From a7747e8670cb9bc92a28f3a20d07708c171a1b09 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Petr=20=C5=A0tetiar?= Date: Wed, 17 May 2023 22:08:12 +0200 Subject: [PATCH] ci: fix check kernel patches job MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Currently the check fails due to the following error: warning: Not a git repository. Use --no-index to compare two paths outside a working tree usage: git diff --no-index [] Thats likely caused by commit 1cb8cdbf0723 ("ci: use new buildbot worker images with Debian 11") which contains a patched Git version with CVE security fixes introduced in DLA-3239-2: Multiple issues were found in Git, a distributed revision control system. An attacker may cause other local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell. Note: Due to new security checks, access to repositories owned and accessed by different local users may now be rejected by Git; in case changing ownership is not practical, git displays a way to bypass these checks using the new "safe.directory" configuration entry. So lets opt-out of this new behavior by setting `safe.directory=*` and thus force Git to consider all Git repositories as safe regardless of their owner, since we need to trust those sources anyway and it should be likely more robust solution, then fiddling with filesystem permissions. Fixes: 1cb8cdbf0723 ("ci: use new buildbot worker images with Debian 11") References: https://www.debian.org/lts/security/2022/dla-3239-2 Signed-off-by: Petr Å tetiar --- .github/workflows/check-kernel-patches.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/check-kernel-patches.yml b/.github/workflows/check-kernel-patches.yml index bed70dbd19..4ad35e6250 100644 --- a/.github/workflows/check-kernel-patches.yml +++ b/.github/workflows/check-kernel-patches.yml @@ -85,6 +85,10 @@ jobs: run: | chown -R buildbot:buildbot openwrt + - name: Opt-out from Git stricter repository ownership checks + run: | + git config --global --add safe.directory '*' + - name: Initialization environment run: | TARGET=$(echo ${{ inputs.target }} | cut -d "/" -f 1) -- 2.30.2