Skip to content

Test git identity (t) can leak into the repo under concurrent git operations #17

Description

@REPPL

Summary

Three commits in v0.8.0 history are authored t <t@localhost> (0cec455, 82a6df0, 9aa9516 — all CHANGELOG conflict-resolution merge commits). The t identity traces to a test fixture, and it leaked during concurrent git operations. Filing so we prevent recurrence.

Root cause (tracked down)

  • The literal t <t@localhost> identity is set only in cmd/init_github_gate_test.go (its run helper: git config user.name t / user.email t@localhost).
  • That test is isolated — the run helper uses git -C <t.TempDir()>, so the config write targets a temp repo, never the working repo. Every git-config-writing test is likewise scoped: -C <tempdir> in cmd/, or cmd.Dir = <tempdir> + gitIsolatedEnv() in evals/.
  • Confirmed empirically: a normal go test ./... does not change the repo's git config user.name (it stayed correct across runs).
  • The leak happened once, during concurrent git operations: running git worktree add while a background go test was in flight corrupted the working repo's core.bare flag (observed flipping to true). In that corrupted state git lost track of repo boundaries and an isolated test's identity — plus some fixture commits (base, seed, ferry import: ingest bundle) — leaked into the working repo's local config and a worktree branch.

So this is not a plain test-isolation bug (the tests are correctly scoped). It is a git-state-corruption hazard triggered by concurrent heavy git operations on one repo.

Prevention

  1. Operational (primary). Don't run git-mutating operations (git worktree add, merges) concurrently with a go test / tooling run against the same repo. Worth a line in CONTRIBUTING/AGENTS.md, and/or a local guardrail.
  2. Defensive hardening (code). The cmd/ git-invoking test helpers scope the repo (-C <tempdir>) but, unlike the evals/ helpers, do not set an isolated git env (gitIsolatedEnv() — isolated HOME, GIT_CONFIG_GLOBAL, GIT_CONFIG_SYSTEM). Giving the cmd/ helpers the same isolated env is defense-in-depth, and separately fixes a latent issue: those tests currently read the developer's real global gitconfig. (It would not fully prevent the corruption-path leak above, but it shrinks the blast radius and is good hygiene.)

Note

The three t-authored merge commits are permanently in main / the v0.8.0 tag — removing them needs a force-push (against policy), so they remain as cosmetic mis-attribution. The working repo's local git identity has been reset to the correct global identity.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions