Skip to content

fix(safe-outputs): bridge git safe.directory trust via GIT_CONFIG_* env vars#46057

Merged
pelikhan merged 20 commits into
mainfrom
copilot/deep-report-safe-outputs-fix
Jul 19, 2026
Merged

fix(safe-outputs): bridge git safe.directory trust via GIT_CONFIG_* env vars#46057
pelikhan merged 20 commits into
mainfrom
copilot/deep-report-safe-outputs-fix

Conversation

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

The push_to_pull_request_branch bridge (Process Safe Outputs step) runs outside the safeoutputs Docker container, potentially as a different uid/HOME. The in-container git config --global safe.directory never reaches this process, causing git to reject the workspace with "detected dubious ownership" — silently leaving the Changeset Generator read-only.

Changes

  • git_helpers.cjs — Extracted ensureSafeDirectoryTrust(gitCwd) from safe_outputs_handlers.cjs into the shared helper module and exported it. Sets GIT_CONFIG_COUNT/KEY/VALUE env vars in-process (git ≥2.31), bypassing ~/.gitconfig entirely:

    // Before: only lived inside the MCP server container
    function ensureSafeDirectoryTrust(gitCwd, server) { ... server.debug(...) }
    
    // After: shared, no server param, uses core.debug
    ensureSafeDirectoryTrust(process.env.GITHUB_WORKSPACE || process.cwd());
  • safe_outputs_handlers.cjs — Replaced local definition with import from git_helpers.cjs; removed server arg from three call sites.

  • push_to_pull_request_branch.cjs — Added two call sites in the bridge path:

    • main() factory: trusts GITHUB_WORKSPACE at handler init (covers all messages)
    • Per-message: trusts repoCwd for cross-repo subdirectory checkouts
    • Improved bundle-apply failure error message to include the actual git error (was a static string).
  • git_helpers.test.cjs — 8 new unit tests: no-op on falsy input, deduplication, multi-directory accumulation, coexistence with existing GIT_CONFIG_* entries (e.g. from getGitAuthEnv), malformed-count guard.



✨ PR Review Safe Output Test - Run 29638013210

💥 [THE END] — Illustrated by Smoke Claude · 118.9 AIC · ⌖ 31.4 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

…ship

Extract ensureSafeDirectoryTrust from safe_outputs_handlers.cjs to
git_helpers.cjs so it is available to the bridge (Process Safe Outputs
step) as well as the MCP server container.

The bridge runs outside the Docker container as a potentially different
user/HOME, so the in-container `git config --global safe.directory`
never reaches it. Using GIT_CONFIG_* env vars in the bridge process
directly ensures git trusts the checkout regardless of HOME or uid.

- Extract ensureSafeDirectoryTrust to git_helpers.cjs (uses core.debug,
  no server param), export it
- Update safe_outputs_handlers.cjs to import from git_helpers.cjs and
  remove local definition; update 3 call sites to drop server param
- Call ensureSafeDirectoryTrust in push_to_pull_request_branch.cjs:
  - In main() factory with GITHUB_WORKSPACE (covers all messages)
  - Per-message for cross-repo repoCwd subdirectory checkouts
- Fix bundle apply error message to include actual error text
- Add 8 new unit tests for ensureSafeDirectoryTrust

Closes #46028

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix dubious ownership issue in Changeset Generator fix(safe-outputs): bridge git safe.directory trust via GIT_CONFIG_* env vars Jul 16, 2026
Copilot AI requested a review from pelikhan July 16, 2026 18:31
@pelikhan
pelikhan marked this pull request as ready for review July 16, 2026 19:02
Copilot AI review requested due to automatic review settings July 16, 2026 19:02

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Bridges Git safe-directory trust into safe-output processes that may use a different user or home directory.

Changes:

  • Extracts and exports the shared trust helper.
  • Applies trust to workspace and cross-repository checkouts.
  • Adds unit coverage and improves bundle errors.
Show a summary per file
File Description
actions/setup/js/git_helpers.cjs Adds the shared safe-directory helper.
actions/setup/js/git_helpers.test.cjs Tests environment configuration behavior.
actions/setup/js/safe_outputs_handlers.cjs Uses the shared helper.
actions/setup/js/push_to_pull_request_branch.cjs Trusts bridge checkouts and reports bundle errors.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 1
  • Review effort level: Medium

Comment thread actions/setup/js/git_helpers.cjs Outdated
@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Copilot AI and others added 2 commits July 16, 2026 21:33
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

@copilot run pr-finisher skill

Ran pr-finisher and pushed 6077c7b.

This follow-up hardens malformed GIT_CONFIG_COUNT handling and makes ensureSafeDirectoryTrust() safe when core is not shimmed, with expanded tests for the malformed-count cases and the non-shimmed path.

Focused JS tests passed, make lint passed, and final parallel validation is clean. Full make test-unit in this sandbox still has unrelated existing failures in pkg/cli / host-dependent tests outside this change. This head has no CI runs yet because agent pushes do not trigger workflows, so a maintainer will need to re-trigger CI before merge.

@pelikhan

Copy link
Copy Markdown
Collaborator

/matt

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review

Applied /diagnosing-bugs and /tdd — two minor issues worth addressing, no blockers.

Positive highlights

  • Root cause properly addressed: bridge now gets safe.directory trust via GIT_CONFIG_* env vars, bypassing ~/.gitconfig for cross-uid/HOME scenarios.
  • Deduplication and malformed-count guards (Number.isSafeInteger) prevent subtle env-var chain corruption.
  • Factory-level + per-message call pattern in push_to_pull_request_branch.cjs covers both GITHUB_WORKSPACE and cross-repo subdirectory checkouts.
  • Comprehensive test coverage: falsy input, dedup, multi-directory, auth coexistence, malformed counts, missing core global.
  • Improved bundle-apply error message surfaces the actual git error.

Two issues raised (see inline comments)

  1. Debug logging regression — server.debug() in the MCP container path is silently dropped after removing the server arg.
  2. Test fragility — auth-coexistence test hardcodes index 0 instead of deriving it from getGitAuthEnv's actual count.

@copilot please address the review comments above.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 37 AIC · ⌖ 4.61 AIC · ⊞ 6.7K
Comment /matt to run again

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot review #46057 (review)

Copilot AI commented Jul 18, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, confirm the branch is up to date, and hand back the next concrete maintainer action for maintainers. There are no unresolved review threads currently visib...

The branch is no longer up to date with main: after fetching origin/main, this head is 6 commits behind and 33 ahead. There are still no unresolved in-scope review threads visible. Next maintainer action: update #46057 with the latest main and then re-trigger CI on the refreshed head before merge.

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

@Zganz404 Zganz404 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The happy path is clean. What happens if the third-party API returns 429 here? Might be worth handling that case explicitly.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot resolve the merge conflicts on this branch.

Copilot AI and others added 2 commits July 19, 2026 03:29
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…deep-report-safe-outputs-fix

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 19, 2026

Copy link
Copy Markdown
Contributor Author

@copilot resolve the merge conflicts on this branch.

Resolved with merge commit a36b552. I unshallowed the repo, merged the latest fetched origin/main into this branch, and reran make fmt, make lint, make test-unit, make test, make recompile, and make agent-report-progress; all passed locally. CI on this pushed head still needs a maintainer re-trigger before merge.

…deep-report-safe-outputs-fix

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category bug
Risk 🟡 medium
Score 50/100 (impact:25 urgency:15 quality:10)
Action defer

CI FAILING ❌ — js-typecheck and impacted-js-tests failing. Fix bridges git safe.directory trust (+343/-86, 9 files). Needs CI fix before merge.


Automated triage — run §29677420780

Generated by 🔧 PR Triage Agent · 34.2 AIC · ⌖ 5.12 AIC · ⊞ 5.6K ·

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, investigate the failed checks listed below, resolve the unresolved review feedback where appropriate, and rerun checks once the branch is ready.

Unresolved review feedback:

Failed checks:

Some review threads already have author follow-up replies; please verify current HEAD, resolve stale thread state where justified, and hand back the next concrete maintainer action.

Generated by PR Sous Chef: https://github.com/github/gh-aw/actions/runs/29677770339

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • pi.dev

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "pi.dev"

See Network Configuration for more information.

Generated by 👨‍🍳 PR Sous Chef · 20.6 AIC · ⌖ 8.43 AIC · ⊞ 6K ·
Comment /souschef to run again

Copilot AI and others added 2 commits July 19, 2026 07:36
…afe-outputs-fix

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 19, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, investigate the failed checks listed below, resolve the unresolved review feedback where appropriate, and rerun checks once the branch is ready.

Unresolve...

Addressed on ab66c06 (on top of the latest main merge in 00aab14). The failing js-typecheck / impacted-js-tests jobs were both blocked by the merged head’s missing trimleftright entries in pkg/linters/README.md; adding those entries brought the linter docs back in sync with pkg/linters/doc.go and restored local validation. The listed review threads are already resolved on the current head, so no follow-up code change was needed there.

Re-ran local validation on the updated head: make build-js, targeted go test ./pkg/linters -run 'TestDocGo_AnalyzersMatchREADME|TestSpec_PublicAPI_SubpackageAnalyzers', then make test-unit, make fmt, make lint, make test, make recompile, and make agent-report-progress all passed locally. I also ran final PR validation tooling; code review came back clean, while the CodeQL leg timed out and should not be re-run from the agent.

Next maintainer action: re-trigger CI on the current head before merge, since agent pushes do not start a fresh workflow run.

@pelikhan

Copy link
Copy Markdown
Collaborator

@pelikhan
pelikhan merged commit 3408dd4 into main Jul 19, 2026
29 of 32 checks passed
@pelikhan
pelikhan deleted the copilot/deep-report-safe-outputs-fix branch July 19, 2026 09:59
Copilot stopped work on behalf of pelikhan due to an error July 19, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[deep-report] [safe-outputs] Tracking: Changeset Generator push_to_pull_request_branch dubious-ownership hardfail (bridge safe.directory)

5 participants