Mark source repos as safe in install-ansible-role

Our install-ansible-role role is used to install the cloud launcher and
puppet ansible roles on bridge. It does this by cloning the zuul repos
for these roles into the appropriate ansible role path location. Recent
versions of git will not clone repos owned by different users by default
due to security concerns. This breaks install-ansible-role because zuul
owns the zuul repos and install-ansible-role is cloning as root. In this
case we do trust the zuul repos though so we mark them as safe
directories in the root .gitconfig file.

Change-Id: I0cc4a011bbfb484fcc2ccf0d8b1d254c01fc03d6
Clark Boylan 2024-06-03 11:21:43 -07:00
parent f01ae8a271
commit ed9aae01c3

@ -1,3 +1,13 @@
- name: Mark source side of clone as safe
# This goes into a config file with many entries so we cannot set
# a creates attribute on this task. However, subsequent runs of this
# command seem to noop if the entries are already present so the impact
# is low.
command: git config --global safe.directory '{{ ansible_role_src_root }}/src/opendev.org/opendev/ansible-role-{{ ansible_role }}'
loop: '{{ ansible_roles }}'
loop_control:
loop_var: ansible_role
- name: Install ansible roles to /etc/ansible/roles
git:
repo: '{{ ansible_role_src_root }}/src/opendev.org/opendev/ansible-role-{{ ansible_role }}'
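Review bot: On the `command:` line of the new task, `git config --global safe.directory <path>` is called without `--add`, so it sets the key rather than appending to it. With a single existing `safe.directory` value, each loop iteration replaces that value, so after looping over `ansible_roles` only the last role's path remains marked safe. Once root's .gitconfig already holds more than one `safe.directory` entry, git refuses the plain set with "cannot overwrite multiple values with a single value". Suggest `git config --global --add safe.directory ...`. Because `--add` appends a duplicate on every run, pair it with a check of `git config --global --get-all safe.directory` and skip the write when the path is already listed; that also lets the task report changed only when an entry is actually written, instead of on every run as a bare `command:` does. The comment above the command says subsequent runs "seem to noop"; it would be worth replacing that with the verified behaviour once the flag is settled. Listing the exact repo paths rather than a wildcard is the right scope for this trust decision and should stay as is.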