fix: Fix malformed safe.directory in workflows
What does this MR do and why?
The DAP workload runner injects its own Git configuration into the container environment, including GIT_CONFIG_KEY_0=safe.directory with GIT_CONFIG_VALUE_0=${CI_PROJECT_DIR}. However, ${CI_PROJECT_DIR} is passed as a literal string (not expanded), which causes Git to emit a warning: safe.directory '${CI_PROJECT_DIR}' not absolute error and ultimately fail with a fatal detected dubious ownership error.
Before this fix, the ENV GIT_CONFIG_PARAMETERS="'safe.directory=*'" set in the Docker image was sufficient to suppress the ownership check, because Git commands ran directly in the container and inherited that environment variable. However, when the SRT (sandbox runtime) wraps Git commands via bwrap, it inherits the runner's injected environment — which does not include GIT_CONFIG_PARAMETERS — so the malformed ${CI_PROJECT_DIR} value was the only safe.directory config Git saw, causing the ownership check to fail fatally and breaking tools like ListDirectory.
This MR fixes the root cause on the Rails side by changing GIT_CONFIG_VALUE_0 from the unexpanded literal '${CI_PROJECT_DIR}' to '*' in StartWorkflowService, so that safe.directory is always set to a valid, absolute glob that Git accepts regardless of how the environment is inherited.
References
Screenshots or screen recordings
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
- Check out this branch
- Create an agent config file (or simply replace the default image locally)
# .gitlab/duo/agent-config.yml
image: registry.gitlab.com/gitlab-org/duo-workflow/default-docker-image/workflow-generic-image-hardened:407ecb94or
diff --git a/ee/app/services/ai/duo_workflows/start_workflow_service.rb b/ee/app/services/ai/duo_workflows/start_workflow_service.rb
index 65be3aa195df..e98903eec6ef 100644
--- a/ee/app/services/ai/duo_workflows/start_workflow_service.rb
+++ b/ee/app/services/ai/duo_workflows/start_workflow_service.rb
@@ -3,7 +3,7 @@
module Ai
module DuoWorkflows
class StartWorkflowService
- IMAGE_PATH = "gitlab-org/duo-workflow/default-docker-image/workflow-generic-image:v0.0.6"
+ IMAGE_PATH = "gitlab-org/duo-workflow/default-docker-image/workflow-generic-image-hardened:407ecb94"
DUO_CLI_VERSION = "8.86.0"
DWS_STANDARD_CONTEXT_CATEGORY = "agent_platform_standard_context"- Start a Duo Developer flow on a work item using the UI button
- Confirm that
ListDirectoryActionHandlerexecutes without any problem - (Optional) checkout the master branch and repeat the steps, to confirm the original bug
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.