From 38454004218bb7f92a7e15f401d89f174f338c67 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Wed, 2 Aug 2023 12:13:44 +0200
Subject: [PATCH] .copr: Replace chown call with standard workflow safe.directory setting
As a user this isn't necessary, and potentially dangerous when running this as root. This is a workaround which is specific to running containers in GitHub workflows, so configure git there.
---
 .copr/make-srpm.sh | 4 ----
 .github/workflows/build.yml | 2 ++
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/.copr/make-srpm.sh b/.copr/make-srpm.sh
index 7aff3d4ef2..ed4a42e112 100755
--- a/.copr/make-srpm.sh
+++ b/.copr/make-srpm.sh
@@ -14,10 +14,6 @@ EXPANDER_URL=https://github.com/fedora-selinux/macro-expander
 rpm -q rpm-build git-core
-# Ensure that the git directory is owned by us to appease Git's
-# anti-CVE-2022-24765 measures.
-chown $(id -u):$(id -g) "$rootdir"
-
 base_head_id="$(git -C "$rootdir" rev-parse HEAD)"
 base_short_head_id="${base_head_id:0:7}"
 base_date="$(TZ=UTC git show -s --format=%cd --date=format-local:%F_%T HEAD | tr -d :-)"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 83fb294fdb..5b75a22a0b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - run: dnf install --nogpgcheck -y make git-core rpm-build 'dnf-command(builddep)'
 - uses: actions/checkout@v2
+ # https://github.blog/2022-04-12-git-security-vulnerability-announced/
+ - run: git config --global --add safe.directory /__w/
 - run: make -C .copr srpm outdir="$PWD"
 - name: Store the SRPM as an artifact
 uses: actions/upload-artifact@v2
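Review bot: The new `git config --global --add safe.directory /__w/` step in build.yml may not cover the checkout at all: Git compares a safe.directory entry against the repository path as a whole, and as far as I know only `*` (plus a trailing `/*` in recent Git releases) is treated as a wildcard, so a bare parent directory can leave `make -C .copr srpm` failing the ownership check now that the `chown` is gone. Naming the workspace itself is both exact and narrower than trusting everything under the mount: `- run: git config --global --add safe.directory "$GITHUB_WORKSPACE"`. The comment would also age better if it stated the reason next to the link, e.g. `# Git's CVE-2022-24765 ownership check rejects the checkout in container jobs`. The job header and container settings sit outside the hunk, so the checkout path is inferred from the `/__w/` prefix.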