git config safe.directory inside docker containers

[EdJoPaTo]

Describe the bug

Recent versions of git require the .git folder to be owned by the same user. (as described here).

The actions/checkout action sets this for the cloned repo (/usr/bin/git config --global --add safe.directory …). Also see actions/checkout#766

Running a container (via uses: docker://…) however switches the user context and all git commands will fail with an error:

fatal: detected dubious ownership in repository at '/github/workspace'
To add an exception for this directory, call:

	git config --global --add safe.directory /github/workspace

Inspecting the docker run command the HOME variable is set and the home inside the container seems to be /github/home which is mapped to /home/runner/work/_temp/_github_home.
Creating the .gitconfig in this location before running the container resolves this problem:

- name: Fix git safe.directory in container
  run: mkdir -p /home/runner/work/_temp/_github_home && printf "[safe]\n\tdirectory = /github/workspace" > /home/runner/work/_temp/_github_home/.gitconfig

As these paths (HOME and PWD inside the container) are not stable and can be changed any time, the git config … logic should be done by the runner executing the docker command as its the only part in the process knowing these paths.

I do not think this is related to the images as the uses: docker:// logic is handled by the runner itself?

To Reproduce
Steps to reproduce the behavior:

Create this minimal workflow and let it run

on:
  push:

jobs:
  fails:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: docker://docker.io/library/alpine:3.14
        with:
          entrypoint: /bin/ash
          args: -c "apk add git && git status"

(See above for the error message of the git command)

Expected behavior

The container should have a .gitconfig to run git commands normally like it is possible without container.
Stuff like the .git folder is mounted to the container too so a user can expect git to work fine.

Runner Version and Platform

Version of your runner? Hosted Runners on GitHub

[nikola-jokic]

Hi @EdJoPaTo,

Thank you for reporting this so clearly! I have applied appropriate labels and added this issue to the backlog ☺️

[mefistotelis]

Got the same issue, though in different scenario. My workaround was to just change owner of the directory after checkout:

jobs:
  ubuntu-gcc:
    runs-on: ubuntu-20.04
    name: "Linux Ubuntu"
    container:
      image: ubuntu:20.04
    env:
      DEBIAN_FRONTEND: noninteractive
      TZ: Etc/UTC
    steps:
      - name: Install GIT
        run: |
          # install GIT, as without it checkout would use REST API
          apt update
          apt install -y \
            git

      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Set ownership
        run: |
          # this is to fix GIT not liking owner of the checkout dir
          chown -R $(id -u):$(id -g) $PWD

[DanRStevens]

I've also encountered this issue when running my Docker images on GitHub Actions, and have been able to reproduce while running my container locally.

This seems to be more generally a problem with running a Docker container as the root user, while having data mounted for a regular user account. When testing locally, I can start my Docker container by adding the flag --user="$(id --user):$(id --group)" to the docker run command, and the error won't be shown. As an added bonus, any output generated by the build in the Docker container and written to the mounted folder will end up having correct ownership on the host system once I've exited the Docker container.

[blafasel42]

When using a github runner, the problem does not occur. I am using a container to run the action in. The same container and workflow config works with github runner but not with a self-hosted runner. Can anyone explain this? There is no .gitconfig in the container in both cases...