actions-ecosystem/action-get-latest-tag

fatal: unsafe repository ('/github/workspace' is owned by someone else)

Closed this issue · 4 comments

What happened

I was just executing a workflow with the action-get-latest-tag task from a tag push trigger (tag 1.4.0) as every time but it keeps failing. I didn't notice any changes to this repository so there's a good chance this isn't a bug with the action itself (but maybe a deprecation?).

Possibly caused by CVE-2022-24765 mitigation

What you expected to happen

The action should fetch the latest tag without failing.

How to reproduce it

  • Create workflow with actions-ecosystem/action-get-latest-tag@v1 actions
  • Execute via push tag trigger

Environment

Workflow

name: "Deploy: Production"

on:
  push:
    tags: [ "*" ]

env:
  ENVIRONMENT: production

jobs:
  preflight:
    name: "Preflight"
    runs-on: ubuntu-latest
    outputs:
      latest_tag: ${{ steps.latest-tag.outputs.tag }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - id: latest-tag
        name: Find latest tag
        uses: actions-ecosystem/action-get-latest-tag@v1

Logs

Run actions-ecosystem/action-get-latest-tag@v1
  with:
    semver_only: false
    initial_version: v0.0.0
    with_initial_version: true
  env:
    ENVIRONMENT: production

/usr/bin/docker run
--name REDACTED_REDACTED
--label REDACTED
--workdir /github/workspace
--rm 
-e ENVIRONMENT             -e REPOSITORY_PREFIX     -e INPUT_SEMVER_ONLY  -e INPUT_INITIAL_VERSION -e INPUT_WITH_INITIAL_VERSION 
-e HOME                    -e GITHUB_JOB            -e GITHUB_REF         -e GITHUB_SHA            -e GITHUB_REPOSITORY 
-e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID         -e GITHUB_RUN_NUMBER  -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT 
-e GITHUB_ACTOR            -e GITHUB_WORKFLOW       -e GITHUB_HEAD_REF    -e GITHUB_BASE_REF       -e GITHUB_EVENT_NAME 
-e GITHUB_SERVER_URL       -e GITHUB_API_URL        -e GITHUB_GRAPHQL_URL -e GITHUB_REF_NAME       -e GITHUB_REF_PROTECTED 
-e GITHUB_REF_TYPE         -e GITHUB_WORKSPACE      -e GITHUB_ACTION      -e GITHUB_EVENT_PATH     -e GITHUB_ACTION_REPOSITORY 
-e GITHUB_ACTION_REF       -e GITHUB_PATH           -e GITHUB_ENV         -e GITHUB_STEP_SUMMARY   -e RUNNER_OS 
-e RUNNER_ARCH             -e RUNNER_NAME           -e RUNNER_TOOL_CACHE  -e RUNNER_TEMP           -e RUNNER_WORKSPACE 
-e ACTIONS_RUNTIME_URL     -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL  -e GITHUB_ACTIONS=true   -e CI=true 
-v "/var/run/docker.sock":"/var/run/docker.sock" 
-v "/home/runner/work/_temp/_github_home":"/github/home" 
-v "/home/runner/work/_temp/_github_workflow":"/github/workflow" 
-v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" 
-v "/home/runner/work/REDACTED/REDACTED":"/github/workspace" REDACTED:REDACTED

fatal: unsafe repository ('/github/workspace' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /github/workspace
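
The ownership check behind the error in the log above, with a scoped way to add the exception git suggests, as an added example that is not part of the original issue or the action's own code. The function names are hypothetical, the owner comparison is a simplified model of git's check, and the path is whatever the entrypoint is given (for instance /github/workspace).

```shell
#!/bin/sh
# Added example: scoped safe.directory handling for a container entrypoint.
# Function names are hypothetical and not taken from the action.

# Print the numeric owner uid of a directory (ls -n is portable, stat flags are not).
dir_owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Succeed when the directory belongs to a different uid than the caller.
# Simplified model of the condition git reports as "owned by someone else".
owner_mismatch() {
    [ "$(dir_owner_uid "$1")" != "$(id -u)" ]
}

# Add an exception for exactly one path, only when needed, and only once.
# The '*' wildcard is never written: it would switch the check off everywhere.
trust_if_foreign() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    owner_mismatch "$dir" || return 0   # same owner: git will not complain
    if git config --global --get-all safe.directory 2>/dev/null |
        grep -Fxq -- "$dir"; then
        return 0                        # this path is already listed
    fi
    git config --global --add safe.directory "$dir"
}

# Entrypoint use: pass the mounted workspace path as the first argument.
if [ "$#" -gt 0 ]; then
    trust_if_foreign "$1"
fi
```

The entry is written to the global configuration of the user running git, so it has to run as that user inside the container before the first git command.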

I was able to reproduce this bug a couple of times this morning.
Looking forward to a fix 🙂

I've successfully used Find Latest Tag as a substitution for Action Get Latest Tag.

Example for replacing this action:

- uses: oprypin/find-latest-tag@v1
  id: tag
  continue-on-error: true
  with:
    repository: "MY-ORG/${{ github.event.repository.name }}"
    releases-only: true
    prefix: 'v'