authorMassimiliano Culpo <massimiliano.culpo@gmail.com>2022-04-13 13:10:00 +0200
committerMassimiliano Culpo <massimiliano.culpo@gmail.com>2022-04-14 11:08:17 +0200
commit5e0eb1f887e481a97cdf169fe9615ec3dea65d68 (patch)
tree65e7ab5c7d9128880796f67f285dd85c9ceb5b8a
parent7cd7b38cb8aa46f57064206ae1f070bfc1db04fd (diff)
CI: avoid issues with Ubuntu patched git by adding safe.directory (#30042)
Ubuntu patched git v2.25.1 with a security fix that also introduced a breaking change, so v2.25.1 behaves like v2.35.2 with respect to the use cases in CVE-2022-24765
-rw-r--r--.github/workflows/bootstrap.yml32
1 files changed, 28 insertions, 4 deletions
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
index 5b3e237b0c..b5fee5f5aa 100644
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
@@ -59,6 +59,14 @@ jobs:
bzip2 curl file g++ gcc gfortran git gnupg2 gzip \
make patch unzip xz-utils python3 python3-dev tree \
cmake bison
+ - name: Work around CVE-2022-24765
+ run: |
+ # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces
+ # a breaking behavior. See:
+ # - https://github.blog/2022-04-12-git-security-vulnerability-announced/
+ # - https://github.com/actions/checkout/issues/760
+ # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog
+ git config --global --add safe.directory /__w/spack/spack
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2
- name: Setup repo and non-root user
run: |
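Review bot: The `safe.directory` entry in the added step hard-codes `/__w/spack/spack`, which only matches when the repository is checked out under the name `spack`; a fork or renamed repository would presumably hit git's ownership check again. Using the runner-provided variable, `git config --global --add safe.directory "$GITHUB_WORKSPACE"`, keeps the exemption limited to one directory without baking in the name, though it is worth confirming that it resolves to the container path in these jobs. The same line appears in the hunks at -171 and -200. Also, `--global` writes to the config of the user running this step, so if the following "Setup repo and non-root user" step (its body continues outside the hunk) runs git as another user, that user may not inherit the exemption. A one-line comment saying that the entry turns off the ownership check for this path only, and should not be widened to `*`, would help later maintainers.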
@@ -171,7 +179,15 @@ jobs:
apt-get install -y \
bzip2 curl file g++ gcc patchelf gfortran git gzip \
make patch unzip xz-utils python3 python3-dev tree
- - uses: actions/checkout@v2
+ - name: Work around CVE-2022-24765
+ run: |
+ # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces
+ # a breaking behavior. See:
+ # - https://github.blog/2022-04-12-git-security-vulnerability-announced/
+ # - https://github.com/actions/checkout/issues/760
+ # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog
+ git config --global --add safe.directory /__w/spack/spack
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- name: Setup repo and non-root user
run: |
git --version
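Review bot: The checkout action pinned on the new side of this hunk has no version comment, while the already-pinned line in the first job carries `# @v2`; without it a reader cannot tell which release the SHA corresponds to when auditing or bumping the pin. I would write `- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2` here and on the same line in the three later hunks (-200, -225, -241). The exact tag this SHA maps to is not shown on the page, so confirm it before adding the comment.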
@@ -200,7 +216,15 @@ jobs:
bzip2 curl file g++ gcc patchelf gfortran git gzip \
make patch unzip xz-utils python3 python3-dev tree \
gawk
- - uses: actions/checkout@v2
+ - name: Work around CVE-2022-24765
+ run: |
+ # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces
+ # a breaking behavior. See:
+ # - https://github.blog/2022-04-12-git-security-vulnerability-announced/
+ # - https://github.com/actions/checkout/issues/760
+ # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog
+ git config --global --add safe.directory /__w/spack/spack
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- name: Setup repo and non-root user
run: |
git --version
@@ -225,7 +249,7 @@ jobs:
brew install tree
# Remove GnuPG since we want to bootstrap it
sudo rm -rf /usr/local/bin/gpg
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- name: Bootstrap GnuPG
run: |
source share/spack/setup-env.sh
@@ -241,7 +265,7 @@ jobs:
brew install gawk tree
# Remove GnuPG since we want to bootstrap it
sudo rm -rf /usr/local/bin/gpg
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- name: Bootstrap GnuPG
run: |
source share/spack/setup-env.sh