Cannot run git commands in CI due to dubious ownership in repository

[biltongza]

Describe the bug

I have some code to get the current commit hash and time in my build process. Specifically, I am using SvelteKit and I fetch the commit details in the vite.config.js file.

For a while, this has been silently broken on my site and I have not been able to reproduce the issue locally. After adding some logging to my build process I found that the git commands to fetch these details do not execute successfully because the Azure/static-web-apps-deploy@v1 is getting mounted in the build container (which seems to mess up directory ownership) and the directory is not marked as a safe directory in git.

status: 'rejected',
    reason: Error: Command failed: git describe --tags || git rev-parse --short HEAD
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:
    
    	git config --global --add safe.directory /github/workspace

I think an easy way to fix it would be for the container to run git config --global --add safe.directory /github/workspace before actually running the build.

Github workflow file:

name: Azure Static Web Apps CI/CD

on:
  workflow_dispatch:
  push:
    branches:
      - master
    paths:
      - frontend/**

jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true

      - name: Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ICY_BUSH_07607F803 }}
          repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
          action: "upload"
          ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
          # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
          app_location: "frontend" # App source code path
          api_location: "frontend/build/server" # Api source code path - optional
          output_location: "build/static"
          skip_app_build: false
          ###### End of Repository/Build Configurations ######

To Reproduce
Steps to reproduce the behavior:

1. Create a sveltekit project
2. Add replace the contents of the vite.config.js file with the following:

import { sveltekit } from '@sveltejs/kit/vite';
import { exec } from 'child_process';
import { promisify } from 'util';

// Get current tag/commit and last commit date from git
const pexec = promisify(exec);
const promises = (
  await Promise.allSettled([
    pexec('git describe --tags || git rev-parse --short HEAD'),
    pexec('git log -1 --format=%cd --date=format:"%Y-%m-%d %H:%M"'),
  ])
);
console.log('VITE CONFIG: promises', promises);

const [version, lastmod] = promises.map(v => JSON.stringify(v.value?.stdout.trim()));
console.log(`VITE CONFIG: commit hash`, version);
console.log(`VITE CONFIG: commit time`, lastmod);

/** @type {import('vite').UserConfig} */
const config = {
        plugins: [sveltekit({})],
        server: {
                port: 5000
        },
        define: {
                __VERSION__: version,
                __LASTMOD__: lastmod,
        },
};

export default config;

3. Run the build locally, it succeeds and logs the current commit hash and time
4. Run the build on github actions, it produces the following output:

VITE CONFIG: promises [
  {
    status: 'rejected',
    reason: Error: Command failed: git describe --tags || git rev-parse --short HEAD
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:
    
    	git config --global --add safe.directory /github/workspace
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:
    
    	git config --global --add safe.directory /github/workspace
    
        at ChildProcess.exithandler (node:child_process:419:12)
        at ChildProcess.emit (node:events:514:28)
        at maybeClose (node:internal/child_process:1091:16)
        at Socket.<anonymous> (node:internal/child_process:449:11)
        at Socket.emit (node:events:514:28)
        at Pipe.<anonymous> (node:net:323:12) {
      code: 128,
      killed: false,
      signal: null,
      cmd: 'git describe --tags || git rev-parse --short HEAD',
      stdout: '',
      stderr: "fatal: detected dubious ownership in repository at '/github/workspace'\n" +
        'To add an exception for this directory, call:\n' +
        '\n' +
        '\tgit config --global --add safe.directory /github/workspace\n' +
        "fatal: detected dubious ownership in repository at '/github/workspace'\n" +
        'To add an exception for this directory, call:\n' +
        '\n' +
        '\tgit config --global --add safe.directory /github/workspace\n'
    }
  },
  {
    status: 'rejected',
    reason: Error: Command failed: git log -1 --format=%cd --date=format:"%Y-%m-%d %H:%M"
    fatal: detected dubious ownership in repository at '/github/workspace'
    To add an exception for this directory, call:
    
    	git config --global --add safe.directory /github/workspace
    
        at ChildProcess.exithandler (node:child_process:419:12)
        at ChildProcess.emit (node:events:514:28)
        at maybeClose (node:internal/child_process:1091:16)
        at Socket.<anonymous> (node:internal/child_process:449:11)
        at Socket.emit (node:events:514:28)
        at Pipe.<anonymous> (node:net:323:12) {
      code: 128,
      killed: false,
      signal: null,
      cmd: 'git log -1 --format=%cd --date=format:"%Y-%m-%d %H:%M"',
      stdout: '',
      stderr: "fatal: detected dubious ownership in repository at '/github/workspace'\n" +
        'To add an exception for this directory, call:\n' +
        '\n' +
        '\tgit config --global --add safe.directory /github/workspace\n'
    }
  }
]
VITE CONFIG: commit hash undefined
VITE CONFIG: commit time undefined

My personal repo experiencing this issue: https://github.com/biltongza/ldam.co.za
Affected CI run: https://github.com/biltongza/ldam.co.za/actions/runs/6145310617/job/16672439301

Expected behavior
Git commands run normally.

Additional context
See actions/runner-images#6775 for more details, it appears to be a result of a CVE in git.

[kfiles]

I have run into the same issue. I am deploying the Hugo app cstate (https://github.com/cstate/cstate), which gets the last-modified info from git history for displaying incident history.

As @biltongza says, since the container is mounting the git directory from outside, it really needs to run the git command to trust the directory as the first step in its containerized workflow.

[biltongza]

I forgot I logged this issue, but I also found a workaround. It turns out that you can specify pre build commands via an environment variable. You can add this to your workflow:

env:
    PRE_BUILD_COMMAND: git config --global --add safe.directory /github/workspace

Not sure where the "public" documentation for static web apps on this is, but since it uses Oryx under the hood, this is at least mentioned here: https://github.com/microsoft/Oryx/blob/d37b2225a252ab2c04b4726024d047cf01ea1318/doc/runtimes/nodejs.md?plain=1#L45