diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a781b290f..d09b8a53a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -73,8 +73,9 @@ jobs: restore-keys: | ${{runner.os}}-go- - name: Test code + # for file.allow thing see https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html run: | - PARALLEL_TOTAL=${{ matrix.parallelism }} PARALLEL_INDEX=${{ matrix.index }} go test pkg/integration/deprecated/*.go + git config --global protocol.file.allow always && PARALLEL_TOTAL=${{ matrix.parallelism }} PARALLEL_INDEX=${{ matrix.index }} go test pkg/integration/deprecated/*.go integration-tests: runs-on: ubuntu-latest name: "Integration Tests" diff --git a/pkg/integration/components/runner.go b/pkg/integration/components/runner.go index d25f3795c..11b34db11 100644 --- a/pkg/integration/components/runner.go +++ b/pkg/integration/components/runner.go @@ -144,6 +144,7 @@ func createFixture(test *IntegrationTest, paths Paths) error { shell.RunCommand(`git config user.email "CI@example.com"`) shell.RunCommand(`git config user.name "CI"`) shell.RunCommand(`git config commit.gpgSign false`) + shell.RunCommand(`git config protocol.file.allow always`) test.SetupRepo(shell) diff --git a/test/integration/submoduleAdd/setup.sh b/test/integration/submoduleAdd/setup.sh index 47c92bd27..35a139f79 100644 --- a/test/integration/submoduleAdd/setup.sh +++ b/test/integration/submoduleAdd/setup.sh @@ -11,6 +11,11 @@ git init git config user.email "CI@example.com" git config user.name "CI" +# see https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html +# NOTE: I don't think this actually works if it's only applied to the repo. +# On CI we set the global setting, but given it's a security concern I don't want +# people to do that for their locals. +git config protocol.file.allow always echo test1 > myfile1 git add . diff --git a/test/integration/submoduleEnter/setup.sh b/test/integration/submoduleEnter/setup.sh index 307593a71..a38c6045b 100644 --- a/test/integration/submoduleEnter/setup.sh +++ b/test/integration/submoduleEnter/setup.sh @@ -26,5 +26,5 @@ cd .. git clone --bare ./repo other_repo cd repo -git submodule add ../other_repo +git -c protocol.file.allow=always submodule add ../other_repo git commit -am "add submodule" diff --git a/test/integration/submoduleRemove/setup.sh b/test/integration/submoduleRemove/setup.sh index 2525abf31..cd5b3ce64 100644 --- a/test/integration/submoduleRemove/setup.sh +++ b/test/integration/submoduleRemove/setup.sh @@ -23,5 +23,5 @@ cd .. git clone --bare ./repo other_repo cd repo -git submodule add ../other_repo +git -c protocol.file.allow=always submodule add ../other_repo git commit -am "add submodule" diff --git a/test/integration/submoduleReset/setup.sh b/test/integration/submoduleReset/setup.sh index 2525abf31..cd5b3ce64 100644 --- a/test/integration/submoduleReset/setup.sh +++ b/test/integration/submoduleReset/setup.sh @@ -23,5 +23,5 @@ cd .. git clone --bare ./repo other_repo cd repo -git submodule add ../other_repo +git -c protocol.file.allow=always submodule add ../other_repo git commit -am "add submodule"