fix: fix adding safe-directory in container

.github/workflows/test.yml

@@ -314,7 +314,6 @@ jobs:
           fi
 
           # Verify auth token
-          git config --global --add safe.directory "*"
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed

__test__/verify-worktree.sh

@@ -15,9 +15,6 @@ fi
 
 cd "$CHECKOUT_PATH"
 
-# Add safe directory for container environments
-git config --global --add safe.directory "*" 2>/dev/null || true
-
 # Show the includeIf configuration
 echo "Git config includeIf entries:"
 git config --list --show-origin | grep -i include || true

src/git-source-provider.ts

@@ -44,20 +44,14 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     if (git) {
       authHelper = gitAuthHelper.createAuthHelper(git, settings)
       if (settings.setSafeDirectory) {
-        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-        // Otherwise all git commands we run in a container fail
-        await authHelper.configureTempGlobalConfig()
-        core.info(
-          `Adding repository directory to the temporary git global config as a safe directory`
+        await addSafeDirectory(settings.repositoryPath, git, authHelper)
+        const containerPath = getContainerRepositoryPath(
+          settings.repositoryPath,
+          settings.githubWorkspacePath
         )
-
-        await git
-          .config('safe.directory', settings.repositoryPath, true, true)
-          .catch(error => {
-            core.info(
-              `Failed to initialize safe directory with error: ${error}`
-            )
-          })
+        if (containerPath && containerPath !== settings.repositoryPath) {
+          await addSafeDirectory(containerPath, git, authHelper)
+        }
 
         stateHelper.setSafeDirectory()
       }
@@ -333,18 +327,7 @@ export async function cleanup(repositoryPath: string): Promise<void> {
   const authHelper = gitAuthHelper.createAuthHelper(git)
   try {
     if (stateHelper.PostSetSafeDirectory) {
-      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-      // Otherwise all git commands we run in a container fail
-      await authHelper.configureTempGlobalConfig()
-      core.info(
-        `Adding repository directory to the temporary git global config as a safe directory`
-      )
-
-      await git
-        .config('safe.directory', repositoryPath, true, true)
-        .catch(error => {
-          core.info(`Failed to initialize safe directory with error: ${error}`)
-        })
+      await addSafeDirectory(repositoryPath, git, authHelper)
     }
 
     await authHelper.removeAuth()
@@ -373,3 +356,39 @@ async function getGitCommandManager(
     return undefined
   }
 }
+
+async function addSafeDirectory(
+  safeDirectory: string,
+  git: IGitCommandManager,
+  authHelper: gitAuthHelper.IGitAuthHelper
+): Promise<void> {
+  await authHelper.configureTempGlobalConfig()
+  core.info(`Adding '${safeDirectory}' to the git global config as a safe directory`)
+  await git.config('safe.directory', safeDirectory, true, true).catch(error => {
+    core.info(`Failed to initialize safe directory with error: ${error}`)
+  })
+}
+
+function getContainerRepositoryPath(
+  repositoryPath: string,
+  githubWorkspace?: string
+): string {
+  if (!githubWorkspace) {
+    return ''
+  }
+
+  let relativeRepositoryPath = path.relative(githubWorkspace, repositoryPath)
+  if (!relativeRepositoryPath || relativeRepositoryPath === '.') {
+    return '/github/workspace'
+  }
+
+  if (
+    relativeRepositoryPath.startsWith('..') ||
+    path.isAbsolute(relativeRepositoryPath)
+  ) {
+    return ''
+  }
+
+  relativeRepositoryPath = relativeRepositoryPath.replace(/\\/g, '/')
+  return path.posix.join('/github/workspace', relativeRepositoryPath)
+}

src/git-source-settings.ts

@@ -1,4 +1,9 @@
 export interface IGitSourceSettings {
+  /**
+   * The workflow workspace path
+   */
+  githubWorkspacePath?: string
+
   /**
    * The location on disk where the repository will be placed
    */

src/input-helper.ts

@@ -14,6 +14,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
     throw new Error('GITHUB_WORKSPACE not defined')
   }
   githubWorkspacePath = path.resolve(githubWorkspacePath)
+  result.githubWorkspacePath = githubWorkspacePath
   core.debug(`GITHUB_WORKSPACE = '${githubWorkspacePath}'`)
   fsHelper.directoryExistsSync(githubWorkspacePath, true)