Add set-safe-directory input to allow customers to take control. (#770)

* Add set-safe-directory input to allow customers to take control.
2025-10-31 14:21:50 +08:00 · 2022-04-20 21:37:43 -04:00
parent dcd71f6466
commit 0ffe6f9c55
11 changed files with 144 additions and 32 deletions
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -19,7 +19,7 @@ export interface IGitAuthHelper {
  configureAuth(): Promise<void>
  configureGlobalAuth(): Promise<void>
  configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(repositoryPath?: string): Promise<string>
+  configureTempGlobalConfig(): Promise<string>
  removeAuth(): Promise<void>
  removeGlobalConfig(): Promise<void>
 }
@ -81,7 +81,7 @@ class GitAuthHelper {
    await this.configureToken()
  }

-  async configureTempGlobalConfig(repositoryPath?: string): Promise<string> {
+  async configureTempGlobalConfig(): Promise<string> {
    // Already setup global config
    if (this.temporaryHomePath?.length > 0) {
      return path.join(this.temporaryHomePath, '.gitconfig')
@ -121,21 +121,6 @@ class GitAuthHelper {
    )
    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)

-    // Setup the workspace as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-    // Otherwise all git commands we run in a container fail
-    core.info(
-      `Adding working directory to the temporary git global config as a safe directory`
-    )
-    await this.git
-      .config(
-        'safe.directory',
-        repositoryPath ?? this.settings.repositoryPath,
-        true,
-        true
-      )
-      .catch(error => {
-        core.info(`Failed to initialize safe directory with error: ${error}`)
-      })
    return newGitConfigPath
  }

--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -40,7 +40,24 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
  try {
    if (git) {
      authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      await authHelper.configureTempGlobalConfig()
+      if (settings.setSafeDirectory) {
+        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+        // Otherwise all git commands we run in a container fail
+        await authHelper.configureTempGlobalConfig()
+        core.info(
+          `Adding repository directory to the temporary git global config as a safe directory`
+        )
+
+        await git
+          .config('safe.directory', settings.repositoryPath, true, true)
+          .catch(error => {
+            core.info(
+              `Failed to initialize safe directory with error: ${error}`
+            )
+          })
+
+        stateHelper.setSafeDirectory()
+      }
    }

    // Prepare existing directory, otherwise recreate
@ -249,7 +266,21 @@ export async function cleanup(repositoryPath: string): Promise<void> {
  // Remove auth
  const authHelper = gitAuthHelper.createAuthHelper(git)
  try {
-    await authHelper.configureTempGlobalConfig(repositoryPath)
+    if (stateHelper.PostSetSafeDirectory) {
+      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+      // Otherwise all git commands we run in a container fail
+      await authHelper.configureTempGlobalConfig()
+      core.info(
+        `Adding repository directory to the temporary git global config as a safe directory`
+      )
+
+      await git
+        .config('safe.directory', repositoryPath, true, true)
+        .catch(error => {
+          core.info(`Failed to initialize safe directory with error: ${error}`)
+        })
+    }
+
    await authHelper.removeAuth()
  } finally {
    await authHelper.removeGlobalConfig()
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@ -78,4 +78,9 @@ export interface IGitSourceSettings {
   * Organization ID for the currently running workflow (used for auth settings)
   */
  workflowOrganizationId: number | undefined
+
+  /**
+   * Indicates whether to add repositoryPath as safe.directory in git global config
+   */
+  setSafeDirectory: boolean
 }
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@ -122,5 +122,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  // Workflow organization ID
  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()

+  // Set safe.directory in git global config.
+  result.setSafeDirectory =
+    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
  return result
 }
--- a/src/state-helper.ts
+++ b/src/state-helper.ts
@ -11,6 +11,12 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
  (process.env['STATE_repositoryPath'] as string) || ''

+/**
+ * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
+ */
+export const PostSetSafeDirectory =
+  (process.env['STATE_setSafeDirectory'] as string) === 'true'
+
 /**
 * The SSH key path for the POST action. The value is empty during the MAIN action.
 */
@ -51,6 +57,13 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) {
  )
 }

+/**
+ * Save the sef-safe-directory input so the POST action can retrieve the value.
+ */
+export function setSafeDirectory() {
+  coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true')
+}
+
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {