I am experiencing an issue when using the php-actions/composer action with the following configuration in a GitHub Actions pipeline:
```yaml
- name: Cache Composer dependencies
  uses: actions/cache@v4
  with:
    path: '/tmp/composer-cache'
    key: "${{ runner.os }}-${{ hashFiles('**/composer.lock') }}"
- name: Install Composer
  uses: php-actions/composer@v6
  with:
    php_version: 8.1
    ssh_key: '${{ secrets.SSH_KEY }}'
    ssh_key_pub: '${{ secrets.SSH_KEY_PUB }}'
```

The issue occurs during the Install Composer step, showing the following error message:
```
fatal: detected dubious ownership in repository at '/tmp/composer-cache/vcs/git-github.com-<specific-repository>.git'
To add an exception for this directory, call:
git config --global --add safe.directory /tmp/composer-cache/vcs/git-github.com-<specific-repository>.git
```
Details:
- The issue is caused by Git version 2.35.2, which introduced this “safe directory” feature to improve security.
- Manually adding the directories as safe.directory temporarily solved the issue, but this is not scalable.
- Using git config --global --add safe.directory '*' was considered, but it poses a potential security risk.
- Changing ownership with chown did not work to resolve the ownership problem.
Question:
Is there a recommended way to handle this “dubious ownership” issue more efficiently, or could an enhancement be made to the php-actions/composer action to manage this scenario?
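
A middle ground between per-repository exceptions and the `'*'` wildcard, as an added example that is not part of the original issue or of the php-actions/composer project: register each repository found under the cache's `vcs/` directory by its exact path. The function names are hypothetical, and the script assumes that cache entries are bare repositories (`HEAD` and `objects/` directly inside the `.git` directory) and that it runs as the same user, with the same `HOME`, as the Git process Composer invokes.

```bash
#!/bin/sh
# Added example: scope safe.directory to the Composer VCS cache only.

# Print every direct child of <cache>/vcs that ends in .git and looks like a
# bare repository. Symlinks are skipped so that an entry cannot make the
# exception apply to a directory outside the cache.
list_cache_repos() {
  cache_dir=$1
  for d in "$cache_dir"/vcs/*.git; do
    [ -d "$d" ] && [ ! -L "$d" ] || continue
    [ -f "$d/HEAD" ] && [ -d "$d/objects" ] || continue
    printf '%s\n' "$d"
  done
}

# Add each listed repository as an exact-path safe.directory entry,
# skipping paths that are already registered.
register_safe_dirs() {
  cache_dir=$1
  list_cache_repos "$cache_dir" | while IFS= read -r repo; do
    if git config --global --get-all safe.directory | grep -Fxq -- "$repo"; then
      continue
    fi
    git config --global --add safe.directory "$repo"
  done
}

# Apply only when asked, e.g.: sh safe-dirs.sh --apply /tmp/composer-cache
if [ "${1:-}" = "--apply" ]; then
  register_safe_dirs "${2:-/tmp/composer-cache}"
fi
```

Repositories that Composer clones into the cache after this runs are not covered until the script runs again.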