Run SF git pull as ec2-user to avoid dubious ownership error #21
Merged
PR #20 added `git pull --ff-only origin main` to every SSM command in the Saturday Step Function. When executed, every command failed with:

```
fatal: detected dubious ownership in repository at '/home/ec2-user/alpha-engine-data'
failed to run commands: exit status 128
```

Cause: SSM RunShellScript runs as root on Amazon Linux, but the four repo checkouts are owned by ec2-user. Git's >=2.35.2 safe.directory check refuses to operate on repos owned by a different user unless explicitly allowed.

Fix: run the git pull as ec2-user via `sudo -u ec2-user git -C /path pull --ff-only origin main`. `git -C <path>` avoids the pwd-across-sudo subshell issue. The rest of each command (cd, source, Python/bash) continues to run as root as before — no behavior change for non-git steps.

All six SSM commands updated consistently:
- DataPhase1, RAGIngestion, HealthCheck (alpha-engine-data)
- PredictorTraining (alpha-engine-predictor)
- DriftDetection (alpha-engine-data + alpha-engine-predictor)
- Backtester (alpha-engine-backtester)

Verified working via a standalone SSM probe before pushing this PR — `sudo -u ec2-user git -C /home/ec2-user/alpha-engine-data pull` ran cleanly and advanced the EC2 checkout from 292e51e to 0a3a90b.

## Live deployment

Applied directly to the live state machine. This PR is the repo-side record.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Wrap every `git pull --ff-only origin main` in the Saturday Step Function with `sudo -u ec2-user git -C <path>` so git runs as the repo owner and doesn't hit the 2.35.2+ safe.directory check.
Context
#20 added `git pull` to every SSM command to auto-pull fresh code before running. When the pipeline kicked off (full-rerun-20260411T211223Z) DataPhase1 failed immediately with:
```
fatal: detected dubious ownership in repository at '/home/ec2-user/alpha-engine-data'
failed to run commands: exit status 128
```
SSM runs as root, but the /home/ec2-user/alpha-engine-* repos are owned by ec2-user. Git refuses by default.
Silver lining: the Step Function's CheckDataPhase1Status gate routed correctly to HandleFailure → FailExecution → SNS, and the SNS email surfaced the real error immediately — proving #20's hard-fail + exit-propagation fix works end-to-end.
Fix
`sudo -u ec2-user git -C /path/to/repo pull --ff-only origin main`
All six SSM commands updated consistently. Verified the pattern on a standalone SSM probe before pushing — the probe successfully pulled 292e51e → 0a3a90b.
Live deployment
Applied directly to the live state machine via `aws stepfunctions update-state-machine` (revision `8acf52b1`). This PR is the repo-side record.
Test plan
🤖 Generated with Claude Code
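
The pattern described in this PR, generalized as an added example that is not part of the PR or the project's code: a POSIX shell helper that looks up which uid owns a checkout and runs `git -C <path> pull --ff-only origin main` as that uid, so git's ownership check sees the same user on both sides. The names `owner_uid`, `pull_as_owner` and `DRY_RUN` are hypothetical, the helper compares only the owner of the top-level checkout directory, and it uses sudo's numeric `#uid` form where the PR names `ec2-user` directly.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the PR).
# Usage: pull_as_owner /home/ec2-user/alpha-engine-data

# Print the numeric uid that owns a directory (`ls -n` shows it in field 3).
owner_uid() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    ls -ldn -- "$1" | awk '{print $3}'
}

# $1 = checkout path
# $2 = uid the caller runs as (defaults to the current uid; settable for tests)
# The body is a subshell, so `set --` and the variables stay local to the call.
pull_as_owner() (
    repo=$1
    caller=${2:-$(id -u)}
    owner=$(owner_uid "$repo") || exit 2

    if [ "$caller" = "$owner" ]; then
        # Caller already owns the checkout: no ownership mismatch for git to reject.
        set -- git -C "$repo" pull --ff-only origin main
    elif [ "$caller" = 0 ]; then
        # Root (as under SSM RunShellScript) drops to the owner for the git step
        # only. `git -C` passes the path explicitly instead of relying on cwd.
        set -- sudo -u "#$owner" git -C "$repo" pull --ff-only origin main
    else
        # An unprivileged caller cannot become the owner: fail loudly rather
        # than loosening safe.directory.
        echo "refusing: $repo is owned by uid $owner, caller is uid $caller" >&2
        exit 1
    fi

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"      # show the command that would run
    else
        "$@"
    fi
)
```

Setting `DRY_RUN=1` prints the chosen command without touching the repository, which is a quick way to check each path before wiring the helper into an SSM command.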