fix: Address GitHub workaround for CVE-2022-24765. #83

Merged on Apr 15, 2022 (1 commit)


rht (Contributor) commented Apr 14, 2022

This fixes the problem with the following error message:

```
fatal: unsafe repository ('/github/workspace' is owned by someone else)
To add an exception for this directory, call:

    git config --global --add safe.directory /github/workspace
```

The problem is due to the security fix from the Git security vulnerability
recently announced:
https://github.blog/2022-04-12-git-security-vulnerability-announced/.

Relevant GH issue: actions/checkout#760

SaschaMann commented Apr 14, 2022

I don't think this fixes it on its own. I've run a build with actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 which corresponds to v3.0.1 and it failed anyway: https://github.com/JuliaCommunity/zulip-archive/runs/6031508746?check_suite_focus=true

I suspect it might be related to actions/checkout#766


This is not an argument against merging this PR, it should be updated regardless.

rht (Contributor, Author) commented Apr 14, 2022

I just added the actions/checkout#766 workaround in this PR as well. Currently testing.

rht force-pushed the fix_permission branch 2 times, most recently from 2363d8b to 2957a94 (April 15, 2022 06:36)

rht changed the title from "fix: Update GH Actions checkout to v3." to "fix: Address GitHub workaround for CVE-2022-24765." (Apr 15, 2022)

rht (Contributor, Author) commented Apr 15, 2022

I have confirmed that the fix in this PR is necessary. You can see it running successfully in https://github.com/rht/zulip-archive-sample/actions.

This commit:
- updates GH Actions checkout to v3
- applies the additional workaround stated in actions/checkout#766

This fixes the problem with the following error message:
```
fatal: unsafe repository ('/github/workspace' is owned by someone else)
To add an exception for this directory, call:

    git config --global --add safe.directory /github/workspace
```

The problem is due to the security fix from the Git security vulnerability
recently announced:
https://github.blog/2022-04-12-git-security-vulnerability-announced/.

Relevant GH issue: actions/checkout#760

timabbott merged commit 5da606f into zulip:master Apr 15, 2022

timabbott (Sponsor, Member)

Merged, thanks @rht and @SaschaMann!
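
The error quoted in this thread appears when Git finds that the repository directory is owned by a different user than the one running Git. As an added example (not code from this PR or from the zulip-archive project), the helper below adds the `safe.directory` exception for one exact path, and only when ownership actually differs; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: scope the safe.directory exception to a single path.
# Function names are hypothetical; only `git config` usage comes from the thread.

# Print the numeric owner uid of a path (works with GNU and BSD ls).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Return 0 when the directory is owned by a uid other than $2
# (default: the current user). This approximates the ownership test
# behind the "unsafe repository" error.
owner_mismatch() {
    dir=$1
    uid=${2:-$(id -u)}
    [ "$(owner_uid "$dir")" != "$uid" ]
}

# Return 0 when the exact path is already listed in global safe.directory.
already_trusted() {
    git config --global --get-all safe.directory 2>/dev/null | grep -Fxq -- "$1"
}

# Add the exception only when needed, and only for this exact path.
# Prints "added", "already-trusted" or "not-needed".
trust_workspace() {
    dir=$1
    uid=${2:-$(id -u)}
    if ! owner_mismatch "$dir" "$uid"; then
        echo "not-needed"
    elif already_trusted "$dir"; then
        echo "already-trusted"
    else
        git config --global --add safe.directory "$dir"
        echo "added"
    fi
}

# Entrypoint usage, before the first Git command:
#   trust_workspace /github/workspace
```

Listing the exact workspace path keeps Git's ownership check in force for every other directory in the container.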
