git log is empty

[tushar-deepsource]

Using the following method to checkout:

steps:
- name: Checkout code
  uses: actions/checkout@v2
  with:
    fetch-depth: 50
    ref: ${{ github.event.pull_request.head.sha }}

The git directory (/github/workspace) gets into this state:

• $GITHUB_SHA is not the same as what actions/checkout is showing.
• git log is empty
• git rev-list --all is empty
• $GITHUB_REF is refs/pull/123/merge
• Checking out to a commit fails with the same error as fatal: detected dubious ownership in repository at #1048:

fatal: detected dubious ownership in repository at '/github/workspace'
To add an exception for this directory, call:

	git config --global --add safe.directory /github/workspace

The suggested command doesn't work because that would need higher privilege.

This changed recently, within the past couple days -- git log didn't use to be empty before.

[cory-miller]

Could you try an older release to see if v2.6.0 caused an issue (v2 is just an alias to the latest)?

uses: actions/checkout@v2.5.0

I'm not able to reproduce this so far. If you could add some logs or a workflow example I can take a look.

[tusharsadhwani]

@cory-miller I've narrowed it down to this: when a GitHub action tries to run git commands on the repo cloned via the checkout action, it fails. This seems like the behaviour change in the latest git itself, due to the user cloning the repo being different from the user trying to read it (as actions run in a container).

It seems to be due to #766, and the workaround of adding a step that puts

[safe]
directory = /github/workspace

inside .gitconfig in the folder that will be mounted as /github/home in the action seems to solve the problem.

[oalders]

I'm seeing issues with safe.directory as well. I bumped to @v3 of checkout and I see the following in the logs:

Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /__w/HTTP-Message/HTTP-Message
Deleting the contents of '/__w/HTTP-Message/HTTP-Message'

Later on I get:

fatal: detected dubious ownership in repository at '/__w/HTTP-Message/HTTP-Message'
To add an exception for this directory, call:

	git config --global --add safe.directory /__w/HTTP-Message/HTTP-Message

https://github.com/libwww-perl/HTTP-Message/actions/runs/3825324809/jobs/6508226477

Not sure if the global git config is in the directory that's getting deleted?

As a stopgap, I've got it working right by running git config after the initial checkout step and before any further git commands are run:

      - uses: actions/checkout@v3
      - name: Allow for file ownership conflicts with Docker and GitHub Actions
        run: git config --global --add safe.directory '*'

[jiridanek]

@oalders I'm having the same problem in https://github.com/skupperproject/skupper-router/actions/runs/3951927345/jobs/6766390478, the error message there is not shown, but I debugged it and saw that it says

$ git status
fatal: detected dubious ownership in repository at '/__w/skupper-router/skupper-router'
To add an exception for this directory, call:

	git config --global --add safe.directory /__w/skupper-router/skupper-router

My workaround is doing a chown

      - uses: actions/checkout@v3

      - name: Take ownership of the checkout directory (Git CVE-2022-24765)
        run: chown --recursive --reference=/ .

[oalders]

I should add that for pre-built Docker containers that I'm using in my workflows, I've added

git config --system --add safe.directory '*'

to the Dockerfile. Doing it via --global didn't seem to work when using the checkout action, so I resorted to --system.