From f98b2edae58b1bd34f2ffa0ec214b091fc962ad4 Mon Sep 17 00:00:00 2001
From: Jesse Duffield
Date: Sat, 12 Nov 2022 10:18:02 +1100
Subject: [PATCH] fix broken CI (see https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html) try this WIP
---
 .github/workflows/ci.yml | 3 ++-
 pkg/integration/components/runner.go | 1 +
 test/integration/submoduleAdd/setup.sh | 5 +++++
 test/integration/submoduleEnter/setup.sh | 2 +-
 test/integration/submoduleRemove/setup.sh | 2 +-
 test/integration/submoduleReset/setup.sh | 2 +-
 6 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a781b290f..d09b8a53a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -73,8 +73,9 @@ jobs:
 restore-keys: |
 ${{runner.os}}-go-
 - name: Test code
+ # for file.allow thing see https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html
 run: |
- PARALLEL_TOTAL=${{ matrix.parallelism }} PARALLEL_INDEX=${{ matrix.index }} go test pkg/integration/deprecated/*.go
+ git config --global protocol.file.allow always && PARALLEL_TOTAL=${{ matrix.parallelism }} PARALLEL_INDEX=${{ matrix.index }} go test pkg/integration/deprecated/*.go
 integration-tests:
 runs-on: ubuntu-latest
 name: "Integration Tests"
diff --git a/pkg/integration/components/runner.go b/pkg/integration/components/runner.go
index d25f3795c..11b34db11 100644
--- a/pkg/integration/components/runner.go
+++ b/pkg/integration/components/runner.go
@@ -144,6 +144,7 @@ func createFixture(test *IntegrationTest, paths Paths) error {
 shell.RunCommand(`git config user.email "CI@example.com"`)
 shell.RunCommand(`git config user.name "CI"`)
 shell.RunCommand(`git config commit.gpgSign false`)
+ shell.RunCommand(`git config protocol.file.allow always`)
 test.SetupRepo(shell)
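Review bot: `git config --global protocol.file.allow always` in the `Test code` step of .github/workflows/ci.yml rewrites the runner's global git config, so the relaxation outlives the command and covers every later git call in the job rather than only the test fixtures. On an ephemeral hosted runner that stays within the job, but on a self-hosted or reused runner it would persist between runs. Scoping the override to the step's environment leaves git's default in place everywhere else; the sketch below uses git's `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_<n>` / `GIT_CONFIG_VALUE_<n>` variables and assumes the test harness passes its environment on to the git processes it spawns. The added comment ("for file.allow thing") should also say what is being allowed and why.

```yaml
      - name: Test code
        # git refuses file transport for submodule operations by default since the
        # CVE-2022-39253 fix; the fixtures clone local bare repos, so allow it for this step only.
        env:
          GIT_CONFIG_COUNT: 1
          GIT_CONFIG_KEY_0: protocol.file.allow
          GIT_CONFIG_VALUE_0: always
        run: |
          # … unchanged: the original go test invocation, without the git config prefix …
```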
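Review bot: The added `git config protocol.file.allow always` in createFixture (pkg/integration/components/runner.go) is applied to every integration test fixture, although only tests that clone a local repository as a submodule appear to need it, and it has no comment saying why a git security default is being relaxed. The note this same commit adds in test/integration/submoduleAdd/setup.sh doubts that a repo-level setting has any effect, so it is worth confirming that this line does something before keeping it. If it is needed, a comment such as `// allow file transport for local submodule fixtures; off by default since the CVE-2022-39253 fix` would document it, and setting it from the submodule tests' own SetupRepo would keep the remaining fixtures on git's default. createFixture starts and ends outside this hunk.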
diff --git a/test/integration/submoduleAdd/setup.sh b/test/integration/submoduleAdd/setup.sh
index 47c92bd27..35a139f79 100644
--- a/test/integration/submoduleAdd/setup.sh
+++ b/test/integration/submoduleAdd/setup.sh
@@ -11,6 +11,11 @@ git init
 git config user.email "CI@example.com"
 git config user.name "CI"
+# see https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html
+# NOTE: I don't think this actually works if it's only applied to the repo.
+# On CI we set the global setting, but given it's a security concern I don't want
+# people to do that for their locals.
+git config protocol.file.allow always
 echo test1 > myfile1
 git add .
diff --git a/test/integration/submoduleEnter/setup.sh b/test/integration/submoduleEnter/setup.sh
index 307593a71..a38c6045b 100644
--- a/test/integration/submoduleEnter/setup.sh
+++ b/test/integration/submoduleEnter/setup.sh
@@ -26,5 +26,5 @@ cd ..
 git clone --bare ./repo other_repo
 cd repo
-git submodule add ../other_repo
+git -c protocol.file.allow=always submodule add ../other_repo
 git commit -am "add submodule"
diff --git a/test/integration/submoduleRemove/setup.sh b/test/integration/submoduleRemove/setup.sh
index 2525abf31..cd5b3ce64 100644
--- a/test/integration/submoduleRemove/setup.sh
+++ b/test/integration/submoduleRemove/setup.sh
@@ -23,5 +23,5 @@ cd ..
 git clone --bare ./repo other_repo
 cd repo
-git submodule add ../other_repo
+git -c protocol.file.allow=always submodule add ../other_repo
 git commit -am "add submodule"
diff --git a/test/integration/submoduleReset/setup.sh b/test/integration/submoduleReset/setup.sh
index 2525abf31..cd5b3ce64 100644
--- a/test/integration/submoduleReset/setup.sh
+++ b/test/integration/submoduleReset/setup.sh
@@ -23,5 +23,5 @@ cd ..
 git clone --bare ./repo other_repo
 cd repo
-git submodule add ../other_repo
+git -c protocol.file.allow=always submodule add ../other_repo
 git commit -am "add submodule"
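Review bot: The added `git config protocol.file.allow always` in test/integration/submoduleAdd/setup.sh is committed together with a NOTE saying the author does not think a repo-level setting works, so a reader cannot tell whether the line is load-bearing. Unlike the other three setup scripts, no `git submodule add` is visible in this hunk; presumably the submodule is added later by the program under test, in which case a per-command `-c` is not available and the override has to reach that process another way, for example through the environment the test runner starts it with. Once that is verified, replace the NOTE with a definite statement such as `# allow cloning the local fixture repo as a submodule (file transport is off by default since the CVE-2022-39253 fix)`, or drop the line if it has no effect.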
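Review bot: The `-c protocol.file.allow=always` added to `git submodule add ../other_repo` in test/integration/submoduleEnter/setup.sh has no comment, so the reason for overriding a git security default can only be found in the commit message; the identical hunks in submoduleRemove/setup.sh and submoduleReset/setup.sh have the same gap. I would add `# file transport is off by default since the CVE-2022-39253 fix; allow it for this one clone of the local fixture repo` above each of the three lines. Scoping the override to the single command, as done here, is the form worth keeping, since nothing is written to repo or global config.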