Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

“Detected dubious ownership” issue when using php-actions/composer@v6 #120

Open
victorwads opened this issue Nov 5, 2024 · 5 comments
Open

“Detected dubious ownership” issue when using php-actions/composer@v6 #120

victorwads opened this issue Nov 5, 2024 · 5 comments

Comments

@victorwads
Copy link

I am experiencing an issue when using the php-actions/composer action with the following configuration in a GitHub Actions pipeline:

- name: Cache Composer dependencies
  uses: actions/cache@v4
  with:
    path: '/tmp/composer-cache'
    key: "${{ runner.os }}-${{ hashFiles('**/composer.lock') }}"

- name: Install Composer
  uses: php-actions/composer@v6
  with:
    php_version: 8.1
    ssh_key: '${{ secrets.SSH_KEY }}'
    ssh_key_pub: '${{ secrets.SSH_KEY_PUB }}'

The issue occurs during the Install Composer step, showing the following error message:

fatal: detected dubious ownership in repository at '/tmp/composer-cache/vcs/git-github.heygears.com-<specific-repository>.git'
To add an exception for this directory, call:

    git config --global --add safe.directory /tmp/composer-cache/vcs/git-github.heygears.com-<specific-repository>.git

Details:

  • The issue is caused by Git version 2.35.2, which introduced this “safe directory” feature to improve security.
  • Manually adding the directories as safe.directory temporarily solved the issue, but this is not scalable.
  • Using git config --global --add safe.directory '*' was considered, but it poses a potential security risk.
  • Changing ownership with chown did not work to resolve the ownership problem.

Question:

Is there a recommended way to handle this “dubious ownership” issue more efficiently, or could an enhancement be made to the php-actions/composer action to manage this scenario?
@mikemanger
Copy link

I think this is related to composer/composer#12158 so it might be an upstream issue.

I'm still testing but I think we got around this by using https/zips for the repository vcs urls.

@g105b
Copy link
Member

g105b commented Nov 18, 2024

Let's keep this issue open for a while until the upstream fix makes its way down. I think your comments are all correct, but maybe we won't need to change anything for the https/zip suggestion if this has been fixed in composer?

@mikemanger
Copy link

No fix yet but some more discussion here composer/composer#12192

Not my wheelhouse but passing the scope/context to the action might be a workaround? At least that seems to be what happens in a lot of actions.

@mikemanger
Copy link

Locking composer to 2.8.1 is probably the easiest workaround I've found.

      - name: Install PHP dependencies
        uses: php-actions/composer@v6
        with:
          # ...
          # Lock composer to working version.
          # See https://github.com/php-actions/composer/issues/120
          version: 2.8.1

@Stubbs
Copy link

Stubbs commented Nov 22, 2024

I also got round this by removing composer caching from my build.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Stubbs @mikemanger @g105b @victorwads