Detected dubious ownership in repository

[marcospassos]

Describe the bug
I started seeing this error today:

Version of codeclimate-action you're using
v3.2.0

Expected behavior
Not error.

Config:

      - uses: paambaati/codeclimate-action@v3.2.0
        env:
          CC_TEST_REPORTER_ID: ${{ secrets.CODECLIMATE_TESTREPORTER_ID }}
        with:
          coverageCommand: sed -i "s~$(pwd)/~~" phpunit-coverage.xml
          coverageLocations: ./phpunit-coverage.xml:clover

[paambaati]

Related – actions/runner-images#6775

This seems to be caused by old (or perhaps mismatched) versions of the runner. There are conflicting reports so it is unclear (for now) what the exact root cause is.

[paambaati]

@marcospassos What OS and runner version is your action using?

[marcospassos]

OS: ubuntu-latest
Runner version: 2.302.1

[marcospassos]

We have, right now, 100+ packages failing due to this. It's only affecting the codeclimate-action action, so I believe it should have something related to it.

[paambaati]

@marcospassos If this is a blocker, I would recommend removing the action temporarily, as I'm not seeing this elsewhere (including personal projects), and I'm not sure how to debug this, especially when I do not have a reproducible system.

[art-c0der]

@paambaati Catch the same issue

[art-c0der]

UPD:
Reran all checks it passed.
Weird.

[paambaati]

I’m fairly confident that this is (was?) an issue on the GitHub side of things (as I’m seeing similar reports on other projects as well), hence the “external” label.

I’ll wait for @marcospassos to confirm before closing this issue.

[marcospassos]

I'm still facing the same issue in 100+ repositories. No other actions were affected, only the codeclimate-action.

[paambaati]

@marcospassos Can you create an SSCCE for me so I can take a closer look?

[apge-jonathan]

We are seeing a similar issue in all of our installs as well, we had to add a step to download the key from the key server prior to kicking off the action

- run: gpg --keyserver hkp://keys.openpgp.org --recv-keys 9BD9E2DD46DA965A537E5B0A5CBF320243B6FD85

[paambaati]

@apge-jonathan Interesting. Would you mind answering a few questions —

1. did that step fix this issue completely?
2. What key is it?
3. Where did you find this key?
4. How did you arrive at this fix?

[paambaati]

@marcospassos Is this still an issue? If yes, can you try adding a new step in your workflow?

steps:
      - uses: actions/checkout@v3
+     - run: git config --system --add safe.directory '*'

I found these workarounds in actions/checkout#1169 and actions/checkout#1048.

[marcospassos]

Yes, we're still facing this. This workaround worked for us:

  steps:
      - name: Change owner of container working directory
        run: chown root:root .

[paambaati]

Closing this, as this issue is not caused by this library.