You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Git recently pushed a change in response to a cve that causes git commands to fail if the parent directory changes ownership from the current directory. Users of this action may see errors like this:
fatal: unsafe repository ('/github/workspace' is owned by someone else)
Alternatively, you can implement one of the workarounds described in the issues linked above or wait for the GitHub Actions team to apply a fix globally.
Why did this happen
Why: This issue was introduced by a change in an upstream dependency that occurred earlier today where git was updated to a version that causes this error in container actions. This docker action utilizes the upstream alpine/git image. Previously, the :latest tag was used to specify the upstream image for this action. As a result of this, every workflow run would rebuild the action with the latest version of the upstream image. This means that, even those who have specified an older version of this action or even pinned to a commit SHA, users will experience this issue.
How we have fixed this
How this was fixed: To correct this issue, we have pinned our upstream images to a specific SHA256 hash to ensure that our upstream dependencies remain stable across workflow runs. This will also help prevent similar issues from occurring in the future. Moving forward, all future releases will remain stable in this manner.
What we have done to improve.
What we've improved: in addition to pinning our upstream dependencies, we've also added added minor-version only tags to the repository, so you may also specify @v0.6, @v0.5, etc in your workflows to receive patch fixes like this automatically. Once this project reaches its 1.0 release, we will maintain the tags in a similar manner at least for major versions.
How to get help
If you are using one of the above patched versions and are still experiencing issues, please review the issues linked at the top of this post. If you are still having issues after reviewing those issues, please make a detailed comment on this thread explaining the unexpected behavior.
Final notes/thoughts
To the best of our knowledge, this action is not directly vulnerable to the attack described in the CVE. However, we encourage all users to read about the cve and how it relates to your usage of git and take any steps necessary to address this issue in your own local environments.
You may also notice the README now suggests using actions/checkout@v3 -- this change is not strictly required -- the previous suggestion for using actions/checkout@v1 still works as well.
Finally, I would like give thanks to @osoderholm who reported this issue to us earlier today and helped contribute the solution to fix this issue and update our documentation, which is included in the latest release (v0.6.0) and master.
The text was updated successfully, but these errors were encountered:
What happened
Git recently pushed a change in response to a cve that causes git commands to fail if the parent directory changes ownership from the current directory. Users of this action may see errors like this:
For additional information, see actions/checkout#766 and actions/checkout#760 and the above linked blog post.
Earlier today, the upstream image used by this action was updated, introducing the problem that affects container-based actions such as
mirror-action
.What you need to do to fix this
While the GitHub Actions team is working on a global fix you can, in the meantime, work around this issue by updating this action to one of the latest versions.
The following versions of this Action contain a fix for this issue:
v0.1.2
,v0.2.3
,v0.3.1
,v0.4.4
,v0.5.1
andv0.6.0
.To apply this fix in your workflow, update your workflow yaml file to use one of the versions above. For example:
Alternatively, you can implement one of the workarounds described in the issues linked above or wait for the GitHub Actions team to apply a fix globally.
Why did this happen
Why: This issue was introduced by a change in an upstream dependency that occurred earlier today where git was updated to a version that causes this error in container actions. This docker action utilizes the upstream
alpine/git
image. Previously, the:latest
tag was used to specify the upstream image for this action. As a result of this, every workflow run would rebuild the action with the latest version of the upstream image. This means that, even those who have specified an older version of this action or even pinned to a commit SHA, users will experience this issue.How we have fixed this
How this was fixed: To correct this issue, we have pinned our upstream images to a specific SHA256 hash to ensure that our upstream dependencies remain stable across workflow runs. This will also help prevent similar issues from occurring in the future. Moving forward, all future releases will remain stable in this manner.
What we have done to improve.
What we've improved: in addition to pinning our upstream dependencies, we've also added added minor-version only tags to the repository, so you may also specify
@v0.6
,@v0.5
, etc in your workflows to receive patch fixes like this automatically. Once this project reaches its 1.0 release, we will maintain the tags in a similar manner at least for major versions.How to get help
If you are using one of the above patched versions and are still experiencing issues, please review the issues linked at the top of this post. If you are still having issues after reviewing those issues, please make a detailed comment on this thread explaining the unexpected behavior.
Final notes/thoughts
To the best of our knowledge, this action is not directly vulnerable to the attack described in the CVE. However, we encourage all users to read about the cve and how it relates to your usage of
git
and take any steps necessary to address this issue in your own local environments.You may also notice the README now suggests using
actions/checkout@v3
-- this change is not strictly required -- the previous suggestion for usingactions/checkout@v1
still works as well.Finally, I would like give thanks to @osoderholm who reported this issue to us earlier today and helped contribute the solution to fix this issue and update our documentation, which is included in the latest release (
v0.6.0
) andmaster
.The text was updated successfully, but these errors were encountered: