect(settings.repositoryPath).toBe(gitHubWorkspace) + expect(settings.setSafeDirectory).toBe(true) }) it('qualifies ref', async () => { diff --git a/action.yml b/action.yml index 1bf8bea47..96c535ef7 100644 --- a/action.yml +++ b/action.yml @@ -68,6 +68,9 @@ inputs: When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are converted to HTTPS. default: false + set-safe-directory: + description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory ` + default: true runs: using: node16 main: dist/index.js diff --git a/dist/index.js b/dist/index.js index c86f0509a..c7bc6957b 100644 --- a/dist/index.js +++ b/dist/index.js @@ -3592,7 +3592,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.setSshKnownHostsPath = exports.setSshKeyPath = exports.setRepositoryPath = exports.SshKnownHostsPath = exports.SshKeyPath = exports.RepositoryPath = exports.IsPost = void 0; +exports.setSafeDirectory = exports.setSshKnownHostsPath = exports.setSshKeyPath = exports.setRepositoryPath = exports.SshKnownHostsPath = exports.SshKeyPath = exports.PostSetSafeDirectory = exports.RepositoryPath = exports.IsPost = void 0; const coreCommand = __importStar(__webpack_require__(431)); /** * Indicates whether the POST action is running @@ -3602,6 +3602,10 @@ exports.IsPost = !!process.env['STATE_isPost']; * The repository path for the POST action. The value is empty during the MAIN action. */ exports.RepositoryPath = process.env['STATE_repositoryPath'] || ''; +/** + * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action. + */ +exports.PostSetSafeDirectory = process.env['STATE_setSafeDirectory'] === 'true'; /** * The SSH key path for the POST action. The value is empty during the MAIN action. */ @@ -3631,6 +3635,13 @@ function setSshKnownHostsPath(sshKnownHostsPath) { coreCommand.issueCommand('save-state', { name: 'sshKnownHostsPath' }, sshKnownHostsPath); } exports.setSshKnownHostsPath = setSshKnownHostsPath; +/** + * Save the sef-safe-directory input so the POST action can retrieve the value. + */ +function setSafeDirectory() { + coreCommand.issueCommand('save-state', { name: 'setSafeDirectory' }, 'true'); +} +exports.setSafeDirectory = setSafeDirectory; // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic. // This is necessary since we don't have a separate entry point. if (!exports.IsPost) { @@ -6572,7 +6583,7 @@ class GitAuthHelper { yield this.configureToken(); }); } - configureTempGlobalConfig(repositoryPath) { + configureTempGlobalConfig() { var _a, _b; return __awaiter(this, void 0, void 0, function* () { // Already setup global config @@ -6608,14 +6619,6 @@ class GitAuthHelper { // Override HOME core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`); this.git.setEnvironmentVariable('HOME', this.temporaryHomePath); - // Setup the workspace as a safe directory, so if we pass this into a container job with a different user it doesn't fail - // Otherwise all git commands we run in a container fail - core.info(`Adding working directory to the temporary git global config as a safe directory`); - yield this.git - .config('safe.directory', repositoryPath !== null && repositoryPath !== void 0 ? repositoryPath : this.settings.repositoryPath, true, true) - .catch(error => { - core.info(`Failed to initialize safe directory with error: ${error}`); - }); return newGitConfigPath; }); } @@ -7352,7 +7355,18 @@ function getSource(settings) { try { if (git) { authHelper = gitAuthHelper.createAuthHelper(git, settings); - yield authHelper.configureTempGlobalConfig(); + if (settings.setSafeDirectory) { + // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail + // Otherwise all git commands we run in a container fail + yield authHelper.configureTempGlobalConfig(); + core.info(`Adding repository directory to the temporary git global config as a safe directory`); + yield git + .config('safe.directory', settings.repositoryPath, true, true) + .catch(error => { + core.info(`Failed to initialize safe directory with error: ${error}`); + }); + stateHelper.setSafeDirectory(); + } } // Prepare existing directory, otherwise recreate if (isExisting) { @@ -7500,7 +7514,17 @@ function cleanup(repositoryPath) { // Remove auth const authHelper = gitAuthHelper.createAuthHelper(git); try { - yield authHelper.configureTempGlobalConfig(repositoryPath); + if (stateHelper.PostSetSafeDirectory) { + // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail + // Otherwise all git commands we run in a container fail + yield authHelper.configureTempGlobalConfig(); + core.info(`Adding repository directory to the temporary git global config as a safe directory`); + yield git + .config('safe.directory', repositoryPath, true, true) + .catch(error => { + core.info(`Failed to initialize safe directory with error: ${error}`); + }); + } yield authHelper.removeAuth(); } finally { @@ -17303,6 +17327,9 @@ function getInputs() { (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'; // Workflow organization ID result.workflowOrganizationId = yield workflowContextHelper.getOrganizationId(); + // Set safe.directory in git global config. + result.setSafeDirectory = + (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'; return result; }); } diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index 385142a61..8a1c7c379 100644 --- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -19,7 +19,7 @@ export interface IGitAuthHelper { configureAuth(): Promise configureGlobalAuth(): Promise configureSubmoduleAuth(): Promise - configureTempGlobalConfig(repositoryPath?: string): Promise + configureTempGlobalConfig(): Promise removeAuth(): Promise removeGlobalConfig(): Promise } @@ -81,7 +81,7 @@ class GitAuthHelper { await this.configureToken() } - async configureTempGlobalConfig(repositoryPath?: string): Promise { + async configureTempGlobalConfig(): Promise { // Already setup global config if (this.temporaryHomePath?.length > 0) { return path.join(this.temporaryHomePath, '.gitconfig') @@ -121,21 +121,6 @@ class GitAuthHelper { ) this.git.setEnvironmentVariable('HOME', this.temporaryHomePath) - // Setup the workspace as a safe directory, so if we pass this into a container job with a different user it doesn't fail - // Otherwise all git commands we run in a container fail - core.info( - `Adding working directory to the temporary git global config as a safe directory` - ) - await this.git - .config( - 'safe.directory', - repositoryPath ?? this.settings.repositoryPath, - true, - true - ) - .catch(error => { - core.info(`Failed to initialize safe directory with error: ${error}`) - }) return newGitConfigPath } diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts index 09132296b..545a7a3bd 100644 --- a/src/git-source-provider.ts +++ b/src/git-source-provider.ts @@ -40,7 +40,24 @@ export async function getSource(settings: IGitSourceSettings): Promise { try { if (git) { authHelper = gitAuthHelper.createAuthHelper(git, settings) - await authHelper.configureTempGlobalConfig() + if (settings.setSafeDirectory) { + // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail + // Otherwise all git commands we run in a container fail + await authHelper.configureTempGlobalConfig() + core.info( + `Adding repository directory to the temporary git global config as a safe directory` + ) + + await git + .config('safe.directory', settings.repositoryPath, true, true) + .catch(error => { + core.info( + `Failed to initialize safe directory with error: ${error}` + ) + }) + + stateHelper.setSafeDirectory() + } } // Prepare existing directory, otherwise recreate @@ -249,7 +266,21 @@ export async function cleanup(repositoryPath: string): Promise { // Remove auth const authHelper = gitAuthHelper.createAuthHelper(git) try { - await authHelper.configureTempGlobalConfig(repositoryPath) + if (stateHelper.PostSetSafeDirectory) { + // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail + // Otherwise all git commands we run in a container fail + await authHelper.configureTempGlobalConfig() + core.info( + `Adding repository directory to the temporary git global config as a safe directory` + ) + + await git + .config('safe.directory', repositoryPath, true, true) + .catch(error => { + core.info(`Failed to initialize safe directory with error: ${error}`) + }) + } + await authHelper.removeAuth() } finally { await authHelper.removeGlobalConfig() diff --git a/src/git-source-settings.ts b/src/git-source-settings.ts index 19f46513d..6fa3960fd 100644 --- a/src/git-source-settings.ts +++ b/src/git-source-settings.ts @@ -78,4 +78,9 @@ export interface IGitSourceSettings { * Organization ID for the currently running workflow (used for auth settings) */ workflowOrganizationId: number | undefined + + /** + * Indicates whether to add repositoryPath as safe.directory in git global config + */ + setSafeDirectory: boolean } diff --git a/src/input-helper.ts b/src/input-helper.ts index 40e6de44e..8c2f90157 100644 --- a/src/input-helper.ts +++ b/src/input-helper.ts @@ -122,5 +122,8 @@ export async function getInputs(): Promise { // Workflow organization ID result.workflowOrganizationId = await workflowContextHelper.getOrganizationId() + // Set safe.directory in git global config. + result.setSafeDirectory = + (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE' return result } diff --git a/src/state-helper.ts b/src/state-helper.ts index 3c657b1dd..2db79f9d4 100644 --- a/src/state-helper.ts +++ b/src/state-helper.ts @@ -11,6 +11,12 @@ export const IsPost = !!process.env['STATE_isPost'] export const RepositoryPath = (process.env['STATE_repositoryPath'] as string) || '' +/** + * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action. + */ +export const PostSetSafeDirectory = + (process.env['STATE_setSafeDirectory'] as string) === 'true' + /** * The SSH key path for the POST action. The value is empty during the MAIN action. */ @@ -51,6 +57,13 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) { ) } +/** + * Save the sef-safe-directory input so the POST action can retrieve the value. + */ +export function setSafeDirectory() { + coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true') +} + // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic. // This is necessary since we don't have a separate entry point. if (!IsPost) {