### Summary The `release beta` job has started failing with: ``` fatal: detected dubious ownership in repository at '/builds/gitlab-runner' ``` Example failing job: https://gitlab.com/gitlab-org/charts/gitlab-runner/-/jobs/14312941954 ### Root cause The job runs `git describe --long` to compose the beta chart version. Git's [CVE-2022-24765](https://github.blog/open-source/git/git-security-vulnerabilities-announced/#cve-2022-24765) protection refuses to operate when the working tree's UID differs from the process UID. In the Kubernetes executor this is the normal case: `init-permissions` runs as root and the build container runs as a different user. The failure started after the `gitlab-charts-build-base-helm-3.7` image picked up a git version that enforces this check. ### Impact Every push to `main` that triggers the beta release path fails. Beta chart artifacts are not being published to the S3 repository. ### Proposed fix Add `git config --global --add safe.directory "$CI_PROJECT_DIR"` as the first script step before any git invocation. Scoped to the one path the runner populated, idempotent, confined to the ephemeral build container — the canonical CI fix for this break. Avoids the broader `safe.directory = '*'` form which would defeat the protection wholesale. ### Out of scope Replacing `git describe --long` with `${CI_COMMIT_SHORT_SHA}` would remove the git dependency entirely, but changes the beta version string format (`<count>-g<sha>` → just `<sha>`). Worth a separate discussion; not bundled here to keep blast radius minimal.