Git safe.directory — next steps

[0x2b3bfa0]

This issue is a follow–up of #974 (review) and some of the surrounding comments.

Security

TL;DR CVE-2022-24765 — the vulnerability safe.directory prevents — doesn't quite apply to GitHub Actions workflows. I still have to edit this section and include an extended explanation, but I'm too lazy and have more important things in the backlog.

Tests

We may want to add some tests for this, although our current test suite is not versatile enough to do it cleanly.

Improvements

• Create an ephemeral ~/.gitconfig for every cml run and delete it afterwards, instead of permanently modifying the user's global configuration. See Enforce safe directory actions/checkout#762 for an implementation example.
• Make changes permanent only when running cml ci (similar to what we do now)

Resolution

If your job pushes to git or something after checkout, that will continue to fail. We need to figure out how to address this at an ecosystem level, outside of the checkout action. — actions/checkout#762 (comment)

GitHub acknowledges that git operations other than actions/checkout are still broken. There is still hope of this issue being fixed upstream in the mid term.

References

Issue and fix on iterative/cml

• CML initialization is broken on GH in container mode #970
• Add CWD to Git's safe.directory with cml ci #974

Issue and fix on actions/checkout

• fatal: unsafe repository (REPO is owned by someone else) with ubuntu 20.04 container actions/checkout#760
• Enforce safe directory actions/checkout#762

Git release highlights

• https://github.blog/2022-01-24-highlights-from-git-2-35
• https://github.blog/2022-04-18-highlights-from-git-2-36

Vulnerability

• https://github.blog/2022-04-12-git-security-vulnerability-announced
• https://nvd.nist.gov/vuln/detail/CVE-2022-24765

[0x2b3bfa0]

Existing behavior is good enough, closing as completed