[BUG] git clone issue on newest Git version #1611

Closed
1 task done
SaschaSchwarze0 opened this issue May 27, 2024 · 3 comments

@SaschaSchwarze0
Member

Is there an existing issue for this?

  • I have searched the existing issues

Kubernetes Version

No response

Shipwright Version

No response

Current Behavior

Git recently introduced new security features that prevent hooks from being automatically invoked during git clone. This affects git-lfs, see git-lfs/git-lfs#5749. As a consequence, our unit tests that use git-lfs are also broken. See https://github.com/shipwright-io/build/actions/runs/9250581194/job/25446913912?pr=1610#step:5:38.

Expected Behavior

git-lfs should be functional

Steps To Reproduce

No response

Anything else?

No response

@SaschaSchwarze0 SaschaSchwarze0 added the kind/bug Categorizes issue or PR as related to a bug. label May 27, 2024
@SaschaSchwarze0
Member Author

My proposal:

  • We set the GIT_CLONE_PROTECTION_ACTIVE=false environment variable using Ginkgo for the test case that uses git-lfs
  • I propose to also add GIT_CLONE_PROTECTION_ACTIVE=false to the step template of the Git step. The container image is based on the git version coming from RedHat UBI which is older. But eventually, we will also have that problem there. I think that it is safe that we disable the protection because we run git clone in a very isolated environment = a container running as non-root without any privileges in a Kubernetes cluster.

@qu1queee
Contributor

@MaheshRKumawat will take this

@qu1queee
Contributor

qu1queee commented Jun 7, 2024

I worked on this together with @MaheshRKumawat. The issue is not present anymore, so we encourage existing PRs to rerun the unit test:

What happened?

We were running on an ubuntu 20240516.1 image. This image comes with Git 2.45.1, see here. The latest CI runs for unit-test are running the newest ubuntu 20240603.1 image, which comes with Git 2.45.2, see here. Now that we understand the delta, when looking at the changelog for Git 2.45.2, we see the following:

clone: drop the protections where hooks aren't run

This explains why the issue no longer exists. For reference, here is an example of the failing unit tests:

Git Resource Some tests mutate or depend on git configurations. They must run sequentially to avoid race-conditions. Test that require git configurations cloning repositories with Git Large File Storage [It] should Git clone a repository to the specified target directory
/home/runner/work/build/build/cmd/git/main_test.go:502

  [FAILED] Unexpected error:
      <*main.ExitError | 0xc000341080>: 
      fatal: active `post-checkout` hook found during `git clone`:
      	/tmp/git3063540752/.git/hooks/post-checkout
      For security reasons, this is disallowed by default.
      If this is intentional and the hook should actually be run, please
      run the command again with `GIT_CLONE_PROTECTION_ACTIVE=false`
      warning: Clone succeeded, but checkout failed.
      You can inspect what was checked out with 'git status'
      and retry with 'git restore --source=HEAD :/' (exit code 128)
      {
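
The proposal and the failure output in this thread map onto two small helpers, sketched here in Go as an added example (not code from Shipwright or from any participant): one scopes `GIT_CLONE_PROTECTION_ACTIVE=false` to a single git child process instead of the whole test run, the other recognises the hook-protection failure in git's stderr. The names `CloneEnv` and `BlockedHook` are hypothetical, and the sample stderr is copied from the failing test quoted above.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

const protectionVar = "GIT_CLONE_PROTECTION_ACTIVE"

// Matches the fatal message quoted in this issue; captures the hook name and
// the hook path that git prints on the following line.
var hookErr = regexp.MustCompile("active `([a-z-]+)` hook found during `git clone`:\\s+(\\S+)")

// CloneEnv (hypothetical helper) returns a copy of base for ONE git child
// process. Any inherited GIT_CLONE_PROTECTION_ACTIVE is dropped, and the
// override is added only when the caller opts in (e.g. the git-lfs clone).
func CloneEnv(base []string, allowHooks bool) []string {
	env := make([]string, 0, len(base)+1)
	for _, kv := range base {
		if !strings.HasPrefix(kv, protectionVar+"=") {
			env = append(env, kv)
		}
	}
	if allowHooks {
		env = append(env, protectionVar+"=false")
	}
	return env
}

// BlockedHook (hypothetical helper) reports which hook made git abort the
// checkout, so a caller can log it or decide whether an override is justified.
func BlockedHook(stderr string) (name, path string, ok bool) {
	m := hookErr.FindStringSubmatch(stderr)
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

func main() {
	// Sample stderr taken from the failing unit test quoted in this issue.
	sample := "fatal: active `post-checkout` hook found during `git clone`:\n" +
		"\t/tmp/git3063540752/.git/hooks/post-checkout\n" +
		"For security reasons, this is disallowed by default.\n"
	name, path, ok := BlockedHook(sample)
	fmt.Println(name, path, ok)
	env := CloneEnv(os.Environ(), ok && name == "post-checkout")
	fmt.Println(env[len(env)-1]) // pass env as exec.Cmd.Env for that one clone
}
```
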
