mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Jenkinsfile: add workaround for CVE-2022-24765
git published an advisory Yesterday, which (as a counter-measure)
requires the git repository's directory to be owned by the current
user, and otherwise produce an error:
fatal: unsafe repository ('/workspace' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /workspace
The DCO check is run within a container, which is running as `root`
(to allow packages to be installed), but because of this, the user
does not match the files that are bind-mounted from the host (as they
are checked out by Jenkins, using a different user).
To work around this issue, this patch configures git to consider the
`/workspace` directory as "safe". We configure it in the `--system`
configuration so that it takes effect for "all users" inside the
container.
More details on the advisory can be found on GitHub's blog:
https://github.blog/2022-04-12-git-security-vulnerability-announced/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit efe03aa2d8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
parent
086a3fa036
commit
a80884126b
1 changed files with 1 additions and 1 deletions
2
Jenkinsfile
vendored
2
Jenkinsfile
vendored
|
|
@ -52,7 +52,7 @@ pipeline {
|
|||
-v "$WORKSPACE:/workspace" \
|
||||
-e VALIDATE_REPO=${GIT_URL} \
|
||||
-e VALIDATE_BRANCH=${CHANGE_TARGET} \
|
||||
alpine sh -c 'apk add --no-cache -q bash git openssh-client && cd /workspace && hack/validate/dco'
|
||||
alpine sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
|
||||
'''
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue