Fix Git safe.directory errors across all roles (Git 2.35+)

[Copilot]

Git 2.35+ enforces safe.directory protections, causing fatal: detected dubious ownership errors during deployments when git operations run under users that don't match directory ownership.

Changes

Added two tasks before git operations in affected roles:

1. Ownership enforcement

- name: Ensure code directory ownership is correct for git
  become: yes
  file:
    path: "{{ app_code_dir }}"
    owner: "{{ app_user }}"
    group: "{{ app_user }}"
    recurse: yes

2. Idempotent safe.directory configuration

- name: Mark code directory as safe for git
  become: yes
  become_user: "{{ app_user }}"
  shell: >
    git config --global --get-all safe.directory | grep -qx "{{ app_code_dir }}" ||
    git config --global --add safe.directory "{{ app_code_dir }}"
  changed_when: false

Roles Updated

• edxapp (tasks/deploy.yml) - edx-platform checkouts
• forum (tasks/deploy.yml) - cs_comments_service checkouts
• tableau (tasks/main.yml) - tableau repo checkouts
• git_clone (tasks/main.yml) - shared git handler; also fixed existing safe.directory task to run as repo_owner instead of root

The git_clone changes fix 20+ services indirectly: analytics_api, blockstore, credentials, discovery, ecommerce, insights, registrar, mfe, and all other services using edx_service/edx_django_service.

Notes

• Uses role-specific variables throughout (e.g., {{ edxapp_user }}, {{ forum_code_dir }})
• Safe.directory check prevents duplicate entries on repeated runs
• Backwards compatible; no changes to existing git operation logic

Original prompt

We are seeing Git "dubious ownership" / safe.directory errors across many applications managed by the edx/configuration repository, not just edxapp.

Example error (from edxapp, but similar patterns are appearing elsewhere):

TASK [edxapp : git clean after checking out edx-platform] **********************
fatal: [10.4.11.213]: FAILED! => {
  "changed": true,
  "cmd": "cd /edx/app/edxapp/edx-platform && git -c safe.directory='/edx/app/edxapp/edx-platform' clean -xdf",
  "delta": "0:00:00.003380",
  "end": "2026-02-18 11:42:14.074786",
  "rc": 128,
  "start": "2026-02-18 11:42:14.071406"
}
STDERR:
 fatal: detected dubious ownership in repository at '/edx/app/edxapp/edx-platform'
 To add an exception for this directory, call:
   git config --global --add safe.directory /edx/app/edxapp/edx-platform
MSG: non-zero return code

The underlying cause is consistent: newer Git versions (2.35+) enforce safe.directory protections and refuse to operate in repositories where the effective user running git does not match expected ownership or where the directory hierarchy appears unsafe. Our Ansible roles in edx/configuration perform GitHub checkouts for multiple apps (edxapp, and others) and then run git operations (e.g., git clean, git pull, etc.), which are now failing under these protections.

We already have a targeted PR in-flight for edxapp, but we now want a more global, systematic fix that applies to all apps defined in edx/configuration that check out code from GitHub and run git commands.

Goals for this PR:

1. Implement a global pattern in edx/configuration for safely handling Git checkouts for all app roles that pull code from GitHub and then run git commands.

2. Target branch: master.

3. The solution should be:

   • Robust and idempotent.
   • Expressed using existing variables (e.g., {{ app_user }}, {{ app_code_dir }}, or the role-specific equivalents like {{ edxapp_user }}, {{ edxapp_code_dir }}) instead of hard-coded usernames or paths.
   • Backwards compatible: safe to apply on existing hosts without disrupting current deployments.

4. Implementation strategy (to be reflected in code changes):

   For each applicable role / play that manages a Git checkout for an app (including but not limited to edxapp), do the following before any git operations (checkout, pull, clean, etc.):

   a. Ensure correct ownership of the code directory

   • Add an Ansible file task to enforce appropriate ownership on the app's code directory. For example, in pseudo-code:

     - name: Ensure {{ app_name }} code directory ownership is correct for git
       become: yes
       file:
         path: "{{ app_code_dir }}"   # or role-specific var, e.g. {{ edxapp_code_dir }}
         owner: "{{ app_user }}"      # or {{ edxapp_user }}
         group: "{{ app_user }}"
         recurse: yes

   • This should be placed before any git tasks (e.g., git clean, git pull, or custom command/shell tasks invoking git) that operate on the app's code directory.

   b. Mark the directory as safe for Git for the app user

   • For environments where Git may still consider the repo "dubious" due to higher-level directory ownership or other security heuristics, explicitly configure safe.directory for the app's code directory, executed as the app user:

     - name: Mark {{ app_name }} code directory as safe for git
       become: yes
       become_user: "{{ app_user }}"   # or role-specific var
       command: >
         git config --global --add safe.directory "{{ app_code_dir }}"
       changed_when: false

   • This ensures Git can operate on that repository for the app user without triggering rc: 128 errors due to safe.directory checks.

5. Scope of changes:

   • Identify all roles and tasks in edx/configuration that:

     • Clone or pull application code from GitHub (e.g., edxapp, ecommerce, discovery, credentials, or any others defined in the repo), and
     • Run git commands on those directories (via git, command, shell, or specific Ansible git modules).

   • For each such app/role, add tasks implementing (4a) and (4b) using the role's existing variables for user and code directory.

   • If there is a shared or common pattern (for example, a base role or helper tasks included by multiple app roles for Git checkouts), prefer implementing the logic in that shared place to avoid duplication; otherwise, implement per-role.

6. Documentation and comments:

   • In each new task or in a shared role/task file, add a brief comment explaining that the logic is to mitigate Git's safe.directory / "dubious ownership" protections introduced in newer Git versions.

7. Testing / validation expectations:

   • Ensure that Ansible syntax is valid and that tasks respect existing variable names and patterns.
   • Where possible, align with existing tests or sanity checks in the repository (if ...

This pull request was created from Copilot chat.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.