Configure repository for compatibility with modern Git versions in release build containers

per1234 · per1234 · commit a14dd9390f3f · 2024-11-11T19:00:46.000-08:00
`DistTasks.yml` contains the tasks used to produce the release builds of the project for each of the host targets. The
builds are produced in Docker containers.

A regression was introduced in several of the tasks at the time the project's Go version was bumped to 1.21.5. As a
security measure (see CVE-2022-24765), starting from 2.30.3 Git requires the repository folder to be owned by the
operating system user's account. Due to it having been checked out outside the container, the repository does not meet
this requirement inside the container. An older version of Git was installed in the Go 1.18.3 Docker image, so this was
not a problem before the bump, but a newer version is used in the Go 1.21.5 containers, which causes some tasks to fail:

```
error obtaining VCS status: exit status 128
  Use -buildvcs=false to disable VCS stamping.
Error: failed building for linux/armv6: exit status 1
failed building for linux/armv6: exit status 1
task: Failed to run task "dist:Linux_ARMv6": exit status 1
```

The solution is to configure Git to allow the use of the repository, despite the "dubious ownership" of its folder. This
is done via the `safe.directory` Git configuration variable.
diff --git a/DistTasks.yml b/DistTasks.yml
@@ -131,11 +131,12 @@ tasks:
     desc: Builds Linux ARMv6 binaries
     dir: "{{.DIST_DIR}}"
     cmds:
+      # "git config safe.directory" is required until this is fixed https://github.com/elastic/golang-crossbuild/issues/232
       - |
         docker run -v `pwd`/..:/home/build -w /home/build \
         -e CGO_ENABLED=1 \
         {{.CONTAINER}}:{{.CONTAINER_TAG}} \
-        --build-cmd "{{.BUILD_COMMAND}}" \
+        --build-cmd "git config --global --add safe.directory /home/build && {{.BUILD_COMMAND}}" \
         -p "{{.BUILD_PLATFORM}}"
 
         tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
@@ -201,11 +202,12 @@ tasks:
     desc: Builds Mac OS X 64 bit binaries
     dir: "{{.DIST_DIR}}"
     cmds:
+      # "git config safe.directory" is required until this is fixed https://github.com/elastic/golang-crossbuild/issues/232
       - |
         docker run -v `pwd`/..:/home/build -w /home/build \
         -e CGO_ENABLED=1 \
         {{.CONTAINER}}:{{.CONTAINER_TAG}} \
-        --build-cmd "{{.BUILD_COMMAND}}" \
+        --build-cmd "git config --global --add safe.directory /home/build && {{.BUILD_COMMAND}}" \
         -p "{{.BUILD_PLATFORM}}"
 
         tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
@@ -235,11 +237,12 @@ tasks:
     desc: Builds Mac OS X ARM64 binaries
     dir: "{{.DIST_DIR}}"
     cmds:
+      # "git config safe.directory" is required until this is fixed https://github.com/elastic/golang-crossbuild/issues/232
       - |
         docker run -v `pwd`/..:/home/build -w /home/build \
         -e CGO_ENABLED=1 \
         {{.CONTAINER}}:{{.CONTAINER_TAG}} \
-        --build-cmd "{{.BUILD_COMMAND}}" \
+        --build-cmd "git config --global --add safe.directory /home/build && {{.BUILD_COMMAND}}" \
         -p "{{.BUILD_PLATFORM}}"
 
         tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
