fix: add git safe.directory and refactor git config to shell script to resolve dubious ownership error #39771
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…e_outputs job Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Added
…iner entrypoint Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot use GITHUB_SERVER_URL instead of GIT_SERVER_URL
…ials step Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in commit
💫 TO BE CONTINUED... Smoke Claude failed to deliver outputs! Our hero faces unexpected challenges...
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke Test Results: GitHub MCP: ✅, Web Fetch: ✅, File Write: ✅, Bash: ✅, Build: ❌. Overall: FAIL.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "localhost"
See Network Configuration for more information.
💥 Smoke Test: Claude — Run 27718402567
Core #1-12: ✅ all passed
Overall: PARTIAL (1 skipped) — Claude engine nominal! 🚀
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| env: | ||
| REPO_NAME: ${{ github.repository }} | ||
| SERVER_URL: ${{ github.server_url }} | ||
| GITHUB_REPOSITORY: ${{ github.repository }} |
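Review bot: The env block shown here stops at GITHUB_REPOSITORY, so it is not visible whether GITHUB_SERVER_URL and the token are still passed to this step once REPO_NAME and SERVER_URL give way to the GITHUB_* names. The shared script is described as silently skipping remote authentication when any of those variables is absent, so a missed rename in one job would only surface later as a failed push. Consider logging which variable was missing, or failing outright in jobs that are expected to authenticate.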
Smoke test: standardizing on GITHUB_REPOSITORY/GITHUB_SERVER_URL env names is a nice consistency improvement. ✅
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | ||
| git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | ||
| echo "Git configured with standard GitHub Actions identity" | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_git_credentials.sh" |
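Review bot: The inline lines replaced by this script call wrote the token into the origin URL via git remote set-url, which persists it in the repository's .git/config; if configure_git_credentials.sh keeps that approach it should never echo the URL, and the token-bearing remote should be reset when the job ends. The old ${SERVER_URL#https://} expansion also only strips an https:// prefix, so the script should handle or reject any other scheme explicitly. Finally, the run: line assumes the script already exists under ${RUNNER_TEMP}/gh-aw/actions/; a clear error when it is missing would make setup-order problems easier to diagnose.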
Smoke test: extracting git config to a shared script reduces duplication across lock files. 👍
Smoke Test: Codex - 27718402592
Comment Memory
Note
This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
PR titles only:
Smoke pass notes left inline.
📰 BREAKING: Report filed by Smoke Copilot
Smoke Tests 27718503421:
• "Suppress ANSI installer colors in CI and explicit no-color environments": ✅
• "Revert safe-outputs MCP transport to agent-job HTTP sidecar": ✅
• Serena find_symbol: ❌
• Other tests (Playwright, curl, file, discussion, build): ✅
Overall: FAIL
cc
The create_pull_request safe output in the Instructions Janitor (and any workflow using create_pull_request) fails when git rejects operations due to "detected dubious ownership in repository" — triggered when the repository directory is owned by a different user than the one executing git commands in the safe_outputs job runner environment.

Changes

- actions/setup/sh/configure_git_credentials.sh (new) — canonical POSIX sh-compatible shell script that sets git identity (github-actions[bot]), adds safe.directory from ${GITHUB_WORKSPACE}, and configures the remote URL when all required authentication credentials (GITHUB_REPOSITORY, GITHUB_SERVER_URL, GITHUB_TOKEN/GIT_TOKEN) are present. Auth is silently skipped when any credential is absent, so the same script is safe to run inside the safeoutputs container (which intentionally does not receive GITHUB_SERVER_URL)
- actions/setup/sh/start_safe_outputs_mcp.sh (new) — POSIX sh entrypoint script for the gh-aw-node container; calls configure_git_credentials.sh via sh and then execs the safe-outputs MCP server node process
- pkg/workflow/git_configuration_steps.go — refactored "Configure Git credentials" step to call bash "${RUNNER_TEMP}/gh-aw/actions/configure_git_credentials.sh" (affects agent job, publish_assets, repo_memory, experiments jobs)
- pkg/workflow/compiler_safe_outputs_steps.go — same refactoring in both the single-repo (buildConsolidatedCheckoutSteps) and multi-repo (buildMultiRepoCheckoutSteps) git config step generators; the multi-repo case still appends inline per-subdirectory remote URL lines after the script call
- pkg/workflow/mcp_renderer_builtin.go — container entrypoint for the gh-aw-node container is set to sh "${RUNNER_TEMP}/gh-aw/safeoutputs/start_safe_outputs_mcp.sh"; GITHUB_SERVER_URL is intentionally not included in the safeoutputs MCP container env_vars to prevent the container from accessing that secret — configure_git_credentials.sh detects the missing variable and skips remote URL authentication automatically
- actions/setup/setup.sh — copies both configure_git_credentials.sh and start_safe_outputs_mcp.sh to ${RUNNER_TEMP}/gh-aw/safeoutputs/ so they are accessible inside the container's mounted volume
- actions/setup/js/Dockerfile.safe-outputs-mcp — only git is installed via apk; bash is not required since the entrypoint runs under sh
- make recompile

The generated "Configure Git credentials" step now calls the shared script:

The gh-aw-node container entrypoint runs start_safe_outputs_mcp.sh via sh at startup. That script calls configure_git_credentials.sh (which configures git identity and safe.directory but skips remote authentication since GITHUB_SERVER_URL is not passed to the container) and then launches the MCP server. Main workflow steps (agent job, publish_assets, repo_memory, etc.) receive GITHUB_SERVER_URL and authenticate as before.

✨ PR Review Safe Output Test - Run 27718402567
Changeset

- Type: patch
- Description: Fix git credential setup to add safe.directory and use a shared POSIX shell entrypoint, resolving dubious ownership errors in safeoutputs and related workflows.
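
A sketch of the behaviour the description above attributes to configure_git_credentials.sh, added here as an example; it is not the script from this PR. The function names, the bot e-mail address and the `--apply` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the PR's script. Function names, the bot e-mail address
# and the --apply switch are assumptions made for illustration.

# Print the token-bearing remote URL; return 1 if any credential is missing.
auth_remote_url() {
    token="${GITHUB_TOKEN:-${GIT_TOKEN:-}}"
    if [ -z "${GITHUB_REPOSITORY:-}" ] || [ -z "${GITHUB_SERVER_URL:-}" ] || [ -z "$token" ]; then
        return 1
    fi
    host="${GITHUB_SERVER_URL#https://}"   # drop the scheme
    host="${host%/}"                       # and a trailing slash
    printf 'https://x-access-token:%s@%s/%s.git\n' "$token" "$host" "$GITHUB_REPOSITORY"
}

# Set identity and safe.directory for one repository, then authenticate
# origin only when auth_remote_url succeeds. $1 defaults to GITHUB_WORKSPACE.
configure_git() {
    repo="${1:-${GITHUB_WORKSPACE:-$PWD}}"
    git config --global user.name "github-actions[bot]"
    git config --global user.email "github-actions[bot]@users.noreply.github.com"
    # Trust exactly this path (not the '*' wildcard) and stay idempotent.
    if ! git config --global --get-all safe.directory | grep -Fxq -- "$repo"; then
        git config --global --add safe.directory "$repo"
    fi
    if url="$(auth_remote_url)"; then
        git -C "$repo" remote set-url origin "$url"
        echo "remote authentication configured"   # never print $url: it holds the token
    else
        echo "credentials incomplete; skipping remote authentication"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    configure_git "${2:-}"
fi
```

Registering only the workspace path keeps git's ownership check active for every other directory, and running the function twice leaves a single safe.directory entry.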