fatal: detected dubious ownership in repository at #6775
Comments
Hi @AllanOricil we will take a look, thanks. |
@igorboskovic3 I've set all my workflows to run on |
Hi @AllanOricil, unfortunately you cannot set an old build version, just the current one. |
@igorboskovic3 |
Hello @AllanOricil, we have noticed that the "checkoutv3" action uses a git version that is already installed, whether in the container or on the runner. Below you can find our simple workflow, which ran successfully.
From this small experiment, you can see that the container and the runner have different versions of git. Please pay close attention to your rights in the container and the git version installed in your container as well. It seems like the issue does not directly relate to a runner, so we will close the issue for now. Feel free to reach us if you have any questions. |
@Alexey-Ayupov @igorboskovic3 I did not change anything in any of my workflows since yesterday and this issue started. There is something wrong somewhere and I can't figure out what it is... |
@Alexey-Ayupov @igorboskovic3 could this action be the reason? I run it after running git checkout. I need it, because inside my workflow I create commits and tags. |
I ran this workflow, and again I had the same problem ...
jobs:
  validate-changes:
    name: Validate Metadata Changes
    environment: dev
    runs-on: ubuntu-20.04
    container:
      image: ghcr.io/vodafoneis/salesforce-build-image:main
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Print Git Version
        run: |
          git --version
          touch a.txt
          git add .
          git commit -m "test"
|
@igorboskovic3 @Alexey-Ayupov tell me it is not a bug somewhere... |
It is something on my image. I don't know what it is yet, but I just used an image from 7 days ago, and it is working again. I will check all my dependencies and then come back here to tell you what I found. |
Hi @AllanOricil . Thank you for not giving up on searching for root cause. It would be great if you provide your findings. |
These are the only diffs between my images. IMAGE 1 => is the one which I have no issues So, since there aren't any other changes, I have no clue what is causing the problem. Would you like to have access to both images? That may help you to find the real issue. |
@AllanOricil |
@benzsuankularb @Alexey-Ayupov @igorboskovic3 In the image below, every commit represents a new container image build. I used the image from
Why did I choose that one? I just picked up the image from the week where all my workflows were not facing that issue. I just don't know why changing the image fixed my problem, as the only changes between both images are these
To prove I did not change anything else on my workflows, but the container images only, here are some images in which you can see the only changes I did on the workflow were the container refs
This is my docker file:
FROM node:14
RUN apt-get update -y \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends gnupg apt-utils apt-transport-https curl git openssh-client ca-certificates jq bc gettext xmlstarlet bash python3 libxml2 libxml2-utils \
&& rm -rf /var/lib/apt/lists/*
# add an apt repository of chrome
# google-chrome.list will be overwritten by installing google-chrome-stable
RUN curl -fsSL https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
RUN echo "deb http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null
# install several packages for CI
RUN apt-get update -y \
&& apt-get install -y --no-install-recommends wget gnupg google-chrome-stable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst fonts-freefont-ttf libxss1 gh \
&& rm -rf /var/lib/apt/lists/*
ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/google-chrome
COPY setup_npm_global_config.sh /
COPY global_node_dependencies_installer.sh /
COPY package.json /
RUN chmod +x /setup_npm_global_config.sh
RUN chmod +x /global_node_dependencies_installer.sh
RUN /setup_npm_global_config.sh
RUN /global_node_dependencies_installer.sh
RUN sfdx plugins:link /usr/local/lib/node_modules/sfdx-git-delta
ENV SFDX_AUTOUPDATE_DISABLE=false
ENV SFDX_JSON_TO_STDOUT=true
ENV SFDX_USE_GENERIC_UNIX_KEYCHAIN=true
ENV SFDX_DOMAIN_RETRY=true
ENV SFDX_PROJECT_AUTOUPDATE_DISABLE_FOR_PACKAGE_CREATE=true
ENV SFDX_PROJECT_AUTOUPDATE_DISABLE_FOR_PACKAGE_VERSION_CREATE=true
ENV SFDX_DISABLE_DNS_CHECK=true
ENV SHELL /bin/bash
COPY scripts/ scripts/
RUN echo 'y'
RUN sfdx --version
RUN sf --version
RUN sfdx plugins --core
RUN vlocity -v
RUN sfdx sgd:source:delta -h
RUN gh --version |
I am having the same issue and haven't done any changes. I can see that this issue has been closed with no solution |
this is fixed by using |
this isn't a fix for all scenarios |
@igorboskovic3 @Alexey-Ayupov could you please reopen this and investigate more. Another random guy reported this in Reddit. |
@igorboskovic3 @Alexey-Ayupov I believe the issue comes from this Debian upgrade Do you have any ideas how I can set this in the dockerfile? |
This post also thinks this Debian upgrade is the cause of the problem |
@Alexey-Ayupov @igorboskovic3 I HAVE FINALLY SORTED THIS ISSUE. I built an image which does not upgrade git packages to For those that are not using docker images in your workflows, you are probably facing the same issue because the official runners might have upgraded their git package with this security patch. And because you can't change the official runners, your only option is to create a docker image or your own runner, and then ensure the installed git version does not include this security patch mentioned here https://phabricator.wikimedia.org/T325128. In my case, I just had to do the following:
FROM node:14
RUN apt-mark hold git
RUN apt-mark hold git-man |
Thanks @AllanOricil ! |
@Nicoowr this does not work when using containers. I tried it already |
The release action now fails with: actions/runner-images#6775, and needs a workaround to fix the issue. Co-authored-by: Yusuke Tsutsumi <yusuke@tsutsumi.io>
Based on this comment: actions/runner-images#6775 (comment)
Reopen this, lol, @Alexey-Ayupov. |
FFR: actions/runner#2033 (comment) Just use the users option to solve the issue. |
In new git versions git actions will fail if there is a mismatch between files and root dir permissions: actions/runner-images#6775 This is a workaround that will set the workdir as a safedir to ignore permissions mismatches
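A diagnostic step for the ownership mismatch described above, added here as an example and not taken from the thread or from actions/checkout: it reports whether the workspace owner matches the uid running git and whether the path is listed under safe.directory in the global or system config. The function names are hypothetical, and the check is an approximation (exact path or `*` only), not git's own implementation.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the issue thread). Function names are hypothetical.
# It approximates the inputs to git's "dubious ownership" decision for a directory:
#   1. does the directory's owner uid match the uid running git?
#   2. if not, is the directory (or '*') listed under safe.directory in the
#      global or system config? (git ignores safe.directory set in the
#      repository's own config)

# owner_uid DIR: numeric uid that owns DIR (GNU stat first, BSD stat as fallback)
owner_uid() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# is_listed_safe DIR: succeeds when DIR, compared as an exact resolved path,
# or the wildcard '*' appears in a safe.directory entry
is_listed_safe() {
  dir=$(cd "$1" && pwd -P) || return 2
  {
    git config --global --get-all safe.directory
    git config --system --get-all safe.directory
  } 2>/dev/null | grep -Fxq -e '*' -e "$dir"
}

# ownership_verdict DIR [UID]: prints owner-match, listed-safe or dubious.
# UID defaults to the current user; passing it answers "what would a
# container process running as uid N see for this directory?"
ownership_verdict() {
  uid=${2:-$(id -u)}
  if [ "$(owner_uid "$1")" = "$uid" ]; then
    echo owner-match
  elif is_listed_safe "$1"; then
    echo listed-safe
  else
    echo dubious
  fi
}

# Report for the workspace (GITHUB_WORKSPACE is set by the runner; falls back to cwd)
ws=${GITHUB_WORKSPACE:-$PWD}
echo "uid=$(id -u) HOME=$HOME owner=$(owner_uid "$ws") $(git --version 2>/dev/null)"
echo "verdict for $ws: $(ownership_verdict "$ws")"
```

Run it as a `run:` step right after checkout inside the container job. `HOME` is printed because `git config --global` reads and writes the config file under it, so a step with a different `HOME` sees a different safe.directory list.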
fatal: detected dubious ownership in repository at actions/runner-images#6775
Description
I started seeing this error yesterday
It does not make sense, because the checkout action is already running the suggested git command to set the repo as safe
What could the issue be in this case?
Platforms affected
Runner images affected
Image version and build link
Is it regression?
yes. Version: 20221125.1 https://github.com/VodafoneIS/sf-metadata/actions/runs/3601296318/jobs/6066928420
Expected behavior
Since actions/checkout@v3 already runs /usr/bin/git config --global --add safe.directory /__w/sf-metadata/sf-metadata, I was not expecting to have issues with safe directories.
Actual behavior
Repro steps