Add CWD to Git's safe.directory with cml ci
#974
Conversation
|
I feel this is a pretty safe fix considering how the tools are used. (talking about the linked rationale for the actions/checkout fix) |
|
Agreed. The only other alternative I can think of would be creating an ephemeral home directory with a copy of the global Git configuration, like in actions/checkout#762. 🙃 |
0x2b3bfa0
force-pushed
the
git-safe-directory
branch
from
a6eda61
to
1bec6b5
Compare
|
Not worth delaying the fix seeking perfection, but it's far from ideal. Mainly because the CML constructor already does many things it shouldn't. |
Should we enumerate them and fix them? |
|
I haven't tried testing this within the GitHub Actions context, but is the expected output from a local test, see: #!/bin/bash
git clone git@github.com:iterative/cml.git
pushd cml
git checkout git-safe-directory
npm install
docker build -t cml-local:latest .
popd
docker run --rm -it -v $PWD/cml:/home/runner cml-local:latest node ./bin/cml.js ci
rm -rf ./cml
|
|
Yes, we can do a factory to solve that error or less formal enforce to call an init method, I never liked the last idea |
|
Or, alternatively, treat |
There was a problem hiding this comment.
thanks @0x2b3bfa0 for addressing this! Looks go to me it that works as a temp fix :) Let's merge (comments are not critical, esp if it's a short term fix).
Mid term:
- do we know what are the security implications of this? What was the angle of a possible attack in the first place, can it be applied in this case with some carefully crafted PR or something?
- do we need tests for this? or do we wait for checkout action to fix it on their end? Put a comment or create a ticket for this?
Co-authored-by: Ivan Shcheklein <shcheklein@gmail.com>
I would wait for GitHub Actions to fix it. Let's track any further feedback on #984. |
Fixes #970 in a rather awkward way. See this upstream pull request for the rationale for not fixing this on
actions/checkoutby writing the global configuration: