fix(deps): bare cache incompatible with git 2.53.0 safe.bareRepository + fetched SHAs not ref-reachable

[sergio-sisternes-epam]

Summary

Two bugs in bare_cache.py discovered during E2E validation of the SHA-pin fix (#1258 / PR #1259):

Bug 1: git -C <bare> fails on git 2.53.0

Git 2.53.0 (Homebrew, macOS) defaults safe.bareRepository=explicit. All bare-repo git commands in bare_cache.py use git -C <path> which now fails with exit 128 on bare repos. The fix is to use git --git-dir <path> instead (8 locations).

Bug 2: Fetched SHAs are not ref-reachable for git clone --local --shared

When fetch_sha_into_bare fetches a specific SHA into an existing bare, the SHA lands in the object store but is not pointed to by any ref. git clone --local --shared from a shallow bare uses upload-pack (ignoring --local) and only transfers objects reachable from advertised refs -- so the orphaned SHA is silently omitted and git checkout <sha> fails in the consumer.

The fix creates a synthetic refs/heads/apm-pin-<sha12> ref after every successful fetch (or discovery) so the SHA is reachable via the default refspec.

Reproduction

Both bugs are exercised by installing a mono-repo package with SHA-pinned transitive deps on git 2.53.0. The E2E test repo sergio-sisternes-epam/apm-marketplace-tests reproduces this scenario.

Environment

• macOS (Darwin)
• Git 2.53.0 with safe.bareRepository=explicit (default)
• APM built from main (post PR fix(deps): fetch missing SHA-pinned commits into shallow bare clones #1259 merge)

[github-actions]

Triage decision

accept

Proposed labels

theme/portability
area/lockfile
area/distribution
type/bug
status/accepted
priority/high

Milestone

0.14.0

Suggested next action

Open a PR against src/apm_cli/deps/bare_cache.py replacing all 8 git -C <dir> bare-repo invocations with git --git-dir <dir> and adding the refs/heads/apm-pin-<sha> synthetic ref after every successful fetch or discovery.

Suggested issue comment

Thank you for filing this -- two high-impact bugs in the bare cache that break SHA-pinned installs on git 2.53.0 (macOS Homebrew default), along with a clear reproduction path and concrete fix proposals.

Bug 1 (`git -C` on bare repos) is a clean portability regression introduced by git 2.53.0's `safe.bareRepository=explicit` default. Replacing the 8 `git -C <dir>` calls with `git --git-dir <dir>` is the correct fix and should be mechanical.

Bug 2 (fetched SHA not ref-reachable) is more subtle: the SHA lands in the object store but `git clone --local --shared` only transfers ref-reachable objects, so the lockfile-pinned SHA is silently absent from the consumer clone. Creating a `refs/heads/apm-pin-<sha>` synthetic ref after every fetch or discovery directly closes this gap and preserves the deterministic-install contract that APM's lockfile guarantees (see https://github.com/microsoft/apm#installation-and-usage).

Accepted for 0.14.0, priority high. Suggested PR scope: `src/apm_cli/deps/bare_cache.py` only -- 8 `git -C` replacements and one ref-creation call in `fetch_sha_into_bare`. Please link this issue in the PR body so the connection to #1258/#1259 is preserved for future bisect.

Per-lens notes (collapsed)

DevX UX Expert -- User-Need Reviewer

Both bugs manifest as silent install failures on git 2.53.0 -- the user types apm install against a SHA-pinned lockfile and git checkout <sha> fails with no actionable error. This directly breaks the core DevX promise: "lockfile is canonical; apm install from a lockfile is deterministic; CI must not need extra flags". The fix scope is entirely internal (bare_cache.py); no CLI surface, flag, or help text changes required. Recovery path for the user today is to downgrade git or patch manually, which is unacceptable for a tool targeting CI/CD environments.

Supply Chain Security Expert -- Risk-Surface Reviewer

Bug 2 has a direct integrity implication: the lockfile records a specific commit SHA as the pinned truth, the bare cache fetches that SHA into the object store, but git clone --local --shared silently omits it because it is not ref-reachable. The consumer ends up without the pinned object -- meaning the lockfile integrity chain (lockfile -> SHA -> deployed files) is broken at the clone step. The fix (synthetic refs/heads/apm-pin-<sha>) restores the chain. This is a portability issue (git version behavior change) rather than an adversarial attack surface, so theme/portability is correct; area/lockfile is primary since the lockfile integrity primitive is what fails. No token or auth surface is involved.

OSS Growth Hacker -- Contributor-Tone Reviewer

Not activated -- author is a repo collaborator with prior interactions; no first-time contributor tone tuning required.

Python Architect -- Architecture Reviewer

Not activated -- both fixes are well-scoped to bare_cache.py with no cross-cutting interface, data model, or schema changes; the proposed solutions are mechanical and do not require a design doc.

Doc Writer -- Documentation Reviewer

Not activated -- purely internal bare cache implementation fix with no new CLI flags, no schema changes, and no user-facing documentation surface affected.

APM CEO -- Triage Arbiter

Two well-reproduced, well-diagnosed bugs that break the SHA-pin install flow on git 2.53.0 (macOS Homebrew current default). The impact is high: any macOS developer on Homebrew hits these silently after brew upgrade git. The fixes are low-risk and mechanical. Accepting for 0.14.0 at priority/high is the right call -- this directly affects the deterministic-install guarantee that differentiates APM from ad-hoc script-based package management.

{
  "decision": "accept",
  "decision_detail": "",
  "theme": "theme/portability",
  "areas": ["area/lockfile", "area/distribution"],
  "type": "type/bug",
  "status": "status/accepted",
  "priority": "priority/high",
  "preserved_labels": [],
  "milestone": "0.14.0",
  "next_action": "Open a PR against src/apm_cli/deps/bare_cache.py replacing all 8 git -C bare-repo invocations with git --git-dir and adding the refs/heads/apm-pin-<sha> synthetic ref after every successful fetch or discovery.",
  "comment_markdown": "Thank you for filing this -- two high-impact bugs in the bare cache that break SHA-pinned installs on git 2.53.0 (macOS Homebrew default), along with a clear reproduction path and concrete fix proposals.\n\nBug 1 (`git -C` on bare repos) is a clean portability regression introduced by git 2.53.0's `safe.bareRepository=explicit` default. Replacing the 8 `git -C <dir>` calls with `git --git-dir <dir>` is the correct fix and should be mechanical.\n\nBug 2 (fetched SHA not ref-reachable) is more subtle: the SHA lands in the object store but `git clone --local --shared` only transfers ref-reachable objects, so the lockfile-pinned SHA is silently absent from the consumer clone. Creating a `refs/heads/apm-pin-<sha>` synthetic ref after every fetch or discovery directly closes this gap and preserves the deterministic-install contract that APM's lockfile guarantees (see https://github.com/microsoft/apm#installation-and-usage).\n\nAccepted for 0.14.0, priority high. Suggested PR scope: `src/apm_cli/deps/bare_cache.py` only -- 8 `git -C` replacements and one ref-creation call in `fetch_sha_into_bare`. Please link this issue in the PR body so the connection to #1258/#1259 is preserved for future bisect."
}

---

Triage status: agentic proposal pending human ratification.
Silence is approval. Maintainers can:

• Override any label or milestone above by editing it directly --
  human edits are authoritative and will not be reverted on
  subsequent runs.
• Re-trigger triage by applying the status/needs-triage label, or
  by removing status/triaged to enroll the issue in the next
  daily sweep.

Posted by the Triage Panel workflow. See .apm/skills/apm-triage-panel for the panel skill.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

• [BUG] Codex and Gemini adapters pass self-defined stdio env verbatim, skipping placeholder resolution #1266 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [BUG] Codex CLI skips Streamable HTTP MCP servers; README claims this is unsupported #1260 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• feat: make apm update respect air-gapped environment variables #1231 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Triage Panel for issue #1267 · ● 1M · ◷