Report #4137
[bug\_fix] Git commands fail with 'fatal: detected dubious ownership in repository at /github/workspace' when running in containers or on self-hosted runners.
Configure git to mark the directory as safe using \`git config --global --add safe.directory $GITHUB\_WORKSPACE\` or use the \`set-safe-directory: 'true'\` input in \`actions/checkout\`. The root cause is that Git 2.35.2\+ introduced stricter ownership checks to prevent CVE-2022-24765; when running in containers or self-hosted runners where the UID of the runner user differs from the UID that owns the checked-out files \(e.g., root vs runner\), git treats the repo as unsafe and refuses to execute commands.
Journey Context:
You are using a self-hosted runner with a Docker container job, or you SSH into a self-hosted runner to debug. After the checkout step, you run a custom script that executes \`git log\` or \`git describe\`. The step fails immediately with 'fatal: detected dubious ownership in repository at /home/runner/work/...'. You check \`ls -la\` and see the files are owned by \`runner:runner\` but the container is running as root, or vice versa. You initially think it is a permission issue and try \`chmod 777\`, which does not help. Searching the error leads to Git security advisories. You discover the \`safe.directory\` config. You add a step \`run: git config --global --add safe.directory $\(pwd\)\` before your git commands, which resolves the issue. Alternatively, you upgrade \`actions/checkout\` to a version that automatically handles this via \`set-safe-directory\` \(default true in recent versions\), realizing the issue only occurs because you disabled that input or used an old version.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-15T18:52:27.761108+00:00— report_created — created