From a499345400278c33bc51015509ee7304360e5338 Mon Sep 17 00:00:00 2001
From: Florian Warzecha
Date: Mon, 18 Jul 2022 18:07:38 +0200
Subject: [PATCH] fix: git safe repo directory for docker image (#16) * tooling: git safe repo directory for docker image Fixes an issue introduced with a recent git update (https://github.blog/2022-04-12-git-security-vulnerability-announced/) with a common workaround (https://github.com/actions/checkout/pull/762, https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else, https://github.com/actions/checkout/issues/760), by marking the /data directory inside the container as safe for git during the container build. * tooling: point git to directory instead of disabling security features Easier to maintain version of 7c2b552a6e32d6da81ebcaa4f285a0a41fd81b92 that additionally does not fiddle with security sensitive settings. * style(Makefile): docker git env into separate variable * tooling: extract repo location inside container into variable * tooling: replace missing hardcoded /data with variable Co-authored-by: Carsten Gips * tooling(delete-rem-tags): pass git commit info (#19) * tooling(delete-rem-tags): pass git commit info Passes git author information via environment variables into the docker container, in order to ensure commits done by the script have correct author information. * tooling(delete-rem-tags): pass git full commit info Pass not only author information, but committer information too, since git seems to be *sometimes* unhappy with only author information, for whatever reason. * tooling: makefile formatting Co-authored-by: Carsten Gips * tooling: makefile formatting Co-authored-by: Carsten Gips * tooling: makefile formatting Co-authored-by: Carsten Gips Co-authored-by: Carsten Gips
---
 Makefile | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index 52fe0d02..34f862fe 100644
--- a/Makefile
+++ b/Makefile 
@@ -30,17 +30,30 @@
 ## set to the folder of the current .tex file. When called directly, we
 ## need to first change-dir to this folder.
 ifneq ($(DOCKER), false)
-DOCKER_IMAGE = alpine-pandoc-hugo
-DOCKER_COMMAND = docker run --rm -i
-DOCKER_USER = -u "$(shell id -u):$(shell id -g)"
-DOCKER_VOLUME = -v "$(shell pwd):/data" -w "/data"
-DOCKER_TEX_VOLUME = -v "$(dir $(realpath $<)):/data" -w "/data"
-
-PANDOC = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="pandoc" $(DOCKER_IMAGE)
-HUGO = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="hugo" $(DOCKER_IMAGE)
-DOT = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="dot" $(DOCKER_IMAGE)
-LATEX = $(DOCKER_COMMAND) $(DOCKER_TEX_VOLUME) $(DOCKER_USER) --entrypoint="latex" $(DOCKER_IMAGE)
-DELETE_SCRIPT = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="/opt/delete-script.rb" $(DOCKER_IMAGE)
+DOCKER_REPO_MNTPOINT = /data
+DOCKER_IMAGE = alpine-pandoc-hugo
+DOCKER_COMMAND = docker run --rm -i
+DOCKER_USER = -u "$(shell id -u):$(shell id -g)"
+DOCKER_VOLUME = -v "$(shell pwd):$(DOCKER_REPO_MNTPOINT)" -w "$(DOCKER_REPO_MNTPOINT)"
+DOCKER_TEX_VOLUME = -v "$(dir $(realpath $<)):$(DOCKER_REPO_MNTPOINT)" -w "$(DOCKER_REPO_MNTPOINT)"
+# GIT_DIR ensures that git works with the repository
+# no matter the owning user of the directory.
+# see https://github.com/Compilerbau/CB-Lecture-Bachelor/pull/16 for the discussion
+# around this specific workaround and
+# https://github.blog/2022-04-12-git-security-vulnerability-announced/ &
+# https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else
+# for a general overview of the issue.
+DOCKER_GIT_ENV = --env GIT_DIR="$(DOCKER_REPO_MNTPOINT)/.git" \
+ --env GIT_AUTHOR_NAME="$(shell git config user.name)" \
+ --env GIT_AUTHOR_EMAIL="$(shell git config user.email)" \
+ --env GIT_COMMITTER_NAME="$(shell git config user.name)" \
+ --env GIT_COMMITTER_EMAIL="$(shell git config user.email)"
+
+PANDOC = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="pandoc" $(DOCKER_IMAGE)
+HUGO = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="hugo" $(DOCKER_IMAGE)
+DOT = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="dot" $(DOCKER_IMAGE)
+LATEX = $(DOCKER_COMMAND) $(DOCKER_TEX_VOLUME) $(DOCKER_USER) --entrypoint="latex" $(DOCKER_IMAGE)
+DELETE_SCRIPT = $(DOCKER_COMMAND) $(DOCKER_VOLUME) $(DOCKER_USER) --entrypoint="/opt/delete-script.rb" $(DOCKER_GIT_ENV) $(DOCKER_IMAGE)
 else
 PANDOC = pandoc
 HUGO = hugo
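Review bot: The four `$(shell git config user.name)` / `$(shell git config user.email)` calls in the new `DOCKER_GIT_ENV` sit in a recursively-assigned (`=`) variable, so they are re-run on the host at every expansion, and when either setting is unconfigured they silently pass an empty string into the container, which reintroduces the identity problem this commit sets out to fix but with the failure now surfacing inside the container rather than on the host. Capturing the two values once with `:=` (this block is parsed after `DOCKER_REPO_MNTPOINT`, so late binding is not needed here) halves the subprocess count and makes a host-side check possible; because the surrounding `ifneq ($(DOCKER), false)` block is evaluated for every target, the check should live inside the recursive variable so it only fires when `DELETE_SCRIPT` is actually expanded in a recipe, not for a plain `make` of the pandoc/hugo targets. The `--env NAME="$(…)"` quoting also breaks for an identity containing a double quote; the rewrite below does not change that, so it deserves a one-line comment such as `# NOTE: host git identity is shell-quoted with double quotes; names containing '"' are not supported`. The non-docker `else` branch and the target that consumes `DELETE_SCRIPT` are outside this hunk.
```make
# Host git identity is read once at parse time; the $(error) only fires when
# DOCKER_GIT_ENV is expanded, i.e. when a recipe actually uses DELETE_SCRIPT.
GIT_USER_NAME  := $(shell git config user.name)
GIT_USER_EMAIL := $(shell git config user.email)
DOCKER_GIT_ENV = $(if $(and $(strip $(GIT_USER_NAME)),$(strip $(GIT_USER_EMAIL))),,$(error git user.name and user.email must be configured on the host before using DELETE_SCRIPT)) \
    --env GIT_DIR="$(DOCKER_REPO_MNTPOINT)/.git" \
    --env GIT_AUTHOR_NAME="$(GIT_USER_NAME)" \
    --env GIT_AUTHOR_EMAIL="$(GIT_USER_EMAIL)" \
    --env GIT_COMMITTER_NAME="$(GIT_USER_NAME)" \
    --env GIT_COMMITTER_EMAIL="$(GIT_USER_EMAIL)"
# … unchanged: PANDOC / HUGO / DOT / LATEX / DELETE_SCRIPT definitions …
```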