Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow post-checkout scripts to run during CI dependency builds #749

Closed
wants to merge 2 commits into from
Closed

Allow post-checkout scripts to run during CI dependency builds #749

wants to merge 2 commits into from

Conversation

DavidHuber-NOAA
Copy link
Collaborator

Description

This tells git to allow post-checkout scripts to run during dependency building, which was disabled by default for security reasons in recent versions.

Resolves #748

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

CI ran successfully after commit.

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • New and existing tests pass with my changes

AlexanderRichert-NOAA
AlexanderRichert-NOAA approved these changes May 22, 2024
View reviewed changes
Copy link
Contributor

@AlexanderRichert-NOAA AlexanderRichert-NOAA left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To state the (possibly) obvious, this will make it all the more important to be careful to not clone sketchy repos that might do malicious or otherwise unwanted things with their Git hooks... But for the software used and foreseeably used in these workflows, I don't see this being a problem.

@AlexanderRichert-NOAA
Copy link
Contributor

In the case of the crtm one that was causing issues, it's a hook that checks to see whether git-lfs is available.

@RussTreadon-NOAA
Copy link
Contributor

The unsafe behavior @AlexanderRichert-NOAA mentions concerns me. I am not familiar with git workflows. Is turning off protections via GIT_CLONE_PROTECTION_ACTIVE=false limited to https://github.com/JCSDA/spack.git?

Why didn't we need to set GIT_CLONE_PROTECTION_ACTIVE=false in the past? What changed?

@DavidHuber-NOAA
Copy link
Collaborator Author

@RussTreadon-NOAA It appears that this issue will be fixed soon by Git. As mentioned here, git-lfs (which CRTM uses) requires a post-checkout hook. Git will whitelist git-lfs soon so that the GIT_CLONE_PROTECTION_ACTIVE flag does not need to be set to False. We could wait until the new version of git is released and try to run a CI build at that point instead of merging this PR.

@RussTreadon-NOAA
Copy link
Contributor

Thank you @DavidHuber-NOAA for sharing this. If the change will be implemented soon, my preference is to wait. We only have two active GSI PRs, excluding this one, at present. If we merge this PR into develop, we'll need to unmerge it via a subsequent PR later. What do @AlexanderRichert-NOAA and you think?

@DavidHuber-NOAA
Copy link
Collaborator Author

I'm good with waiting.

@DavidHuber-NOAA
Copy link
Collaborator Author

I believe this issue has been resolved by git now. I'm reverting the changes to allow CI to rerun.

@DavidHuber-NOAA
Copy link
Collaborator Author

CI passed, closing this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexanderRichert-NOAA AlexanderRichert-NOAA AlexanderRichert-NOAA approved these changes

@RussTreadon-NOAA RussTreadon-NOAA Awaiting requested review from RussTreadon-NOAA

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CI builds fail due to new security measures
3 participants
@DavidHuber-NOAA @AlexanderRichert-NOAA @RussTreadon-NOAA