“Detected dubious ownership” issue when using php-actions/composer@v6 #120

Open
victorwads opened this issue Nov 5, 2024 · 5 comments


@victorwads

I am experiencing an issue when using the php-actions/composer action with the following configuration in a GitHub Actions pipeline:

- name: Cache Composer dependencies
  uses: actions/cache@v4
  with:
    path: '/tmp/composer-cache'
    key: "${{ runner.os }}-${{ hashFiles('**/composer.lock') }}"

- name: Install Composer
  uses: php-actions/composer@v6
  with:
    php_version: 8.1
    ssh_key: '${{ secrets.SSH_KEY }}'
    ssh_key_pub: '${{ secrets.SSH_KEY_PUB }}'

The issue occurs during the Install Composer step, showing the following error message:

fatal: detected dubious ownership in repository at '/tmp/composer-cache/vcs/git-github.com-<specific-repository>.git'
To add an exception for this directory, call:

    git config --global --add safe.directory /tmp/composer-cache/vcs/git-github.com-<specific-repository>.git

Details:

  • The issue is caused by Git version 2.35.2, which introduced this “safe directory” feature to improve security.
  • Manually adding the directories as safe.directory temporarily solved the issue, but this is not scalable.
  • Using git config --global --add safe.directory '*' was considered, but it poses a potential security risk.
  • Changing ownership with chown did not work to resolve the ownership problem.

Question:

Is there a recommended way to handle this “dubious ownership” issue more efficiently, or could an enhancement be made to the php-actions/composer action to manage this scenario?
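A scoped alternative to the `safe.directory '*'` wildcard weighed in the post above, as an added example that is not part of the original issue or of the php-actions/composer action: it enumerates the bare mirrors in the Composer cache and trusts each by exact path. The function names are hypothetical, and it assumes the mirrors sit directly under `<cache>/vcs` as in the error message and that it runs with the same user and `HOME` as the Git process that reports the error.

```shell
#!/bin/sh
# Added example, not code from the issue or the action.
# Trust only the bare mirrors that actually exist in the Composer cache,
# by exact path, instead of disabling the ownership check with '*'.

# Print one absolute path per line for every bare mirror under <cache_root>/vcs.
# A candidate must be a real directory (symlinks are skipped so an entry
# cannot point outside the cache) and must look like a bare repository.
list_cache_repos() {
  [ -d "$1/vcs" ] || return 0
  lcr_vcs=$(cd "$1/vcs" && pwd -P) || return 1
  for lcr_dir in "$lcr_vcs"/*.git; do
    [ -d "$lcr_dir" ] && [ ! -L "$lcr_dir" ] || continue
    [ -f "$lcr_dir/HEAD" ] && [ -d "$lcr_dir/objects" ] || continue
    printf '%s\n' "$lcr_dir"
  done
}

# Add each mirror to the global safe.directory list if it is not there yet.
# Prints "trusted <path>" for every entry it adds, so the job log shows
# exactly which repositories were exempted from the ownership check.
trust_cache_repos() {
  list_cache_repos "$1" | while IFS= read -r tcr_repo; do
    if git config --global --get-all safe.directory 2>/dev/null \
        | grep -Fxq -- "$tcr_repo"; then
      continue   # already trusted: keep the config free of duplicates
    fi
    git config --global --add safe.directory "$tcr_repo" \
      && printf 'trusted %s\n' "$tcr_repo"
  done
}

# Usage, with the cache path quoted in the issue:
#   trust_cache_repos /tmp/composer-cache
```

Because every entry is an exact path, a repository that appears anywhere else on the runner still goes through Git's ownership check.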

@mikemanger

I think this is related to composer/composer#12158 so it might be an upstream issue.

I'm still testing but I think we got around this by using https/zips for the repository vcs urls.

@g105b
Member

g105b commented Nov 18, 2024

Let's keep this issue open for a while until the upstream fix makes its way down. I think your comments are all correct, but maybe we won't need to change anything for the https/zip suggestion if this has been fixed in composer?

@mikemanger

No fix yet but some more discussion here composer/composer#12192

Not my wheelhouse but passing the scope/context to the action might be a workaround? At least that seems to be what happens in a lot of actions.

@mikemanger

Locking composer to 2.8.1 is probably the easiest workaround I've found.

      - name: Install PHP dependencies
        uses: php-actions/composer@v6
        with:
          # ...
          # Lock composer to working version.
          # See https://github.com/php-actions/composer/issues/120
          version: 2.8.1

@Stubbs

Stubbs commented Nov 22, 2024

I also got round this by removing composer caching from my build.
