From d21652903c95a306f1a0a196562ec827b1af89ec Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:07 +0000 Subject: [PATCH 01/17] t0001: allow implicit bare repo discovery for aliased-command test 8d1a7448206e (setup.c: create `safe.bareRepository`, 2022-07-14) introduced a setting to restrict implicit bare repository discovery, mitigating a social-engineering attack where an embedded bare repo's hooks get executed unknowingly. To allow for that default to change at some stage in the future, the tests need to be prepared. This commit adjusts a test accordingly that runs `git aliasedinit` from inside a bare repo to verify that aliased commands work there. The test is about alias resolution, not bare repo discovery, so add `test_config_global safe.bareRepository all` to opt in explicitly. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t0001-init.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/t0001-init.sh b/t/t0001-init.sh index e4d32bb4d2..6bd0a15dac 100755 --- a/t/t0001-init.sh +++ b/t/t0001-init.sh @@ -77,6 +77,7 @@ test_expect_success 'plain nested through aliased command' ' ' test_expect_success 'plain nested in bare through aliased command' ' + test_config_global safe.bareRepository all && ( git init --bare bare-ancestor-aliased.git && cd bare-ancestor-aliased.git && From f1a852920aa08ed273537e3bfeb541106febfb35 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:08 +0000 Subject: [PATCH 02/17] t0001: replace `cd`+`git` with `git --git-dir` in `check_config` To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), replace `cd && git config` with `git --git-dir= config` so the helper does not rely on implicit bare repository discovery. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t0001-init.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t0001-init.sh b/t/t0001-init.sh index 6bd0a15dac..db2bf1001f 100755 --- a/t/t0001-init.sh +++ b/t/t0001-init.sh @@ -20,8 +20,8 @@ check_config () { return 1 fi - bare=$(cd "$1" && git config --bool core.bare) - worktree=$(cd "$1" && git config core.worktree) || + bare=$(git --git-dir="$1" config --bool core.bare) + worktree=$(git --git-dir="$1" config core.worktree) || worktree=unset test "$bare" = "$2" && test "$worktree" = "$3" || { From 68aa4c7a654f406e281617db6f5378d2c4620e9e Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:09 +0000 Subject: [PATCH 03/17] t0003: use `--git-dir` for bare repo attribute tests The bare repo tests in t0003-attributes.sh currently `cd` into the bare repository inside subshells, relying on implicit discovery. Restructure these tests to pass `--git-dir=bare.git` to the `attr_check` and `attr_check_source` helpers instead. This makes the code much easier to read, and also makes bare repo access explicit, i.e. compatible with an eventual `safe.bareRepository=explicit` default. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t0003-attributes.sh | 66 ++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 39 deletions(-) diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh index 582e207aa1..3a34f5dbc2 100755 --- a/t/t0003-attributes.sh +++ b/t/t0003-attributes.sh @@ -346,17 +346,14 @@ test_expect_success 'setup bare' ' test_expect_success 'bare repository: check that .gitattribute is ignored' ' ( - cd bare.git && - ( - echo "f test=f" && - echo "a/i test=a/i" - ) >.gitattributes && - attr_check f unspecified && - attr_check a/f unspecified && - attr_check a/c/f unspecified && - attr_check a/i unspecified && - attr_check subdir/a/i unspecified - ) + echo "f test=f" && + echo "a/i test=a/i" + ) >bare.git/.gitattributes && + attr_check f unspecified --git-dir=bare.git && + attr_check a/f unspecified --git-dir=bare.git && + attr_check a/c/f unspecified --git-dir=bare.git && + attr_check a/i unspecified --git-dir=bare.git && + attr_check subdir/a/i unspecified --git-dir=bare.git ' bad_attr_source_err="fatal: bad --attr-source or GIT_ATTR_SOURCE" @@ -449,41 +446,32 @@ test_expect_success 'diff without repository with attr source' ' ' test_expect_success 'bare repository: with --source' ' - ( - cd bare.git && - attr_check_source foo/bar/f f tag-1 && - attr_check_source foo/bar/a/i n tag-1 && - attr_check_source foo/bar/f unspecified tag-2 && - attr_check_source foo/bar/a/i m tag-2 && - attr_check_source foo/bar/g g tag-2 && - attr_check_source foo/bar/g unspecified tag-1 - ) + attr_check_source foo/bar/f f tag-1 --git-dir=bare.git && + attr_check_source foo/bar/a/i n tag-1 --git-dir=bare.git && + attr_check_source foo/bar/f unspecified tag-2 --git-dir=bare.git && + attr_check_source foo/bar/a/i m tag-2 --git-dir=bare.git && + attr_check_source foo/bar/g g tag-2 --git-dir=bare.git && + attr_check_source foo/bar/g unspecified tag-1 --git-dir=bare.git ' test_expect_success 'bare repository: check that --cached honors index' ' - ( - cd bare.git && - GIT_INDEX_FILE=../.git/index \ - git check-attr --cached --stdin --all <../stdin-all | - sort >actual && - test_cmp ../specified-all actual - ) + GIT_INDEX_FILE=.git/index \ + git --git-dir=bare.git check-attr --cached --stdin --all actual && + test_cmp specified-all actual ' test_expect_success 'bare repository: test info/attributes' ' + mkdir -p bare.git/info && ( - cd bare.git && - mkdir info && - ( - echo "f test=f" && - echo "a/i test=a/i" - ) >info/attributes && - attr_check f f && - attr_check a/f f && - attr_check a/c/f f && - attr_check a/i a/i && - attr_check subdir/a/i unspecified - ) + echo "f test=f" && + echo "a/i test=a/i" + ) >bare.git/info/attributes && + attr_check f f --git-dir=bare.git && + attr_check a/f f --git-dir=bare.git && + attr_check a/c/f f --git-dir=bare.git && + attr_check a/i a/i --git-dir=bare.git && + attr_check subdir/a/i unspecified --git-dir=bare.git ' test_expect_success 'binary macro expanded by -a' ' From ca053477d93d76791413418766c3ff24996ca528 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:10 +0000 Subject: [PATCH 04/17] t0056: allow implicit bare repo discovery for `-C` work-tree tests The `git -C c/a.git --work-tree=../a` invocations in t0056-git-C.sh enter what is technically the `.git` directory of a repository to test `-C` combined with `--work-tree`. In doing so, the code relies on implicit discovery of bare repositories, which 8d1a7448206e (setup.c: create `safe.bareRepository`, 2022-07-14) prepared to be prevented by default. These tests verify the interaction between those flags, so changing them to use `--git-dir` would defeat their purpose. So let's just temporarily force-enable implicit discovery of bare repositories, no matter what `safe.bareRepository` defaults to. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t0056-git-C.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/t/t0056-git-C.sh b/t/t0056-git-C.sh index 2630e756da..6b7122add5 100755 --- a/t/t0056-git-C.sh +++ b/t/t0056-git-C.sh @@ -57,11 +57,13 @@ test_expect_success 'Order should not matter: "--git-dir=a.git -C c" is equivale test_expect_success 'Effect on --work-tree option: "-C c/a.git --work-tree=../a" is equivalent to "--work-tree=c/a --git-dir=c/a.git"' ' rm c/a/a.txt && git --git-dir=c/a.git --work-tree=c/a status >expected && + test_config_global safe.bareRepository all && git -C c/a.git --work-tree=../a status >actual && test_cmp expected actual ' test_expect_success 'Order should not matter: "--work-tree=../a -C c/a.git" is equivalent to "-C c/a.git --work-tree=../a"' ' + test_config_global safe.bareRepository all && git -C c/a.git --work-tree=../a status >expected && git --work-tree=../a -C c/a.git status >actual && test_cmp expected actual From ecefd7ea3fb5b0321317786648bb912143c037cd Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:11 +0000 Subject: [PATCH 05/17] t1020: use `--git-dir` instead of subshell for bare repo Replace an unnecessarily complex subshell pattern with a much simpler `--git-dir`-based one. The latter is not only simpler, it also no longer relies on implicit bare repo discovery, which would fail with `safe.bareRepository=explicit`. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t1020-subdirectory.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/t/t1020-subdirectory.sh b/t/t1020-subdirectory.sh index 9fdbb2af80..20d2d306fe 100755 --- a/t/t1020-subdirectory.sh +++ b/t/t1020-subdirectory.sh @@ -177,10 +177,7 @@ test_expect_success 'no file/rev ambiguity check inside a bare repo (explicit GI test_expect_success 'no file/rev ambiguity check inside a bare repo' ' test_when_finished "rm -fr foo.git" && git clone -s --bare .git foo.git && - ( - cd foo.git && - git show -s HEAD - ) + git --git-dir=foo.git show -s HEAD ' test_expect_success SYMLINKS 'detection should not be fooled by a symlink' ' From ee58468e1f652a82aa250a7b214256e6ceea4f4e Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:12 +0000 Subject: [PATCH 06/17] t1900: avoid using `-C ` for a bare repository To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), add an optional 6th parameter `repo_flag` (defaulting to `-C`) to the `test_repo_info` helper, and use it in the caller that wants to operate on a bare repository. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t1900-repo-info.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/t/t1900-repo-info.sh b/t/t1900-repo-info.sh index 39bb77dda0..6280da1efb 100755 --- a/t/t1900-repo-info.sh +++ b/t/t1900-repo-info.sh @@ -20,6 +20,7 @@ test_repo_info () { repo_name=$3 key=$4 expected_value=$5 + repo_flag=${6:--C} test_expect_success "setup: $label" ' eval "$init_command $repo_name" @@ -27,13 +28,13 @@ test_repo_info () { test_expect_success "lines: $label" ' echo "$key=$expected_value" > expect && - git -C "$repo_name" repo info "$key" >actual && + git $repo_flag "$repo_name" repo info "$key" >actual && test_cmp expect actual ' test_expect_success "nul: $label" ' printf "%s\n%s\0" "$key" "$expected_value" >expect && - git -C "$repo_name" repo info --format=nul "$key" >actual && + git $repo_flag "$repo_name" repo info --format=nul "$key" >actual && test_cmp_bin expect actual ' } @@ -48,7 +49,7 @@ test_repo_info 'bare repository = false is retrieved correctly' \ 'git init' 'nonbare' 'layout.bare' 'false' test_repo_info 'bare repository = true is retrieved correctly' \ - 'git init --bare' 'bare' 'layout.bare' 'true' + 'git init --bare' 'bare' 'layout.bare' 'true' '--git-dir' test_repo_info 'shallow repository = false is retrieved correctly' \ 'git init' 'nonshallow' 'layout.shallow' 'false' From a6818366b7017258730da57a9531c6c99e6ac306 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:13 +0000 Subject: [PATCH 07/17] t2400: explicitly specify bare repo for `git worktree add` To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), specify the gitdir specifically in bare-repo `git worktree add` invocations via `--git-dir=.` so Git does not rely on implicit bare repository discovery. While at it, also avoid unnecessary subshells and `cd`ing. This simplifies the logic in a rather pleasant way. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t2400-worktree-add.sh | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/t/t2400-worktree-add.sh b/t/t2400-worktree-add.sh index 023e1301c8..0f8c837647 100755 --- a/t/t2400-worktree-add.sh +++ b/t/t2400-worktree-add.sh @@ -171,11 +171,8 @@ test_expect_success 'not die on re-checking out current branch' ' ' test_expect_success '"add" from a bare repo' ' - ( - git clone --bare . bare && - cd bare && - git worktree add -b bare-main ../there2 main - ) + git clone --bare . bare && + git -C bare --git-dir=. worktree add -b bare-main ../there2 main ' test_expect_success 'checkout from a bare repo without "add"' ' @@ -186,15 +183,11 @@ test_expect_success 'checkout from a bare repo without "add"' ' ' test_expect_success '"add" default branch of a bare repo' ' - ( - git clone --bare . bare2 && - cd bare2 && - git worktree add ../there3 main && - cd ../there3 && - # Simple check that a Git command does not - # immediately fail with the current setup - git status - ) && + git clone --bare . bare2 && + git -C bare2 --git-dir=. worktree add ../there3 main && + # Simple check that a Git command does not + # immediately fail with the current setup + git status && cat >expect <<-EOF && init.t EOF From f71488534d5a0c0d56bc033a6fe617be610e8ded Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:14 +0000 Subject: [PATCH 08/17] t2406: use `--git-dir=.` for bare repository worktree repair To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), the test case t2406.10(repair .git file from bare.git) cannot rely on the implicit discovery of thee bare repository. Simply add a `--git-dir=.` to the invocation. The `-C bare.git` argument is still needed so that the `repair` command realizes works on the intended directory. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t2406-worktree-repair.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t2406-worktree-repair.sh b/t/t2406-worktree-repair.sh index f5f19b3169..cac448b575 100755 --- a/t/t2406-worktree-repair.sh +++ b/t/t2406-worktree-repair.sh @@ -84,7 +84,7 @@ test_expect_success 'repair .git file from bare.git' ' git -C bare.git worktree add --detach ../corrupt && git -C corrupt rev-parse --absolute-git-dir >expect && rm -f corrupt/.git && - git -C bare.git worktree repair && + git -C bare.git --git-dir=. worktree repair && git -C corrupt rev-parse --absolute-git-dir >actual && test_cmp expect actual ' From 58c5358a63baa70755c5d21833d5423642e1bf44 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:15 +0000 Subject: [PATCH 09/17] t5503: avoid discovering a bare repository The test case "fetch specific OID with tag following" creates a bare repository and wants to operate on it by changing the working directory and relying on Git's implicit discovery of the bare repository. Once the `safe.bareRepository` default is changed, this is no longer an option. So let's adjust the commands to specify the bare repository explicitly, via `--git-dir`, and avoid changing the working directory. As a bonus, the result is arguably more readable than the original code. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t5503-tagfollow.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/t/t5503-tagfollow.sh b/t/t5503-tagfollow.sh index febe441041..6d178d84dd 100755 --- a/t/t5503-tagfollow.sh +++ b/t/t5503-tagfollow.sh @@ -168,16 +168,13 @@ test_expect_success 'new clone fetch main and tags' ' test_expect_success 'fetch specific OID with tag following' ' git init --bare clone3.git && - ( - cd clone3.git && - git remote add origin .. && - git fetch origin $B:refs/heads/main && + git --git-dir=clone3.git remote add origin "$PWD" && + git --git-dir=clone3.git fetch origin $B:refs/heads/main && - git -C .. for-each-ref >expect && - git for-each-ref >actual && + git for-each-ref >expect && + git --git-dir=clone3.git for-each-ref >actual && - test_cmp expect actual - ) + test_cmp expect actual ' test_done From 9abf46deeb0dc2d07094200b1dd2a99690e58494 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:16 +0000 Subject: [PATCH 10/17] t5505: export `GIT_DIR` after `git init --bare` To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), export `GIT_DIR=.` right after `git init --bare &&` so subsequent commands access the bare repo explicitly. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t5505-remote.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t5505-remote.sh b/t/t5505-remote.sh index e592c0bcde..6d3d8510ca 100755 --- a/t/t5505-remote.sh +++ b/t/t5505-remote.sh @@ -561,7 +561,7 @@ test_expect_success 'add --mirror && prune' ' mkdir mirror && ( cd mirror && - git init --bare && + git init --bare && GIT_DIR=. && export GIT_DIR && git remote add --mirror -f origin ../one ) && ( @@ -583,7 +583,7 @@ test_expect_success 'add --mirror setting HEAD' ' mkdir headmirror && ( cd headmirror && - git init --bare -b notmain && + git init --bare -b notmain && GIT_DIR=. && export GIT_DIR && git remote add --mirror -f origin ../one && test "$(git symbolic-ref HEAD)" = "refs/heads/main" ) From c1e5cd1dda16d42b6678e5cc0a434574511d40e2 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:17 +0000 Subject: [PATCH 11/17] t5509: specify bare repository path explicitly After switching from `-C pushee` to `--git-dir=pushee` as part of the `safe.bareRepository` preparation, `ext::` URLs that used `.` (resolved relative to the `-C` target) must spell out the directory name explicitly. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t5509-fetch-push-namespaces.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/t/t5509-fetch-push-namespaces.sh b/t/t5509-fetch-push-namespaces.sh index 095df1a753..7771a3b34a 100755 --- a/t/t5509-fetch-push-namespaces.sh +++ b/t/t5509-fetch-push-namespaces.sh @@ -88,8 +88,8 @@ test_expect_success 'mirroring a repository using a ref namespace' ' test_expect_success 'hide namespaced refs with transfer.hideRefs' ' GIT_NAMESPACE=namespace \ - git -C pushee -c transfer.hideRefs=refs/tags \ - ls-remote "ext::git %s ." >actual && + git --git-dir=pushee -c transfer.hideRefs=refs/tags \ + ls-remote "ext::git %s pushee" >actual && printf "$commit1\trefs/heads/main\n" >expected && test_cmp expected actual ' @@ -97,8 +97,8 @@ test_expect_success 'hide namespaced refs with transfer.hideRefs' ' test_expect_success 'check that transfer.hideRefs does not match unstripped refs' ' git -C pushee pack-refs --all && GIT_NAMESPACE=namespace \ - git -C pushee -c transfer.hideRefs=refs/namespaces/namespace/refs/tags \ - ls-remote "ext::git %s ." >actual && + git --git-dir=pushee -c transfer.hideRefs=refs/namespaces/namespace/refs/tags \ + ls-remote "ext::git %s pushee" >actual && printf "$commit1\trefs/heads/main\n" >expected && printf "$commit0\trefs/tags/0\n" >>expected && printf "$commit1\trefs/tags/1\n" >>expected && @@ -107,8 +107,8 @@ test_expect_success 'check that transfer.hideRefs does not match unstripped refs test_expect_success 'hide full refs with transfer.hideRefs' ' GIT_NAMESPACE=namespace \ - git -C pushee -c transfer.hideRefs="^refs/namespaces/namespace/refs/tags" \ - ls-remote "ext::git %s ." >actual && + git --git-dir=pushee -c transfer.hideRefs="^refs/namespaces/namespace/refs/tags" \ + ls-remote "ext::git %s pushee" >actual && printf "$commit1\trefs/heads/main\n" >expected && test_cmp expected actual ' From 5513fb51b7024dc2ec26cf2d72dc3ca8b3f7513a Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:18 +0000 Subject: [PATCH 12/17] t5540/t5541: avoid accessing a bare repository via `-C ` In the `test_http_push_nonff` function both of these test scripts call, there were two Git invocations that assume that bare repositories will always be discovered when the current working directory is inside one. This is unlikely to be true forever because at some stage, the `safe.bareRepository` config is prone to be modified to be safe by default. So let's be safe and specify the bare repository explicitly. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/lib-httpd.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh index 4c76e813e3..f15158b2c5 100644 --- a/t/lib-httpd.sh +++ b/t/lib-httpd.sh @@ -259,7 +259,7 @@ test_http_push_nonff () { test_expect_success 'non-fast-forward push fails' ' cd "$REMOTE_REPO" && - HEAD=$(git rev-parse --verify HEAD) && + HEAD=$(git --git-dir=. rev-parse --verify HEAD) && cd "$LOCAL_REPO" && git checkout $BRANCH && @@ -270,7 +270,7 @@ test_http_push_nonff () { ( cd "$REMOTE_REPO" && echo "$HEAD" >expect && - git rev-parse --verify HEAD >actual && + git --git-dir=. rev-parse --verify HEAD >actual && test_cmp expect actual ) ' @@ -284,18 +284,16 @@ test_http_push_nonff () { ' test_expect_${EXPECT_CAS_RESULT} 'force with lease aka cas' ' - HEAD=$( cd "$REMOTE_REPO" && git rev-parse --verify HEAD ) && + HEAD=$(git --git-dir="$REMOTE_REPO" rev-parse --verify HEAD) && test_when_finished '\'' - (cd "$REMOTE_REPO" && git update-ref HEAD "$HEAD") + git --git-dir="$REMOTE_REPO" update-ref HEAD "$HEAD" '\'' && ( cd "$LOCAL_REPO" && git push -v --force-with-lease=$BRANCH:$HEAD origin ) && git rev-parse --verify "$BRANCH" >expect && - ( - cd "$REMOTE_REPO" && git rev-parse --verify HEAD - ) >actual && + git --git-dir="$REMOTE_REPO" rev-parse --verify HEAD >actual && test_cmp expect actual ' } From 4dceee1c8ca39b506ee417e6ff94b3057609ced2 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:19 +0000 Subject: [PATCH 13/17] t5619: wrap `test_commit_bulk` in `GIT_DIR` subshell for bare repo To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), wrap the `test_commit_bulk` call in `(GIT_DIR="$REPO" && export GIT_DIR && test_commit_bulk ...)` because `test_commit_bulk -C` relies on implicit discovery which would fail once the default changes. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t5619-clone-local-ambiguous-transport.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t5619-clone-local-ambiguous-transport.sh b/t/t5619-clone-local-ambiguous-transport.sh index cce62bf78d..3e9aac9015 100755 --- a/t/t5619-clone-local-ambiguous-transport.sh +++ b/t/t5619-clone-local-ambiguous-transport.sh @@ -21,7 +21,7 @@ test_expect_success 'setup' ' echo "secret" >sensitive/secret && git init --bare "$REPO" && - test_commit_bulk -C "$REPO" --ref=main 1 && + (GIT_DIR="$REPO" && export GIT_DIR && test_commit_bulk --ref=main 1) && git -C "$REPO" update-ref HEAD main && git -C "$REPO" update-server-info && From f1ecb9def010a69dd9f81091d002af0423a06c66 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:20 +0000 Subject: [PATCH 14/17] t6020: use `-C` for worktree, `--git-dir` for bare repository To prepare for `safe.bareRepository` defaulting to `explicit` (see 8d1a7448206e), adjust a loop that iterated over both a bare (`cloned`) and a non-bare (`unbundled`) repository using the same `-C` flag: the bare repo needs `--git-dir` to avoid implicit discovery, while the non-bare one keeps `-C`. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t6020-bundle-misc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t6020-bundle-misc.sh b/t/t6020-bundle-misc.sh index 500c81b8a1..82df105b47 100755 --- a/t/t6020-bundle-misc.sh +++ b/t/t6020-bundle-misc.sh @@ -594,9 +594,9 @@ do reflist=$(git for-each-ref --format="%(objectname)") && git rev-list --objects --filter=$filter --missing=allow-any \ $reflist >expect && - for repo in cloned unbundled + for opt in "--git-dir cloned" "-C unbundled" do - git -C $repo rev-list --objects --missing=allow-any \ + git $opt rev-list --objects --missing=allow-any \ $reflist >actual && test_cmp expect actual || return 1 done From 3a20e2a04b147288b7af7d8504b3cbce2773e46f Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:21 +0000 Subject: [PATCH 15/17] t9210: pass `safe.bareRepository=all` to `scalar register` This test expects `scalar register` to discover a bare repo and reject it. Since `scalar` does not support `--git-dir` (that option would not make sense in the context of that command), pass `-c safe.bareRepository=all` to opt into implicit discovery of bare repositories, so the test keeps working once the default changes to `explicit`. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t9210-scalar.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t9210-scalar.sh b/t/t9210-scalar.sh index 009437a5f3..54513c220b 100755 --- a/t/t9210-scalar.sh +++ b/t/t9210-scalar.sh @@ -88,7 +88,7 @@ test_expect_success 'scalar enlistments need a worktree' ' test_when_finished rm -rf bare test && git init --bare bare/src && - ! scalar register bare/src 2>err && + ! scalar -c safe.bareRepository=all register bare/src 2>err && grep "Scalar enlistments require a worktree" err && git init test/src && From bf92209ddc7de6b19022d32ccad3d38576611a11 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:22 +0000 Subject: [PATCH 16/17] t9700: stop relying on implicit bare repo discovery Currently, the "alternate bare repo" test case relies on Git discovering non-bare and bare repositories alike. However, the automatic discovery of bare repository represents a weakness that leaves Git users vulnerable. To that end, the `safe.bareRepository` config was introduced, but out of backwards-compatibility concerns, the default is not yet secure. To prepare for that default to switch to the secure one, where bare repositories are never discovered automatically but instead must be specified explicitly, let's do exactly that in this test case: specify it explicitly, via setting the environment variable `GIT_DIR`. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- t/t9700/test.pl | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/t/t9700/test.pl b/t/t9700/test.pl index f83e6169e2..99b712b626 100755 --- a/t/t9700/test.pl +++ b/t/t9700/test.pl @@ -153,9 +153,12 @@ unlink $tmpfile3; chdir($abs_repo_dir); # open alternate bare repo -my $r4 = Git->repository(Directory => "$abs_repo_dir/bare.git"); -is($r4->command_oneline(qw(log --format=%s)), "bare commit", - "log of bare repo works"); +{ + local $ENV{GIT_DIR} = "$abs_repo_dir/bare.git"; + my $r4 = Git->repository(Directory => "$abs_repo_dir/bare.git"); + is($r4->command_oneline(qw(log --format=%s)), "bare commit", + "log of bare repo works"); +} # unquoting paths is(Git::unquote_path('abc'), 'abc', 'unquote unquoted path'); From 347da97f3e6efe4cb85ffa39b42da9ff96cb8e28 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 2 Apr 2026 14:33:23 +0000 Subject: [PATCH 17/17] git p4 clone --bare: need to be explicit about the gitdir When `safe.bareRepository` will change to be safe by default, bare repositories won't be discovered by default anymore. To prepare for this, `git p4` must be explicit about the gitdir when cloning into a bare repository, and no longer rely on that implicit discovery. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- git-p4.py | 1 + 1 file changed, 1 insertion(+) diff --git a/git-p4.py b/git-p4.py index c0ca7becaf..dd38dbca22 100755 --- a/git-p4.py +++ b/git-p4.py @@ -4360,6 +4360,7 @@ class P4Clone(P4Sync): init_cmd = ["git", "init"] if self.cloneBare: init_cmd.append("--bare") + os.environ["GIT_DIR"] = os.getcwd() retcode = subprocess.call(init_cmd) if retcode: raise subprocess.CalledProcessError(retcode, init_cmd)