From a1cdbd58f0af27be689230b7d8009d93bc34abca Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sat, 28 Mar 2026 10:46:10 +0100 Subject: [PATCH 01/17] t0001: allow implicit bare repo discovery for aliased-command test 8d1a7448206e (setup.c: create `safe.bareRepository`, 2022-07-14) introduced a setting to restrict implicit bare repository discovery, mitigating a social-engineering attack where an embedded bare repo's hooks get executed unknowingly. To allow for that default to change at some stage in the future, the tests need to be prepared. This commit adjusts a test accordingly that runs `git aliasedinit` from inside a bare repo to verify that aliased commands work there. The test is about alias resolution, not bare repo discovery, so add `test_config_global safe.bareRepository all` to opt in explicitly. Signed-off-by: Johannes Schindelin --- t/t0001-init.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/t0001-init.sh b/t/t0001-init.sh index e4d32bb4d259f6..6bd0a15dac1869 100755 --- a/t/t0001-init.sh +++ b/t/t0001-init.sh @@ -77,6 +77,7 @@ test_expect_success 'plain nested through aliased command' ' ' test_expect_success 'plain nested in bare through aliased command' ' + test_config_global safe.bareRepository all && ( git init --bare bare-ancestor-aliased.git && cd bare-ancestor-aliased.git && From 78744602fb33978a9f674f5f9860c58e7734d2e8 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 20:32:35 +0200 Subject: [PATCH 02/17] t0001: replace `cd`+`git` with `git --git-dir` in `check_config` To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), replace `cd && git config` with `git --git-dir= config` so the helper does not rely on implicit bare repository discovery. Signed-off-by: Johannes Schindelin --- t/t0001-init.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t0001-init.sh b/t/t0001-init.sh index 6bd0a15dac1869..db2bf1001f1bd3 100755 --- a/t/t0001-init.sh +++ b/t/t0001-init.sh @@ -20,8 +20,8 @@ check_config () { return 1 fi - bare=$(cd "$1" && git config --bool core.bare) - worktree=$(cd "$1" && git config core.worktree) || + bare=$(git --git-dir="$1" config --bool core.bare) + worktree=$(git --git-dir="$1" config core.worktree) || worktree=unset test "$bare" = "$2" && test "$worktree" = "$3" || { From a4f7a6df516c848936e6952dac8ca02ccb0ac643 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sat, 28 Mar 2026 10:53:36 +0100 Subject: [PATCH 03/17] t0003: use `--git-dir` for bare repo attribute tests The bare repo tests in t0003-attributes.sh currently `cd` into the bare repository inside subshells, relying on implicit discovery. Restructure these tests to pass `--git-dir=bare.git` to the `attr_check` and `attr_check_source` helpers instead. This makes the code much easier to read, and also makes bare repo access explicit, i.e. compatible with an eventual `safe.bareRepository=explicit` default. Signed-off-by: Johannes Schindelin --- t/t0003-attributes.sh | 66 ++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 39 deletions(-) diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh index 582e207aa12eb1..3a34f5dbc24eaa 100755 --- a/t/t0003-attributes.sh +++ b/t/t0003-attributes.sh @@ -346,17 +346,14 @@ test_expect_success 'setup bare' ' test_expect_success 'bare repository: check that .gitattribute is ignored' ' ( - cd bare.git && - ( - echo "f test=f" && - echo "a/i test=a/i" - ) >.gitattributes && - attr_check f unspecified && - attr_check a/f unspecified && - attr_check a/c/f unspecified && - attr_check a/i unspecified && - attr_check subdir/a/i unspecified - ) + echo "f test=f" && + echo "a/i test=a/i" + ) >bare.git/.gitattributes && + attr_check f unspecified --git-dir=bare.git && + attr_check a/f unspecified --git-dir=bare.git && + attr_check a/c/f unspecified --git-dir=bare.git && + attr_check a/i unspecified --git-dir=bare.git && + attr_check subdir/a/i unspecified --git-dir=bare.git ' bad_attr_source_err="fatal: bad --attr-source or GIT_ATTR_SOURCE" @@ -449,41 +446,32 @@ test_expect_success 'diff without repository with attr source' ' ' test_expect_success 'bare repository: with --source' ' - ( - cd bare.git && - attr_check_source foo/bar/f f tag-1 && - attr_check_source foo/bar/a/i n tag-1 && - attr_check_source foo/bar/f unspecified tag-2 && - attr_check_source foo/bar/a/i m tag-2 && - attr_check_source foo/bar/g g tag-2 && - attr_check_source foo/bar/g unspecified tag-1 - ) + attr_check_source foo/bar/f f tag-1 --git-dir=bare.git && + attr_check_source foo/bar/a/i n tag-1 --git-dir=bare.git && + attr_check_source foo/bar/f unspecified tag-2 --git-dir=bare.git && + attr_check_source foo/bar/a/i m tag-2 --git-dir=bare.git && + attr_check_source foo/bar/g g tag-2 --git-dir=bare.git && + attr_check_source foo/bar/g unspecified tag-1 --git-dir=bare.git ' test_expect_success 'bare repository: check that --cached honors index' ' - ( - cd bare.git && - GIT_INDEX_FILE=../.git/index \ - git check-attr --cached --stdin --all <../stdin-all | - sort >actual && - test_cmp ../specified-all actual - ) + GIT_INDEX_FILE=.git/index \ + git --git-dir=bare.git check-attr --cached --stdin --all actual && + test_cmp specified-all actual ' test_expect_success 'bare repository: test info/attributes' ' + mkdir -p bare.git/info && ( - cd bare.git && - mkdir info && - ( - echo "f test=f" && - echo "a/i test=a/i" - ) >info/attributes && - attr_check f f && - attr_check a/f f && - attr_check a/c/f f && - attr_check a/i a/i && - attr_check subdir/a/i unspecified - ) + echo "f test=f" && + echo "a/i test=a/i" + ) >bare.git/info/attributes && + attr_check f f --git-dir=bare.git && + attr_check a/f f --git-dir=bare.git && + attr_check a/c/f f --git-dir=bare.git && + attr_check a/i a/i --git-dir=bare.git && + attr_check subdir/a/i unspecified --git-dir=bare.git ' test_expect_success 'binary macro expanded by -a' ' From 5b6bb1863227cf95700fab4934ec2e1dac9570aa Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sat, 28 Mar 2026 10:59:17 +0100 Subject: [PATCH 04/17] t0056: allow implicit bare repo discovery for `-C` work-tree tests The `git -C c/a.git --work-tree=../a` invocations in t0056-git-C.sh enter what is technically the `.git` directory of a repository to test `-C` combined with `--work-tree`. In doing so, the code relies on implicit discovery of bare repositories, which 8d1a7448206e (setup.c: create `safe.bareRepository`, 2022-07-14) prepared to be prevented by default. These tests verify the interaction between those flags, so changing them to use `--git-dir` would defeat their purpose. So let's just temporarily force-enable implicit discovery of bare repositories, no matter what `safe.bareRepository` defaults to. Signed-off-by: Johannes Schindelin --- t/t0056-git-C.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/t/t0056-git-C.sh b/t/t0056-git-C.sh index 2630e756dab732..6b7122add56b2b 100755 --- a/t/t0056-git-C.sh +++ b/t/t0056-git-C.sh @@ -57,11 +57,13 @@ test_expect_success 'Order should not matter: "--git-dir=a.git -C c" is equivale test_expect_success 'Effect on --work-tree option: "-C c/a.git --work-tree=../a" is equivalent to "--work-tree=c/a --git-dir=c/a.git"' ' rm c/a/a.txt && git --git-dir=c/a.git --work-tree=c/a status >expected && + test_config_global safe.bareRepository all && git -C c/a.git --work-tree=../a status >actual && test_cmp expected actual ' test_expect_success 'Order should not matter: "--work-tree=../a -C c/a.git" is equivalent to "-C c/a.git --work-tree=../a"' ' + test_config_global safe.bareRepository all && git -C c/a.git --work-tree=../a status >expected && git --work-tree=../a -C c/a.git status >actual && test_cmp expected actual From c38f0a68f10df01ee2c99f05d0f33a0a517ffb50 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sat, 28 Mar 2026 11:08:16 +0100 Subject: [PATCH 05/17] t1020: use `--git-dir` instead of subshell for bare repo Replace an unnecessarily complex subshell pattern with a much simpler `--git-dir`-based one. The latter is not only simpler, it also no longer relies on implicit bare repo discovery, which would fail with `safe.bareRepository=explicit`. Signed-off-by: Johannes Schindelin --- t/t1020-subdirectory.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/t/t1020-subdirectory.sh b/t/t1020-subdirectory.sh index 9fdbb2af80e0a8..20d2d306fecdce 100755 --- a/t/t1020-subdirectory.sh +++ b/t/t1020-subdirectory.sh @@ -177,10 +177,7 @@ test_expect_success 'no file/rev ambiguity check inside a bare repo (explicit GI test_expect_success 'no file/rev ambiguity check inside a bare repo' ' test_when_finished "rm -fr foo.git" && git clone -s --bare .git foo.git && - ( - cd foo.git && - git show -s HEAD - ) + git --git-dir=foo.git show -s HEAD ' test_expect_success SYMLINKS 'detection should not be fooled by a symlink' ' From a084c39273ec9e613fe1c6c982700292f5ddb705 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sat, 28 Mar 2026 16:26:02 +0100 Subject: [PATCH 06/17] t1900: avoid using `-C ` for a bare repository To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), add an optional 6th parameter `repo_flag` (defaulting to `-C`) to the `test_repo_info` helper, and use it in the caller that wants to operate on a bare repository. Signed-off-by: Johannes Schindelin --- t/t1900-repo-info.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/t/t1900-repo-info.sh b/t/t1900-repo-info.sh index 39bb77dda0c327..6280da1efb426a 100755 --- a/t/t1900-repo-info.sh +++ b/t/t1900-repo-info.sh @@ -20,6 +20,7 @@ test_repo_info () { repo_name=$3 key=$4 expected_value=$5 + repo_flag=${6:--C} test_expect_success "setup: $label" ' eval "$init_command $repo_name" @@ -27,13 +28,13 @@ test_repo_info () { test_expect_success "lines: $label" ' echo "$key=$expected_value" > expect && - git -C "$repo_name" repo info "$key" >actual && + git $repo_flag "$repo_name" repo info "$key" >actual && test_cmp expect actual ' test_expect_success "nul: $label" ' printf "%s\n%s\0" "$key" "$expected_value" >expect && - git -C "$repo_name" repo info --format=nul "$key" >actual && + git $repo_flag "$repo_name" repo info --format=nul "$key" >actual && test_cmp_bin expect actual ' } @@ -48,7 +49,7 @@ test_repo_info 'bare repository = false is retrieved correctly' \ 'git init' 'nonbare' 'layout.bare' 'false' test_repo_info 'bare repository = true is retrieved correctly' \ - 'git init --bare' 'bare' 'layout.bare' 'true' + 'git init --bare' 'bare' 'layout.bare' 'true' '--git-dir' test_repo_info 'shallow repository = false is retrieved correctly' \ 'git init' 'nonshallow' 'layout.shallow' 'false' From 6a7730cf57b6b5efbc8d0556e19c8117955a74de Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 20:32:12 +0200 Subject: [PATCH 07/17] t2400: explicitly specify bare repo for `git worktree add` To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), specify the gitdir specifically in bare-repo `git worktree add` invocations via `--git-dir=.` so Git does not rely on implicit bare repository discovery. While at it, also avoid unnecessary subshells and `cd`ing. This simplifies the logic in a rather pleasant way. Signed-off-by: Johannes Schindelin --- t/t2400-worktree-add.sh | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/t/t2400-worktree-add.sh b/t/t2400-worktree-add.sh index 023e1301c8e68e..0f8c83764705e7 100755 --- a/t/t2400-worktree-add.sh +++ b/t/t2400-worktree-add.sh @@ -171,11 +171,8 @@ test_expect_success 'not die on re-checking out current branch' ' ' test_expect_success '"add" from a bare repo' ' - ( - git clone --bare . bare && - cd bare && - git worktree add -b bare-main ../there2 main - ) + git clone --bare . bare && + git -C bare --git-dir=. worktree add -b bare-main ../there2 main ' test_expect_success 'checkout from a bare repo without "add"' ' @@ -186,15 +183,11 @@ test_expect_success 'checkout from a bare repo without "add"' ' ' test_expect_success '"add" default branch of a bare repo' ' - ( - git clone --bare . bare2 && - cd bare2 && - git worktree add ../there3 main && - cd ../there3 && - # Simple check that a Git command does not - # immediately fail with the current setup - git status - ) && + git clone --bare . bare2 && + git -C bare2 --git-dir=. worktree add ../there3 main && + # Simple check that a Git command does not + # immediately fail with the current setup + git status && cat >expect <<-EOF && init.t EOF From 2905e000c526e6fe7140bec7a7ead152b495db65 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 14:01:24 +0200 Subject: [PATCH 08/17] t2406: use `--git-dir=.` for bare repository worktree repair To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), the test case t2406.10(repair .git file from bare.git) cannot rely on the implicit discovery of thee bare repository. Simply add a `--git-dir=.` to the invocation. The `-C bare.git` argument is still needed so that the `repair` command realizes works on the intended directory. Signed-off-by: Johannes Schindelin --- t/t2406-worktree-repair.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t2406-worktree-repair.sh b/t/t2406-worktree-repair.sh index f5f19b3169384f..cac448b57559c9 100755 --- a/t/t2406-worktree-repair.sh +++ b/t/t2406-worktree-repair.sh @@ -84,7 +84,7 @@ test_expect_success 'repair .git file from bare.git' ' git -C bare.git worktree add --detach ../corrupt && git -C corrupt rev-parse --absolute-git-dir >expect && rm -f corrupt/.git && - git -C bare.git worktree repair && + git -C bare.git --git-dir=. worktree repair && git -C corrupt rev-parse --absolute-git-dir >actual && test_cmp expect actual ' From 9001883e152407464c83227f1e09664d0d8826b5 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 1 Apr 2026 18:10:26 +0200 Subject: [PATCH 09/17] t5503: avoid discovering a bare repository The test case "fetch specific OID with tag following" creates a bare repository and wants to operate on it by changing the working directory and relying on Git's implicit discovery of the bare repository. Once the `safe.bareRepository` default is changed, this is no longer an option. So let's adjust the commands to specify the bare repository explicitly, via `--git-dir`, and avoid changing the working directory. As a bonus, the result is arguably more readable than the original code. Signed-off-by: Johannes Schindelin --- t/t5503-tagfollow.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/t/t5503-tagfollow.sh b/t/t5503-tagfollow.sh index febe44104177e1..6d178d84dde811 100755 --- a/t/t5503-tagfollow.sh +++ b/t/t5503-tagfollow.sh @@ -168,16 +168,13 @@ test_expect_success 'new clone fetch main and tags' ' test_expect_success 'fetch specific OID with tag following' ' git init --bare clone3.git && - ( - cd clone3.git && - git remote add origin .. && - git fetch origin $B:refs/heads/main && + git --git-dir=clone3.git remote add origin "$PWD" && + git --git-dir=clone3.git fetch origin $B:refs/heads/main && - git -C .. for-each-ref >expect && - git for-each-ref >actual && + git for-each-ref >expect && + git --git-dir=clone3.git for-each-ref >actual && - test_cmp expect actual - ) + test_cmp expect actual ' test_done From 6932658411309228d2d670d9b6c2e4be4f17f985 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 20:32:23 +0200 Subject: [PATCH 10/17] t5505: export `GIT_DIR` after `git init --bare` To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), export `GIT_DIR=.` right after `git init --bare &&` so subsequent commands access the bare repo explicitly. Signed-off-by: Johannes Schindelin --- t/t5505-remote.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t5505-remote.sh b/t/t5505-remote.sh index e592c0bcde91e9..6d3d8510cae191 100755 --- a/t/t5505-remote.sh +++ b/t/t5505-remote.sh @@ -561,7 +561,7 @@ test_expect_success 'add --mirror && prune' ' mkdir mirror && ( cd mirror && - git init --bare && + git init --bare && GIT_DIR=. && export GIT_DIR && git remote add --mirror -f origin ../one ) && ( @@ -583,7 +583,7 @@ test_expect_success 'add --mirror setting HEAD' ' mkdir headmirror && ( cd headmirror && - git init --bare -b notmain && + git init --bare -b notmain && GIT_DIR=. && export GIT_DIR && git remote add --mirror -f origin ../one && test "$(git symbolic-ref HEAD)" = "refs/heads/main" ) From 2f1e745b551e5cd492389bb20d1252042cde3141 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 20:33:02 +0200 Subject: [PATCH 11/17] t5509: specify bare repository path explicitly When `ls-remote` is told to switch the current working directory to the bare repository `pushee` via `-C pushee`, as part of the `safe.bareRepository` preparation let's append `--git-dir=.` to spell out that this is a bare repository that does not need to be discovered implictly. Signed-off-by: Johannes Schindelin --- t/t5509-fetch-push-namespaces.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/t/t5509-fetch-push-namespaces.sh b/t/t5509-fetch-push-namespaces.sh index 095df1a7535d57..5167c16c1f05e1 100755 --- a/t/t5509-fetch-push-namespaces.sh +++ b/t/t5509-fetch-push-namespaces.sh @@ -88,7 +88,7 @@ test_expect_success 'mirroring a repository using a ref namespace' ' test_expect_success 'hide namespaced refs with transfer.hideRefs' ' GIT_NAMESPACE=namespace \ - git -C pushee -c transfer.hideRefs=refs/tags \ + git -C pushee --git-dir=. -c transfer.hideRefs=refs/tags \ ls-remote "ext::git %s ." >actual && printf "$commit1\trefs/heads/main\n" >expected && test_cmp expected actual @@ -97,7 +97,7 @@ test_expect_success 'hide namespaced refs with transfer.hideRefs' ' test_expect_success 'check that transfer.hideRefs does not match unstripped refs' ' git -C pushee pack-refs --all && GIT_NAMESPACE=namespace \ - git -C pushee -c transfer.hideRefs=refs/namespaces/namespace/refs/tags \ + git -C pushee --git-dir=. -c transfer.hideRefs=refs/namespaces/namespace/refs/tags \ ls-remote "ext::git %s ." >actual && printf "$commit1\trefs/heads/main\n" >expected && printf "$commit0\trefs/tags/0\n" >>expected && @@ -107,7 +107,7 @@ test_expect_success 'check that transfer.hideRefs does not match unstripped refs test_expect_success 'hide full refs with transfer.hideRefs' ' GIT_NAMESPACE=namespace \ - git -C pushee -c transfer.hideRefs="^refs/namespaces/namespace/refs/tags" \ + git -C pushee --git-dir=. -c transfer.hideRefs="^refs/namespaces/namespace/refs/tags" \ ls-remote "ext::git %s ." >actual && printf "$commit1\trefs/heads/main\n" >expected && test_cmp expected actual From c8789bd5423cec3a52dea88b78a7ca541ab9db06 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 1 Apr 2026 19:01:34 +0200 Subject: [PATCH 12/17] t5540/t5541: avoid accessing a bare repository via `-C ` In the `test_http_push_nonff` function both of these test scripts call, there were two Git invocations that assume that bare repositories will always be discovered when the current working directory is inside one. This is unlikely to be true forever because at some stage, the `safe.bareRepository` config is prone to be modified to be safe by default. So let's be safe and specify the bare repository explicitly. Signed-off-by: Johannes Schindelin --- t/lib-httpd.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh index 4c76e813e396bf..f15158b2c579c7 100644 --- a/t/lib-httpd.sh +++ b/t/lib-httpd.sh @@ -259,7 +259,7 @@ test_http_push_nonff () { test_expect_success 'non-fast-forward push fails' ' cd "$REMOTE_REPO" && - HEAD=$(git rev-parse --verify HEAD) && + HEAD=$(git --git-dir=. rev-parse --verify HEAD) && cd "$LOCAL_REPO" && git checkout $BRANCH && @@ -270,7 +270,7 @@ test_http_push_nonff () { ( cd "$REMOTE_REPO" && echo "$HEAD" >expect && - git rev-parse --verify HEAD >actual && + git --git-dir=. rev-parse --verify HEAD >actual && test_cmp expect actual ) ' @@ -284,18 +284,16 @@ test_http_push_nonff () { ' test_expect_${EXPECT_CAS_RESULT} 'force with lease aka cas' ' - HEAD=$( cd "$REMOTE_REPO" && git rev-parse --verify HEAD ) && + HEAD=$(git --git-dir="$REMOTE_REPO" rev-parse --verify HEAD) && test_when_finished '\'' - (cd "$REMOTE_REPO" && git update-ref HEAD "$HEAD") + git --git-dir="$REMOTE_REPO" update-ref HEAD "$HEAD" '\'' && ( cd "$LOCAL_REPO" && git push -v --force-with-lease=$BRANCH:$HEAD origin ) && git rev-parse --verify "$BRANCH" >expect && - ( - cd "$REMOTE_REPO" && git rev-parse --verify HEAD - ) >actual && + git --git-dir="$REMOTE_REPO" rev-parse --verify HEAD >actual && test_cmp expect actual ' } From f09a96e55ddcc95229efe37d2ec495ee40b4110e Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 16:27:35 +0200 Subject: [PATCH 13/17] t5619: wrap `test_commit_bulk` in `GIT_DIR` subshell for bare repo To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), wrap the `test_commit_bulk` call in `(GIT_DIR="$REPO" && export GIT_DIR && test_commit_bulk ...)` because `test_commit_bulk -C` relies on implicit discovery which would fail once the default changes. Signed-off-by: Johannes Schindelin --- t/t5619-clone-local-ambiguous-transport.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t5619-clone-local-ambiguous-transport.sh b/t/t5619-clone-local-ambiguous-transport.sh index cce62bf78d3351..3e9aac9015a01d 100755 --- a/t/t5619-clone-local-ambiguous-transport.sh +++ b/t/t5619-clone-local-ambiguous-transport.sh @@ -21,7 +21,7 @@ test_expect_success 'setup' ' echo "secret" >sensitive/secret && git init --bare "$REPO" && - test_commit_bulk -C "$REPO" --ref=main 1 && + (GIT_DIR="$REPO" && export GIT_DIR && test_commit_bulk --ref=main 1) && git -C "$REPO" update-ref HEAD main && git -C "$REPO" update-server-info && From 01ec77c9080dab28afd3f013397abcf498db8798 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 17:46:47 +0200 Subject: [PATCH 14/17] t6020: use `-C` for worktree, `--git-dir` for bare repository To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), adjust a loop that iterated over both a bare (`cloned`) and a non-bare (`unbundled`) repository using the same `-C` flag: the bare repo needs `--git-dir` to avoid implicit discovery, while the non-bare one keeps `-C`. Signed-off-by: Johannes Schindelin --- t/t6020-bundle-misc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t6020-bundle-misc.sh b/t/t6020-bundle-misc.sh index 500c81b8a14237..82df105b47f0bd 100755 --- a/t/t6020-bundle-misc.sh +++ b/t/t6020-bundle-misc.sh @@ -594,9 +594,9 @@ do reflist=$(git for-each-ref --format="%(objectname)") && git rev-list --objects --filter=$filter --missing=allow-any \ $reflist >expect && - for repo in cloned unbundled + for opt in "--git-dir cloned" "-C unbundled" do - git -C $repo rev-list --objects --missing=allow-any \ + git $opt rev-list --objects --missing=allow-any \ $reflist >actual && test_cmp expect actual || return 1 done From 00eaefbf621b96bd400577c4ab8e3ea96cc397f8 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Sun, 29 Mar 2026 20:30:51 +0200 Subject: [PATCH 15/17] t9210: pass `safe.bareRepository=all` to `scalar register` This test expects `scalar register` to discover a bare repo and reject it. Since `scalar` does not support `--git-dir` (that option would not make sense in the context of that command), pass `-c safe.bareRepository=all` to opt into implicit discovery of bare repositories, so the test keeps working once the default changes to `explicit`. Signed-off-by: Johannes Schindelin --- t/t9210-scalar.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t9210-scalar.sh b/t/t9210-scalar.sh index 009437a5f3168f..54513c220b679a 100755 --- a/t/t9210-scalar.sh +++ b/t/t9210-scalar.sh @@ -88,7 +88,7 @@ test_expect_success 'scalar enlistments need a worktree' ' test_when_finished rm -rf bare test && git init --bare bare/src && - ! scalar register bare/src 2>err && + ! scalar -c safe.bareRepository=all register bare/src 2>err && grep "Scalar enlistments require a worktree" err && git init test/src && From 890dfd024dcecf9b006c7ffd3ef9c42b17743640 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 1 Apr 2026 22:06:35 +0200 Subject: [PATCH 16/17] t9700: stop relying on implicit bare repo discovery Currently, the "alternate bare repo" test case relies on Git discovering non-bare and bare repositories alike. However, the automatic discovery of bare repository represents a weakness that leaves Git users vulnerable. To that end, the `safe.bareRepository` config was introduced, but out of backwards-compatibility concerns, the default is not yet secure. To prepare for that default to switch to the secure one, where bare repositories are never discovered automatically but instead must be specified explicitly, let's do exactly that in this test case: specify it explicitly, via setting the environment variable `GIT_DIR`. Signed-off-by: Johannes Schindelin --- t/t9700/test.pl | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/t/t9700/test.pl b/t/t9700/test.pl index f83e6169e2c100..99b712b626cfd8 100755 --- a/t/t9700/test.pl +++ b/t/t9700/test.pl @@ -153,9 +153,12 @@ sub adjust_dirsep { chdir($abs_repo_dir); # open alternate bare repo -my $r4 = Git->repository(Directory => "$abs_repo_dir/bare.git"); -is($r4->command_oneline(qw(log --format=%s)), "bare commit", - "log of bare repo works"); +{ + local $ENV{GIT_DIR} = "$abs_repo_dir/bare.git"; + my $r4 = Git->repository(Directory => "$abs_repo_dir/bare.git"); + is($r4->command_oneline(qw(log --format=%s)), "bare commit", + "log of bare repo works"); +} # unquoting paths is(Git::unquote_path('abc'), 'abc', 'unquote unquoted path'); From 139b9da946e7adb1e4331bb5005e6481b2c2de20 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 1 Apr 2026 21:43:57 +0200 Subject: [PATCH 17/17] git p4 clone --bare: need to be explicit about the gitdir When `safe.bareRepository` will change to be safe by default, bare repositories won't be discovered by default anymore. To prepare for this, `git p4` must be explicit about the gitdir when cloning into a bare repository, and no longer rely on that implicit discovery. Signed-off-by: Johannes Schindelin --- git-p4.py | 1 + 1 file changed, 1 insertion(+) diff --git a/git-p4.py b/git-p4.py index c0ca7becaf4861..dd38dbca221580 100755 --- a/git-p4.py +++ b/git-p4.py @@ -4360,6 +4360,7 @@ def run(self, args): init_cmd = ["git", "init"] if self.cloneBare: init_cmd.append("--bare") + os.environ["GIT_DIR"] = os.getcwd() retcode = subprocess.call(init_cmd) if retcode: raise subprocess.CalledProcessError(retcode, init_cmd)