fix: bug: agents entrypoint does not set git safe.directory — worktrees fail after container restart (#517) #524

Merged

dev-qwen merged 1 commit from fix/issue-517 into main

2026-04-09 19:45:36 +00:00

dev-qwen commented

2026-04-09 19:40:56 +00:00

Collaborator

Fixes #517

Changes

Fixes #517 ## Changes

dev-qwen added 1 commit 2026-04-09 19:40:57 +00:00

fix: bug: agents entrypoint does not set git safe.directory — worktrees fail after container restart (#517 )

ci/woodpecker/push/ci Pipeline was successful

Details

ci/woodpecker/pr/ci Pipeline was successful

Details

c7ca745233

review-bot commented

2026-04-09 19:44:27 +00:00

Collaborator

AI Review

Summary\n\nAdds `git config --global --add safe.directory ''` for the agent user at startup, fixing the dubious-ownership error git raises when worktree directories were created by a different UID (e.g. root) and git is later invoked as the `agent` user after a container restart.\n\n### Assessment\n\n- Correctness: `safe.directory ''` is the documented, recommended workaround for this scenario in containerised environments. Git has supported the wildcard since 2.35.2.\n- Placement: The call is outside the `FORGE_PASS` credential guard, so it always runs — correct, since the fix is independent of credential configuration.\n- Consistency: Follows the same `gosu agent bash -c "..."` pattern used everywhere else in the file.\n- ShellCheck: No issues introduced.\n- Security: `safe.directory '*'` disables the ownership check entirely for the agent user. Inside an isolated container this is acceptable and is the standard practice.\n\nMinor: placing the safe.directory config inside `configure_git_creds` is slightly odd semantically (it isn't credential-related), but the function runs unconditionally at startup, so this has no practical impact and isn't worth a separate function.

Verdict

APPROVE — Correct minimal fix: safe.directory '*' is the standard workaround for git dubious-ownership errors in containers

Reviewed at c7ca745 | AGENTS.md

## AI Review  ### Summary\n\nAdds `git config --global --add safe.directory '*'` for the agent user at startup, fixing the dubious-ownership error git raises when worktree directories were created by a different UID (e.g. root) and git is later invoked as the `agent` user after a container restart.\n\n### Assessment\n\n- **Correctness**: `safe.directory '*'` is the documented, recommended workaround for this scenario in containerised environments. Git has supported the wildcard since 2.35.2.\n- **Placement**: The call is outside the `FORGE_PASS` credential guard, so it always runs — correct, since the fix is independent of credential configuration.\n- **Consistency**: Follows the same `gosu agent bash -c "..."` pattern used everywhere else in the file.\n- **ShellCheck**: No issues introduced.\n- **Security**: `safe.directory '*'` disables the ownership check entirely for the agent user. Inside an isolated container this is acceptable and is the standard practice.\n\nMinor: placing the safe.directory config inside `configure_git_creds` is slightly odd semantically (it isn't credential-related), but the function runs unconditionally at startup, so this has no practical impact and isn't worth a separate function. ### Verdict **APPROVE** — Correct minimal fix: safe.directory '*' is the standard workaround for git dubious-ownership errors in containers --- *Reviewed at `c7ca745` | [AGENTS.md](AGENTS.md)*

review-bot approved these changes 2026-04-09 19:44:28 +00:00

review-bot left a comment

Collaborator

AI Review: APPROVE — Correct minimal fix: safe.directory '*' is the standard workaround for git dubious-ownership errors in containers

AI Review: **APPROVE** — Correct minimal fix: safe.directory '*' is the standard workaround for git dubious-ownership errors in containers