GitHub Action incapable of pushing due to "unsafe repository" error

Question

I have a private GitHub repository that has a GitHub Action that pushes files which are created at the Action's runtime to the repository. Since yesterday (2022-04-12), the Action fails at the following step:

    - name: Push data to repo
      uses: github-actions-x/commit@v2.8
      with:
        push-branch: 'main'
        commit-message: 'Add current data'
        force-add: 'true'
        files: *.zip
        name: autoupdate

Running this step triggers the following error message:

Command line: | /usr/bin/git checkout -B main
Stderr:       | fatal: unsafe repository ('/github/workspace' is owned by someone else)
              | To add an exception for this directory, call:
              | 
              |     git config --global --add safe.directory /github/workspace

Based on the error message I added the following to my GitHub Action:

    - name: Fix issue with repository ownership
      run: |
        git config --global --add safe.directory /home/runner/work/vksm/vksm
        git config --global --add safe.directory /github/workspace

I have also added /home/runner/work/vksm/vksm as I was not sure if /github/workspace in the error message is meant as a generic path or not. /home/runner/work/vksm/vksm is where the checkout step puts the repository when the Action runs: /usr/bin/git init /home/runner/work/vksm/vksm

The whole sequence of steps is as follows:

 steps:
    - name: Checkout the repository
      uses: actions/checkout@v2

    - name: Fix issue with repository ownership
      run: |
        git config --global --add safe.directory /home/runner/work/vksm/vksm
        git config --global --add safe.directory /github/workspace

    - name: Set up Python 3.9
      uses: actions/setup-python@v2
      ...

    - name: Install dependencies
      run: |
        pip install requests
        
    - name: Run Python script
      run: |
        python script.py

    - name: Push data to repo
      uses: github-actions-x/commit@v2.8
      ...

However, the error still occurs.

This questions is possibly related to Cannot add parent directory to safe.directory on git.

Ruslan Novikov · Answer 1 · 2022-04-16T19:58:21.137

6

Windows 10

In my case "Unsafe repository is owned by someone else" resolved by command in mention folder

Use takeown from the command prompt to take ownership a folder, all its subfolders and files recursively.

takeown.exe /f . /r

This works well, but if you don't run your command line console as administrator it may fail for files you don't own.

edited Apr 16 '22 at 19:58

answered Apr 13 '22 at 12:41

Ruslan Novikov

1,320
15
21

Works like a charm in Windows 11. In my case, admin privileges weren't necessary. – Fernando Santos May 09 '22 at 03:56

score 3 · Accepted Answer · answered Apr 13 '22 at 16:06

3

This is happening because of a security vulnerability. The error is thrown inside the docker container before you can execute the git config commands to fix the unsafe repository problem. You need to modify the entrypoint of the docker container to execute the git command. You can check this link for details about the vulnerability.

A temporary workaround until git/action owners make a change could be to fork/clone the action that uses docker and modify it with something like this.

#!/bin/bash

set -o pipefail

# config
# ...

# Fix the unsafe repo error which was introduced by the CVE-2022-24765 git patches
git config --global --add safe.directory /github/workspace
#...

You can take a look at the comments in this issue for some ideas about a workaround.

answered Apr 13 '22 at 16:06

dgokcin

66
4

1

I keep seeing this, but have multiple instances where docker is not even in the mix. – Hal Burgiss Apr 15 '22 at 15:48
While this can happen without Docker in the mix, it can obviously happen inside a container as well. But wouldn't it be better to have the user in the docker container take ownership of the local repository instead of tagging the directory as safe? Is there any use case where this might not be approriate? – nvidot May 22 '22 at 21:12
Updating the push action did it for me. – Fuhrmanator Jun 30 '22 at 15:27

score 1 · Answer 3 · answered Apr 17 '22 at 12:12

1

I added the whole path to the current project:

git config --global --add safe.directory '/home/user/AndroidStudioProjects/MyRepoNameInc'

Then performed the push

git commit -m "first commit"

answered Apr 17 '22 at 12:12

Jose Antonio

840
14
25

score 0 · Answer 4 · answered Apr 18 '22 at 10:16

I had this issue with GitLab runner. spent hours doing everything. At last, it started to work after updating .gtlab-ci.yml .

Folder permissions were as below

/var/www/html/project - www-data:www-data

/var/www/html/projcect/.git - gitlab-runner:www-data

Updated script as below.

script:
    - git config --global --add safe.directory /var/www/html/phase-3/public-ui

GitHub Action incapable of pushing due to "unsafe repository" error

4 Answers4