DIAG v2: Windows ACL + GIT_TRACE2 for Cygwin submodule trust check

EliahKagan · claude · EliahKagan · commit 28460859e0a0 · 2026-05-08T02:53:34.000-04:00
Second-pass diagnostic to complement `claude/cygwin-diag-ownership` (commit
`d3442e55`). Adds a pwsh step that runs `Get-Acl`/`icacls` on each path
to capture Windows-side ACL details (owner SID, inheritance flags), and a
Cygwin step that captures `getent passwd`, `mount` flags, GIT-related
environment variables, `git config --list --show-origin --show-scope`, and
`GIT_TRACE2=1 GIT_TRACE_SETUP=1` output for `git rev-parse --show-toplevel`
on each fixture (with the gitdb/smmap entries stripped from
`safe.directory` to reproduce the failing state).

Strips the 256-job `reproduce-safe-dir` matrix to keep CI burden minimal.

This branch should be deleted once the data is captured.

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/cygwin-test.yml b/.github/workflows/cygwin-test.yml
@@ -67,6 +67,128 @@ jobs:
       run: |
         ./init-tests-after-clone.sh
 
+    - name: Diagnose v2 — Windows ACL inspection (icacls, Get-Acl)
+      shell: pwsh
+      if: always()
+      run: |
+        $repo = "D:\a\GitPython\GitPython"
+        $paths = @(
+          $repo,
+          "$repo\.git",
+          "$repo\git\ext\gitdb",
+          "$repo\git\ext\gitdb\.git",
+          "$repo\.git\modules\gitdb",
+          "$repo\git\ext\gitdb\gitdb\ext\smmap",
+          "$repo\git\ext\gitdb\gitdb\ext\smmap\.git",
+          "$repo\.git\modules\gitdb\modules\smmap"
+        )
+        foreach ($p in $paths) {
+          Write-Host "==== $p"
+          if (Test-Path -LiteralPath $p) {
+            $item = Get-Item -LiteralPath $p -Force
+            Write-Host "Type: $(if ($item.PSIsContainer) {'Directory'} else {'File'})"
+            $acl = Get-Acl -LiteralPath $p
+            Write-Host "Owner: $($acl.Owner)"
+            Write-Host "Group: $($acl.Group)"
+            Write-Host "Sddl:  $($acl.Sddl)"
+            Write-Host "Access:"
+            $acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags -AutoSize
+            Write-Host "icacls output:"
+            icacls $p
+          } else {
+            Write-Host "(does not exist)"
+          }
+          Write-Host ""
+        }
+
+    - name: Diagnose v2 — Cygwin GIT_TRACE2, mount, system gitconfig, env
+      run: |
+        set +e
+        echo "==================================================================="
+        echo "Cygwin user identity"
+        echo "==================================================================="
+        whoami
+        id
+        echo
+        echo "==================================================================="
+        echo "Cygwin: getent passwd <user>"
+        echo "==================================================================="
+        getent passwd "$(whoami)" 2>&1
+        echo
+        echo "==================================================================="
+        echo "Cygwin: mount points (look for ntsec/acl flags)"
+        echo "==================================================================="
+        mount
+        echo
+        echo "==================================================================="
+        echo "Git: env-related to config"
+        echo "==================================================================="
+        env | grep -iE 'GIT|HOME' | sort
+        echo
+        echo "==================================================================="
+        echo "Git: full safe.directory at all config scopes"
+        echo "==================================================================="
+        echo "system:"
+        git config --system --get-all safe.directory 2>&1
+        echo "global:"
+        git config --global --get-all safe.directory 2>&1
+        echo "(no --local since not in any single repo)"
+        echo
+        echo "==================================================================="
+        echo "Git: which gitconfig file"
+        echo "==================================================================="
+        git config --list --show-origin --show-scope 2>&1 | head -40
+        echo
+        echo "==================================================================="
+        echo "Real-path comparison (Cygwin realpath)"
+        echo "==================================================================="
+        for path in \
+          "$(pwd)" \
+          "$(pwd)/.git" \
+          "$(pwd)/git/ext/gitdb" \
+          "$(pwd)/git/ext/gitdb/.git" \
+          "$(pwd)/.git/modules/gitdb" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
+          "$(pwd)/.git/modules/gitdb/modules/smmap"; do
+          echo "--- $path"
+          echo "  realpath: $(realpath "$path" 2>&1)"
+          echo "  cygpath -w: $(cygpath -w "$path" 2>&1)"
+          echo "  cygpath -W: $(cygpath -W 2>&1) (Cygwin Windows dir)"
+        done
+        echo
+        echo "==================================================================="
+        echo "GIT_TRACE2 of rev-parse on each fixture (with restricted safe.directory)"
+        echo "==================================================================="
+        # Strip the fix's safe.directory entries to reproduce the failing state.
+        SAVED="$(git config --global --get-all safe.directory)"
+        git config --global --unset-all safe.directory
+        echo "$SAVED" | grep -v 'git/ext/gitdb' | while read -r entry; do
+          [ -n "$entry" ] && git config --global --add safe.directory "$entry"
+        done
+        echo "Restricted safe.directory:"
+        git config --global --get-all safe.directory
+        echo
+        for fixture in \
+          "$(pwd)" \
+          "$(pwd)/git/ext/gitdb" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap"; do
+          echo "----------------- $fixture -----------------"
+          GIT_TRACE2=1 GIT_TRACE_SETUP=1 git -C "$fixture" rev-parse --show-toplevel 2>&1 | head -80
+          echo "(rc=$?)"
+          echo
+        done
+        # Restore.
+        git config --global --unset-all safe.directory
+        echo "$SAVED" | while read -r entry; do
+          [ -n "$entry" ] && git config --global --add safe.directory "$entry"
+        done
+        echo
+        echo "==================================================================="
+        echo "End diagnostic v2"
+        echo "==================================================================="
+        true
+
     - &git-identity
       name: Set git user identity and command aliases for the tests
       run: |
@@ -103,34 +225,3 @@ jobs:
     - name: Test with pytest (${{ matrix.additional-pytest-args }})
       run: |
         pytest --color=yes -p no:sugar --instafail -vv ${{ matrix.additional-pytest-args }}
-
-  reproduce-safe-dir:
-    strategy:
-      matrix:
-        run: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256]
-      fail-fast: false
-
-    runs-on: windows-latest
-
-    env: *cygwin-env
-
-    defaults: *cygwin-defaults
-
-    steps:
-    - *force-lf
-    - *checkout
-    - *install-cygwin
-    - *verbose-output
-    - *safe-directory
-    - *prepare-repo
-    - *git-identity
-    - *setup-venv
-    - *update-pypa
-    - *install-deps
-
-    - name: Run submodule tests
-      run: |
-        python -m pytest -vv \
-          test/test_docs.py::Tutorials::test_submodules \
-          test/test_repo.py::TestRepo::test_submodules \
-          test/test_submodule.py::TestSubmodule::test_root_module
