From 1b4f1b80b4c4a75cfa27313994637e71f92c22a8 Mon Sep 17 00:00:00 2001
From: Felix Moessbauer <felix.moessbauer@siemens.com>
Date: Fri, 28 Feb 2025 09:42:14 +0100
Subject: [PATCH] GitLab CI: add git safe dir for project root

The GitLab CI runner mounts the $CI_PROJECT_DIR git project root from
the outside but does not align the ownership of that directory with the
user of the docker container. By that, git does not allow to perform any
operation on that repository.

As this is a well-known case, we mark that directory as a safe dir if
running in GitLab CI.

Xref: https://github.com/siemens/kas/pull/141
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 kas/libcmds.py         | 18 ++++++++++++------
 tests/conftest.py      |  1 +
 tests/test_commands.py |  1 +
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/kas/libcmds.py b/kas/libcmds.py
index e1ef8bac..62561c39 100644
--- a/kas/libcmds.py
+++ b/kas/libcmds.py
@@ -310,13 +310,19 @@ def _setup_gitconfig(self):
                 if os.environ.get('GIT_CREDENTIAL_USEHTTPPATH', False):
                     config['credential']['useHttpPath'] = \
                         os.environ.get('GIT_CREDENTIAL_USEHTTPPATH')
-            # in GitLab CI, add ssh -> https rewrites if no config is present
-            ci_server = os.environ.get('CI_SERVER_HOST', None)
-            if get_context().managed_env == ME.GITLAB_CI and ci_server and \
-                    not self._ssh_config_present() and \
+
+            if get_context().managed_env == ME.GITLAB_CI and \
                     not os.path.exists(gitconfig_host):
-                logging.debug('Adding GitLab CI ssh -> https rewrites')
-                self._setup_gitlab_ci_ssh_rewrite(config)
+                ci_project_dir = os.environ.get('CI_PROJECT_DIR', False)
+                if ci_project_dir:
+                    logging.debug('Adding git safe.directory %s',
+                                  ci_project_dir)
+                    config.add_value('safe', 'directory', ci_project_dir)
+
+                ci_server = os.environ.get('CI_SERVER_HOST', None)
+                if ci_server and not self._ssh_config_present():
+                    logging.debug('Adding GitLab CI ssh -> https rewrites')
+                    self._setup_gitlab_ci_ssh_rewrite(config)
             config.write()
 
     def execute(self, ctx):
diff --git a/tests/conftest.py b/tests/conftest.py
index 0d2aa5ce..07514a5a 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -39,6 +39,7 @@
     'SSH_AUTH_SOCK',
     'CI_SERVER_HOST',
     'CI_JOB_TOKEN',
+    'CI_PROJECT_DIR',
     'GITLAB_CI',
     'GITHUB_ACTIONS',
     'REMOTE_CONTAINERS'
diff --git a/tests/test_commands.py b/tests/test_commands.py
index 531f9d9b..a9448f39 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -98,6 +98,7 @@ def test_checkout_with_ci_rewrite(monkeykas, tmpdir):
         mp.setenv('GITLAB_CI', 'true')
         mp.setenv('CI_SERVER_HOST', 'github.com')
         mp.setenv('CI_JOB_TOKEN', 'not-needed')
+        mp.setenv('CI_PROJECT_DIR', '/build')
         kas.kas(['checkout', 'test-url-rewrite.yml'])