Cirrus: Fix ownership of repos. to keep git happy

Newer versions of git are much more pedantic about who owns the
repository files.  When setting up to run rootless, prior to this
commit, the repo. ownership was changed from root.  This causes
all subsequent git-operations as root to fail:

    ```
    fatal: unsafe repository ('<$GOSRC>' is owned by someone else)
    ```

Fix this by re-ordering operations, such that the change in ownership is
done immediately before executing as a user.  Also disable the
git-ownership check on the source repository assuming the CI environment
is disposable.

Signed-off-by: Chris Evich <cevich@redhat.com>

3 files changed, 12 insertions, 4 deletions

diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index d068ba66d..5d58042a5 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -169,10 +169,6 @@ setup_rootless() {
     groupadd -g $rootless_gid $ROOTLESS_USER
     useradd -g $rootless_gid -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER
 
-    # We also set up rootless user for image-scp tests (running as root)
-    if [[ $PRIV_NAME = "rootless" ]]; then
-        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
-    fi
     echo "$ROOTLESS_USER ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/ci-rootless
 
     mkdir -p "$HOME/.ssh" "/home/$ROOTLESS_USER/.ssh"
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index 832339d07..101270703 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -449,6 +449,13 @@ if [[ "$PRIV_NAME" == "rootless" ]] && [[ "$UID" -eq 0 ]]; then
     # https://github.com/containers/podman/issues/10857
     rm -rf /var/lib/cni
 
+    # This must be done at the last second, otherwise `make` calls
+    # in setup_environment (as root) will balk about ownership.
+    msg "Recursively chowning \$GOPATH and \$GOSRC to $ROOTLESS_USER"
+    if [[ $PRIV_NAME = "rootless" ]]; then
+        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+    fi
+
     req_env_vars ROOTLESS_USER
     msg "Re-executing runner through ssh as user '$ROOTLESS_USER'"
     msg "************************************************************"
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index cf53dfcc8..e3eb46783 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -42,6 +42,8 @@ cp hack/podman-registry /bin
 _gc='git config --file /root/.gitconfig'
 $_gc user.email "TMcTestFace@example.com"
 $_gc user.name "Testy McTestface"
+# Bypass git safety/security checks when operating in a throwaway environment
+git config --system --add safe.directory $GOSRC
 
 # Ensure that all lower-level contexts and child-processes have
 # ready access to higher level orchestration (e.g Cirrus-CI)
@@ -304,6 +306,9 @@ case "$TEST_FLAVOR" in
         # Guarantee the docker daemon can't be started, even by accident
         rm -vf $(type -P dockerd)
 
+        msg "Recursively chowning source to $ROOTLESS_USER"
+        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+
         msg "Obtaining necessary gitlab-runner testing bits"
         slug="gitlab.com/gitlab-org/gitlab-runner"
         helper_fqin="registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-latest-pwsh"