Skip to content

“Detected dubious ownership” issue when using php-actions/composer@v6 #120

Description

@victorwads

I am experiencing an issue when using the php-actions/composer action with the following configuration in a GitHub Actions pipeline:

- name: Cache Composer dependencies
  uses: actions/cache@v4
  with:
    path: '/tmp/composer-cache'
    key: "${{ runner.os }}-${{ hashFiles('**/composer.lock') }}"

- name: Install Composer
  uses: php-actions/composer@v6
  with:
    php_version: 8.1
    ssh_key: '${{ secrets.SSH_KEY }}'
    ssh_key_pub: '${{ secrets.SSH_KEY_PUB }}'

The issue occurs during the Install Composer step, showing the following error message:

fatal: detected dubious ownership in repository at '/tmp/composer-cache/vcs/git-github.com-<specific-repository>.git'
To add an exception for this directory, call:

    git config --global --add safe.directory /tmp/composer-cache/vcs/git-github.com-<specific-repository>.git

Details:

  • The issue is caused by Git version 2.35.2, which introduced this “safe directory” feature to improve security.
  • Manually adding the directories as safe.directory temporarily solved the issue, but this is not scalable.
  • Using git config --global --add safe.directory '*' was considered, but it poses a potential security risk.
  • Changing ownership with chown did not work to resolve the ownership problem.

Question:

Is there a recommended way to handle this “dubious ownership” issue more efficiently, or could an enhancement be made to the php-actions/composer action to manage this scenario?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions