chore(ci_visibility): improve git security settings#16552
Co-authored-by: gnufede <412857+gnufede@users.noreply.github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d5a9b886ee
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8840784666
/merge
This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
The expected merge time in
juanjux left a comment
Test lacks typing, but this is typical of our tests, LGTM otherwise.
PR by Bits
Description
Improves Git security settings by replacing the global `safe.directory` configuration approach with per-command configuration overrides. Instead of modifying Git's global configuration, the implementation now:
- passes `-c safe.directory=<repo>` to each Git command
This approach maintains security by limiting the safe-directory configuration to the specific repository being accessed, on a per-command basis, while avoiding global configuration changes and their associated performance and maintenance overhead.
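The mechanism described above, as an added example that is not the tracer's own code: a pure-filesystem repo-root lookup (so it still works when `git` itself refuses to run in a directory owned by another user, which is the case `safe.directory` gates), an argv builder that prepends `-c safe.directory=<repo>` only when a root is known, and, for contrast, the replaced approach of writing a persistent entry to the global config. The function names `find_repo_root`, `git_argv`, `global_argv_before` and `run_git` are this example's own, not the project's.

```python
"""Per-command Git safe.directory override (added example, not dd-trace-py code)."""
from __future__ import annotations

import os
import subprocess
from typing import List, Optional


def find_repo_root(start: str) -> Optional[str]:
    """Walk upward from ``start`` until a ``.git`` entry is found.

    Uses only the filesystem, so it does not depend on ``git`` accepting the
    directory. Returns the resolved path of the repository root, or None when
    ``start`` is not inside a repository.
    """
    path = os.path.realpath(start)
    while True:
        # ``.git`` is a directory in a normal clone and a file (gitdir pointer)
        # in linked worktrees and submodules; both mark the root.
        if os.path.exists(os.path.join(path, ".git")):
            return path
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root without a hit
            return None
        path = parent


def git_argv(args: List[str], repo_root: Optional[str]) -> List[str]:
    """Build the argv for one Git command.

    When a repository root is known, ``-c safe.directory=<repo>`` is placed
    before the subcommand so the override lives only for this invocation and
    names only this repository. Outside a repository no override is added.
    """
    argv = ["git"]
    if repo_root is not None:
        # The value must be the exact path Git resolves for the repository:
        # safe.directory does not match prefixes, and ``*`` would switch the
        # ownership check off entirely, which is what this approach avoids.
        argv += ["-c", "safe.directory=" + repo_root]
    argv += args
    return argv


def global_argv_before(repo_root: str) -> List[str]:
    """The replaced approach: a persistent entry in the user's global config.

    Shown for contrast only; it mutates state outside the process and outlives
    the command that needed it.
    """
    return ["git", "config", "--global", "--add", "safe.directory", repo_root]


def run_git(args: List[str], cwd: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run a Git command from ``cwd`` with the per-command override applied."""
    repo_root = find_repo_root(cwd)
    return subprocess.run(
        git_argv(args, repo_root),
        cwd=cwd,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


if __name__ == "__main__":
    here = os.getcwd()
    print(git_argv(["rev-parse", "HEAD"], find_repo_root(here)))
```

The override takes effect only on Git versions that know the `safe.directory` key (introduced in 2.35.2 as the fix for the dubious-ownership check); older versions ignore unknown `-c` keys, so the command still runs and the ownership check they lack is simply absent.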
Testing
Updated two test cases:
- `test_git_safe_directory_override_added_for_repo_root`: verifies that Git commands include the `-c safe.directory=<repo>` override for the repository root
- `test_git_safe_directory_override_skipped_without_repo`: verifies that no override is added when operating outside a Git repository
Removed the mocked `_set_safe_directory` call from `test_extract_git_metadata` to test the actual metadata extraction flow with the new override mechanism.
Risks
None
Additional Notes
This implementation aligns with the Java tracer's approach (PR 10486) by using repository-specific safe directory configuration rather than a global wildcard or global entries, improving both security posture and Git configuration cleanliness. The per-command override approach ensures that Git security checks remain effective while allowing the tracer to access metadata from repositories in security-restricted environments.
SDTEST-3222