Remove GIT_CONFIG_GLOBAL=/dev/null from Duo Workflow git hardening

What does this MR do and why?

Removes GIT_CONFIG_GLOBAL: '/dev/null' from the git environment variables injected into Duo Workflow workload jobs in StartWorkflowService.

Since 18.11 (!226743 (merged)), this hardening caused the runner's git config --global http.<host>.sslCAInfo write during get_sources to silently go to /dev/null. As a result, git clone failed with OpenSSL error 20 on any self-managed instance using custom or self-signed CAs. Normal CI/CD jobs were unaffected; only Duo Workflow workload pipelines hit this.

This is the minimal fix: the /dev/null global config is removed so the runner's sslCAInfo write lands in a real config file again.

Changes

  • ee/app/services/ai/duo_workflows/start_workflow_service.rb: drop the GIT_CONFIG_GLOBAL: '/dev/null' entry.
  • ee/spec/services/ai/duo_workflows/start_workflow_service_spec.rb: remove the corresponding assertion.

How to validate locally

Set up SSL

  1. Update the gdk.yml and generate certificates (see)
  2. Register a runner with the certificate (see Option for SSL users (expand))

Verify the problem

Without checking out this branch, run any workflow. It should fail with:

[...]
Fetching changes with git depth set to 1...
Initialized empty Git repository in /builds/gitlab-org/duo/.git/
Created fresh repository.
fatal: unable to access 'https://gdk.test:3443/gitlab-org/duo.git/': SSL certificate problem: unable to get local issuer certificate

Verify the changes

  1. Check out 598725-remove-git-config-global-dev-null
  2. Start a workflow
  3. The workflow shouldn't show the SSL error (there's a potential duo-cli error later on, but that shouldn't concern this MR)

Fetching changes with git depth set to 1...
Reinitialized existing Git repository in /builds/gitlab-org/duo/.git/
Created fresh repository.
From https://gdk.test:3443/gitlab-org/duo
 * [new ref]         3c968241c16576185f3d34a455e5fc7270dfa243 -> refs/pipelines/1035
Checking out 3c968241 as detached HEAD (ref is refs/workloads/17e66006c9d)...
Skipping Git submodules setup
Executing "step_script" stage of the job script

Relates to #598725 (closed)

Edited by Andras Herczeg
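
A job-side preflight for the failure mode described in this MR, as an added example that is not part of the MR, GitLab, or the runner: it classifies whether the file named by GIT_CONFIG_GLOBAL can hold a persisted `git config --global` write such as the runner's sslCAInfo entry. The function name `git_global_write_target` and the result words are hypothetical, and an empty value is treated the same as an unset variable (an assumption).

```shell
#!/bin/sh
# Added example (hypothetical helper, not GitLab or runner code).
# Classifies the path a `git config --global` write would target when
# GIT_CONFIG_GLOBAL is set to $1. Prints one word and returns 0 only if a
# write could persist in a real config file.
git_global_write_target() {
    target=$1

    # Assumption: an empty value is handled like an unset variable, so git
    # falls back to its usual global config file.
    if [ -z "$target" ]; then
        echo "default"
        return 0
    fi

    # Exists but is not a regular file (for example the /dev/null character
    # device): nothing written there can be read back later.
    if [ -e "$target" ] && [ ! -f "$target" ]; then
        echo "not-a-regular-file"
        return 1
    fi

    # Existing regular file: it must be writable by the job user.
    if [ -f "$target" ]; then
        if [ -w "$target" ]; then
            echo "persistent"
            return 0
        fi
        echo "read-only"
        return 1
    fi

    # File does not exist yet: it can only be created in a writable directory.
    parent=$(dirname -- "$target")
    if [ -d "$parent" ] && [ -w "$parent" ]; then
        echo "persistent"
        return 0
    fi
    echo "uncreatable"
    return 1
}

# Check the current job environment and warn before get_sources-style
# config writes would be lost.
git_global_write_target "${GIT_CONFIG_GLOBAL-}" ||
    echo "warning: git config --global writes will not persist" >&2
```
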
