Jenkinsfile: add workaround for CVE-2022-24765

git published an advisory Yesterday, which (as a counter-measure) requires the git repository's directory to be owned by the current user, and otherwise produce an error: fatal: unsafe repository ('/workspace' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /workspace The DCO check is run within a container, which is running as `root` (to allow packages to be installed), but because of this, the user does not match the files that are bind-mounted from the host (as they are checked out by Jenkins, using a different user). To work around this issue, this patch configures git to consider the `/workspace` directory as "safe". We configure it in the `--system` configuration so that it takes effect for "all users" inside the container. More details on the advisory can be found on GitHub's blog: https://github.blog/2022-04-12-git-security-vulnerability-announced/ Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit efe03aa2d8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-13 15:58:55 +02:00 · 2022-04-13 15:58:55 +02:00 · a80884126b
parent 086a3fa036
commit a80884126b
1 changed files with 1 additions and 1 deletions
--- a/2
+++ b/2
@ -52,7 +52,7 @@ pipeline {
                  -v "$WORKSPACE:/workspace" \
                  -e VALIDATE_REPO=${GIT_URL} \
                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                  alpine sh -c 'apk add --no-cache -q bash git openssh-client && cd /workspace && hack/validate/dco'
+                  alpine sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
                '''
            }
        }