From 491dc071875372041885c79b25d18afcd8cc732a Mon Sep 17 00:00:00 2001
From: Jan Nanista
Date: Tue, 2 Apr 2024 10:26:11 -0700
Subject: [PATCH] fix: Fix permission issues in containerized workflows
---
 .../workflows/actions/setup-environment/action.yaml | 10 ++++++++++
 .github/workflows/reusable-publish.yaml | 9 +++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/actions/setup-environment/action.yaml b/.github/workflows/actions/setup-environment/action.yaml
index 87999b9ec..490b3c50e 100644
--- a/.github/workflows/actions/setup-environment/action.yaml
+++ b/.github/workflows/actions/setup-environment/action.yaml
@@ -3,6 +3,16 @@ description: Setup node & package manager, checkout code
 runs:
 using: "composite"
 steps:
+ # Workaround for dubious ownership problem inside a containerized workflow
+ #
+ # See https://github.com/actions/runner-images/issues/6775
+ #
+ # A possible solution to investigate is to use the 1001 user
+ # https://github.com/actions/runner/issues/2033#issuecomment-1598547465
+ - name: Mark workspace directory as safe
+ shell: bash
+ run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
+
 - uses: pnpm/action-setup@v2
 name: Install pnpm
 with:
diff --git a/.github/workflows/reusable-publish.yaml b/.github/workflows/reusable-publish.yaml
index db59bb80c..c14aa1d7f 100644
--- a/.github/workflows/reusable-publish.yaml
+++ b/.github/workflows/reusable-publish.yaml
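Review bot: The `run:` line of the added "Mark workspace directory as safe" step expands `${GITHUB_WORKSPACE}` unquoted, so bash would split a workspace path containing whitespace or glob characters and register the wrong value. Write it as `run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"`. The comment above the step should also say that `safe.directory` turns off git's repository-ownership check for that path, and that the entry is deliberately limited to the one workspace directory rather than `*`. The `steps:` list continues outside the hunk.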
@@ -72,7 +72,12 @@ jobs:
 # in HOME folder and if it doesn't find one there it will create one
 #
 # Since we want to make sure it uses our .npmrc we'll just point it
- # to our workspace root (which, in our container, is the /app directory)
- HOME: /app
+ # to our workspace root (which, in a workflow that uses a container, is put under __w directory)
+ #
+ # Here we need to use the ${GITHUB_WORKSPACE} environment variable instead
+ # of the context value ${{ github.workspace }}
+ #
+ # See more here https://github.com/actions/runner/issues/2058
+ HOME: ${GITHUB_WORKSPACE}
 GITHUB_TOKEN: ${{ secrets.LAYERZERO_BOT_GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLISHER }}
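Review bot: `HOME: ${GITHUB_WORKSPACE}` sits in what looks like an `env:` mapping, and as far as I know the runner does not shell-expand `env:` values, so HOME may end up as the literal string `${GITHUB_WORKSPACE}` instead of the container path. Confirm with `echo "$HOME"` in the step; if it is literal, set it inside the script instead, e.g. `export HOME="${GITHUB_WORKSPACE}"` as the first line of the step's `run:`. Separately, pointing HOME at the checkout means user-level config such as `.npmrc` and `.gitconfig` is read from repository-controlled files in a job that holds `NPM_TOKEN` and `GITHUB_TOKEN`. The comment should state that this is intended and that only trusted refs reach this workflow. The mapping and its step begin outside the hunk.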