From b516fda8be0040c2e7aeeba3eb16fb7c866c0944 Mon Sep 17 00:00:00 2001
From: Ruoyu Zhong <zhongruoyu@outlook.com>
Date: Thu, 11 Apr 2024 01:12:03 +0800
Subject: [PATCH 1/5] package/scripts/postinstall: avoid writing to
 `~/.gitconfig`

We can eliminate permission issues by not touching `~/.gitconfig` at
all.

Fixes #17067.
---
 package/scripts/postinstall | 38 ++++++++-----------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)

diff --git a/package/scripts/postinstall b/package/scripts/postinstall
index e9ba586c0c..6b40b6e189 100755
--- a/package/scripts/postinstall
+++ b/package/scripts/postinstall
@@ -21,35 +21,15 @@ fi
 # add Git to path
 export PATH="/Library/Developer/CommandLineTools/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:${PATH}"
 
-# helpers for setting/unsetting Git's safe directory setting
-set_git_safe_directory() {
-  if git config --global --get-all safe.directory | grep -q "${1}"
-  then
-    return
-  fi
-  SET_GIT_SAFE_DIRECTORY="${1}"
-  git config --global --add safe.directory "${1}"
-}
-unset_git_safe_directory() {
-  if [[ -z "${SET_GIT_SAFE_DIRECTORY-}" ]]
-  then
-    return
-  fi
-
-  git config --global --unset safe.directory "${1}" || git config --global --unset-all safe.directory
-  if [[ ${SET_GIT_SAFE_DIRECTORY-} == "${1}" ]]
-  then
-    unset SET_GIT_SAFE_DIRECTORY
-  fi
-}
+# use `git -c key=value` to avoid writing to Git's global config
+# https://github.com/Homebrew/brew/issues/17067
+git=(git -c "safe.directory=${homebrew_directory}")
 
 # reset Git repository
 cd "${homebrew_directory}"
-set_git_safe_directory "${homebrew_directory}"
-git reset --hard
-git checkout --force master
-git branch | grep -v '\*' | xargs -n 1 git branch --delete --force || true
-unset_git_safe_directory "${homebrew_directory}"
+"${git[@]}" reset --hard
+"${git[@]}" checkout --force master
+"${git[@]}" branch | grep -v '\*' | xargs -n 1 "${git[@]}" branch --delete --force || true
 
 # move to /usr/local if on x86_64
 if [[ $(uname -m) == "x86_64" ]]
@@ -59,10 +39,8 @@ then
     cp -pRL "${homebrew_directory}/.git" "/usr/local/Homebrew/"
     mv "${homebrew_directory}/cache_api" "/usr/local/Homebrew/"
 
-    set_git_safe_directory /usr/local/Homebrew
-    git -C /usr/local/Homebrew reset --hard
-    git -C /usr/local/Homebrew checkout --force master
-    unset_git_safe_directory /usr/local/Homebrew
+    "${git[@]}" -C /usr/local/Homebrew reset --hard
+    "${git[@]}" -C /usr/local/Homebrew checkout --force master
   else
     mkdir -vp /usr/local/bin
     mv "${homebrew_directory}" "/usr/local/Homebrew/"

From ad4a0800cc9e98f2a0c69f8d8570897d4fcc68aa Mon Sep 17 00:00:00 2001
From: Ruoyu Zhong <zhongruoyu@outlook.com>
Date: Thu, 11 Apr 2024 01:54:40 +0800
Subject: [PATCH 2/5] package/scripts/postinstall: handle `/usr/local/Homebrew`

---
 package/scripts/postinstall | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/scripts/postinstall b/package/scripts/postinstall
index 6b40b6e189..058370cf34 100755
--- a/package/scripts/postinstall
+++ b/package/scripts/postinstall
@@ -39,6 +39,7 @@ then
     cp -pRL "${homebrew_directory}/.git" "/usr/local/Homebrew/"
     mv "${homebrew_directory}/cache_api" "/usr/local/Homebrew/"
 
+    git=(git -c safe.directory="/usr/local/Homebrew")
     "${git[@]}" -C /usr/local/Homebrew reset --hard
     "${git[@]}" -C /usr/local/Homebrew checkout --force master
   else

From 4c24f9160f72221f740eed8b243d66ab3c8bad4e Mon Sep 17 00:00:00 2001
From: Ruoyu Zhong <zhongruoyu@outlook.com>
Date: Thu, 11 Apr 2024 03:22:37 +0800
Subject: [PATCH 3/5] workflows/pkg-installer: unset global Git
 `safe.directory`

---
 .github/workflows/pkg-installer.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index a8da6c8b0d..30ae5131c8 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -146,6 +146,9 @@ jobs:
         with:
           name: "${{ needs.build.outputs.installer_path }}"
 
+      - name: Unset global Git safe directory setting
+        run: git config --global --unset-all safe.directory
+
       - name: Remove existing Homebrew installations
         run: |
           sudo rm -rf brew /{usr/local,opt/homebrew}/{Cellar,Caskroom,Homebrew/Library/Taps}

From f76442837a5b4d8ddf9b7e0c4cc04882e42a8779 Mon Sep 17 00:00:00 2001
From: Ruoyu Zhong <zhongruoyu@outlook.com>
Date: Thu, 11 Apr 2024 04:15:59 +0800
Subject: [PATCH 4/5] package/scripts/postinstall: avoid writing to
 `~/.gitconfig`

In this attempt we pretend that the "global" configs are in the
repository itself.

    $ XDG_CONFIG_HOME= HOME=$PWD git config --global section.key value
    $ XDG_CONFIG_HOME= HOME=$PWD git config --global section.key
    value
    $ git config --global section.key
    $ cat $PWD/.gitconfig
    [section]
      key = value
---
 package/scripts/postinstall | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/package/scripts/postinstall b/package/scripts/postinstall
index 058370cf34..e6e384ea2a 100755
--- a/package/scripts/postinstall
+++ b/package/scripts/postinstall
@@ -21,15 +21,17 @@ fi
 # add Git to path
 export PATH="/Library/Developer/CommandLineTools/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:${PATH}"
 
-# use `git -c key=value` to avoid writing to Git's global config
-# https://github.com/Homebrew/brew/issues/17067
-git=(git -c "safe.directory=${homebrew_directory}")
-
 # reset Git repository
 cd "${homebrew_directory}"
+# avoid writing user's global config file by making
+# "${homebrew_directory}/.gitconfig" the "global" config
+# https://git-scm.com/docs/git-config#SCOPES
+git=(env XDG_CONFIG_HOME="" HOME="${homebrew_directory}" git)
+"${git[@]}" config --global --add safe.directory "${homebrew_directory}"
 "${git[@]}" reset --hard
 "${git[@]}" checkout --force master
 "${git[@]}" branch | grep -v '\*' | xargs -n 1 "${git[@]}" branch --delete --force || true
+rm "${homebrew_directory}/.gitconfig"
 
 # move to /usr/local if on x86_64
 if [[ $(uname -m) == "x86_64" ]]
@@ -39,9 +41,11 @@ then
     cp -pRL "${homebrew_directory}/.git" "/usr/local/Homebrew/"
     mv "${homebrew_directory}/cache_api" "/usr/local/Homebrew/"
 
-    git=(git -c safe.directory="/usr/local/Homebrew")
+    git=(env XDG_CONFIG_HOME="" HOME="/usr/local/Homebrew" git)
+    "${git[@]}" config --global --add safe.directory /usr/local/Homebrew
     "${git[@]}" -C /usr/local/Homebrew reset --hard
     "${git[@]}" -C /usr/local/Homebrew checkout --force master
+    rm /usr/local/Homebrew/.gitconfig
   else
     mkdir -vp /usr/local/bin
     mv "${homebrew_directory}" "/usr/local/Homebrew/"

From 8a0b4edd8a77b211ee0de34ab3b480d0fe73adb8 Mon Sep 17 00:00:00 2001
From: Ruoyu Zhong <zhongruoyu@outlook.com>
Date: Thu, 11 Apr 2024 20:37:37 +0800
Subject: [PATCH 5/5] package/scripts/postinstall: simplify

It is safe to override `HOME` for the entire script as only Git uses it.
---
 package/scripts/postinstall | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/package/scripts/postinstall b/package/scripts/postinstall
index e6e384ea2a..f07b2a8f67 100755
--- a/package/scripts/postinstall
+++ b/package/scripts/postinstall
@@ -21,16 +21,17 @@ fi
 # add Git to path
 export PATH="/Library/Developer/CommandLineTools/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:${PATH}"
 
+# avoid writing to user's global config file by overriding HOME
+# https://git-scm.com/docs/git-config#SCOPES
+unset XDG_CONFIG_HOME
+export HOME="${homebrew_directory}"
+
 # reset Git repository
 cd "${homebrew_directory}"
-# avoid writing user's global config file by making
-# "${homebrew_directory}/.gitconfig" the "global" config
-# https://git-scm.com/docs/git-config#SCOPES
-git=(env XDG_CONFIG_HOME="" HOME="${homebrew_directory}" git)
-"${git[@]}" config --global --add safe.directory "${homebrew_directory}"
-"${git[@]}" reset --hard
-"${git[@]}" checkout --force master
-"${git[@]}" branch | grep -v '\*' | xargs -n 1 "${git[@]}" branch --delete --force || true
+git config --global --add safe.directory "${homebrew_directory}"
+git reset --hard
+git checkout --force master
+git branch | grep -v '\*' | xargs -n 1 git branch --delete --force || true
 rm "${homebrew_directory}/.gitconfig"
 
 # move to /usr/local if on x86_64
@@ -41,10 +42,10 @@ then
     cp -pRL "${homebrew_directory}/.git" "/usr/local/Homebrew/"
     mv "${homebrew_directory}/cache_api" "/usr/local/Homebrew/"
 
-    git=(env XDG_CONFIG_HOME="" HOME="/usr/local/Homebrew" git)
-    "${git[@]}" config --global --add safe.directory /usr/local/Homebrew
-    "${git[@]}" -C /usr/local/Homebrew reset --hard
-    "${git[@]}" -C /usr/local/Homebrew checkout --force master
+    export HOME="/usr/local/Homebrew"
+    git config --global --add safe.directory /usr/local/Homebrew
+    git -C /usr/local/Homebrew reset --hard
+    git -C /usr/local/Homebrew checkout --force master
     rm /usr/local/Homebrew/.gitconfig
   else
     mkdir -vp /usr/local/bin