From 68f33bb7a0025988f05a45bb38a94928bacfd6b4 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 6 Feb 2023 18:05:17 +0100 Subject: [PATCH 1/8] Use plain Git instead of Tekton git-init Simplifies the container image and makes it easier to follow what is going on. --- build/package/Dockerfile.start | 29 +-------- cmd/start/main.go | 64 ++++++++++++------- .../design/software-design-specification.adoc | 8 +-- 3 files changed, 43 insertions(+), 58 deletions(-) diff --git a/build/package/Dockerfile.start b/build/package/Dockerfile.start index bd9367c8..31725003 100644 --- a/build/package/Dockerfile.start +++ b/build/package/Dockerfile.start @@ -4,11 +4,7 @@ ARG TARGETARCH SHELL ["/bin/bash", "-o", "pipefail", "-c"] USER root -ENV TEKTON_VERSION=0.24.0 \ - TEKTONCD_PATH=/opt/app-root/src/go/src/github.com/tektoncd \ - BINARY=git-init.orig \ - KO_APP=/ko-app \ - GIT_LFS_VERSION=3.0.2 +ENV GIT_LFS_VERSION=3.0.2 # Build Go binary. RUN mkdir -p /etc/go @@ -20,15 +16,7 @@ COPY internal /etc/go/internal COPY pkg /etc/go/pkg RUN cd /etc/go/cmd/start && CGO_ENABLED=0 go build -o /usr/local/bin/ods-start -RUN mkdir -p $TEKTONCD_PATH && \ - cd /tmp && \ - curl -LO https://github.com/tektoncd/pipeline/archive/refs/tags/v$TEKTON_VERSION.tar.gz && \ - tar -C $TEKTONCD_PATH -xzf v$TEKTON_VERSION.tar.gz && \ - ln -s $TEKTONCD_PATH/pipeline-$TEKTON_VERSION $TEKTONCD_PATH/pipeline && \ - cd - - -WORKDIR $TEKTONCD_PATH/pipeline - +# Install Git LFS. RUN cd /tmp \ && mkdir -p /tmp/git-lfs \ && curl -LO https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${TARGETARCH}-v${GIT_LFS_VERSION}.tar.gz \ @@ -36,9 +24,6 @@ RUN cd /tmp \ && bash /tmp/git-lfs/install.sh \ && git lfs version -RUN CGO_ENABLED=0 go build -o /tmp/openshift-pipelines-git-init ./cmd/git-init && \ - mkdir ${KO_APP} && cp /tmp/openshift-pipelines-git-init ${KO_APP}/${BINARY} - # Final image FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4 
@@ -53,14 +38,4 @@ COPY --from=builder /usr/local/bin/ods-start /usr/local/bin/ods-start COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs RUN git lfs version -RUN mkdir /ko-app -COPY --from=builder /ko-app/git-init.orig /ko-app/git-init.orig -COPY build/package/scripts/uidwrapper /ko-app/git-init - -USER root -RUN chgrp -R 0 /ko-app && \ - chmod -R g=u /ko-app /etc/passwd - USER 1001 - -ENTRYPOINT ["/ko-app/git-init"] diff --git a/cmd/start/main.go b/cmd/start/main.go index 8e2deda8..aa1fe4fe 100644 --- a/cmd/start/main.go +++ b/cmd/start/main.go @@ -1,6 +1,7 @@ package main import ( + "bytes" "errors" "flag" "fmt" 
@@ -375,62 +376,68 @@ func checkoutAndAssembleContext( checkoutDir, url, gitFullRef, gitRefSpec, sslVerify, submodules, depth string, baseCtxt *pipelinectxt.ODSContext, logger logging.LeveledLoggerInterface) (*pipelinectxt.ODSContext, error) { + absCheckoutDir, err := filepath.Abs(checkoutDir) if err != nil { - log.Fatal(err) + return nil, fmt.Errorf("absolute path: %w", err) } + logger.Infof("Checking out %s@%s into %s ...", url, gitFullRef, absCheckoutDir) - gitInitArgs := []string{ - fmt.Sprintf("-url=%v", url), - fmt.Sprintf("-revision=%v", gitFullRef), - fmt.Sprintf("-refspec=%v", gitRefSpec), - fmt.Sprintf("-path=%v", absCheckoutDir), - fmt.Sprintf("-sslVerify=%v", sslVerify), - fmt.Sprintf("-submodules=%v", submodules), - fmt.Sprintf("-depth=%v", depth), - } - logger.Debugf("git-init %s", strings.Join(gitInitArgs, " ")) - stdout, stderr, err := command.RunBuffered("/ko-app/git-init", gitInitArgs) - if err != nil { - logger.Errorf(string(stderr)) - log.Fatal(err) + + if err := runGit("init", absCheckoutDir); err != nil { + return nil, fmt.Errorf("run git cmd: %w", err) + } + if err := os.Chdir(absCheckoutDir); err != nil { + return nil, fmt.Errorf("change dir: %w", err) + } + if err := runGit("remote", "add", "origin", url); err != nil { + return nil, fmt.Errorf("run git cmd: %w", err) + } + if err := runGit("fetch", + "--recurse-submodules=yes", fmt.Sprintf("--depth=%s", depth), + "origin", + "--update-head-ok", "--force", gitFullRef, + ); err != nil { + return nil, fmt.Errorf("run git cmd: %w", err) + } + if err := runGit("checkout", "-f", "FETCH_HEAD"); err != nil { + return nil, fmt.Errorf("run git cmd: %w", err) } - logger.Infof(string(stdout)) odsPipelineIgnoreFile := filepath.Join(absCheckoutDir, ".git", "info", "exclude") if err := pipelinectxt.WriteGitIgnore(odsPipelineIgnoreFile); err != nil { - log.Fatal(err) + return nil, fmt.Errorf("write git ignore: %w", err) } logger.Infof("Wrote gitignore exclude at %s", odsPipelineIgnoreFile) // check git LFS 
state and maybe pull lfs, err := gitLfsInUse(logger, absCheckoutDir) if err != nil { - log.Fatal(err) + return nil, fmt.Errorf("check if git LFS is in use: %w", err) } if lfs { logger.Infof("Git LFS detected, enabling and pulling files...") err := gitLfsEnableAndPullFiles(logger, absCheckoutDir) if err != nil { - log.Fatal(err) + return nil, fmt.Errorf("git LFS enable and pull: %w", err) } } // write ODS cache sha, err := getCommitSHA(absCheckoutDir) if err != nil { - log.Fatal(err) + return nil, fmt.Errorf("commit SHA: %w", err) } ctxt := baseCtxt.Copy() ctxt.GitFullRef = gitFullRef ctxt.GitCommitSHA = sha err = ctxt.Assemble(absCheckoutDir) if err != nil { - log.Fatal(err) + return nil, fmt.Errorf("assemble ODS context: %w", err) } err = ctxt.WriteCache(absCheckoutDir) if err != nil { - log.Fatal(err) + return nil, fmt.Errorf("write ODS context cache: %w", err) } return ctxt, nil } @@ -454,13 +461,22 @@ func gitLfsInUse(logger logging.LeveledLoggerInterface, dir string) (lfs bool, e func gitLfsEnableAndPullFiles(logger logging.LeveledLoggerInterface, dir string) (err error) { stdout, stderr, err := command.RunBufferedInDir("git", []string{"lfs", "install"}, dir) if err != nil { - return fmt.Errorf("cannot enable git lfs: %s (%w)", stderr, err) + return fmt.Errorf("lfs install: %s (%w)", stderr, err) } logger.Infof(string(stdout)) stdout, stderr, err = command.RunBufferedInDir("git", []string{"lfs", "pull"}, dir) if err != nil { - return fmt.Errorf("cannot git pull lfs files: %s (%w)", stderr, err) + return fmt.Errorf("lfs pull: %s (%w)", stderr, err) } logger.Infof(string(stdout)) return err } + +func runGit(args ...string) error { + var output bytes.Buffer + err := command.Run("git", args, []string{}, &output, &output) + if err != nil { + return fmt.Errorf("git %v: %w\n%s", args, err, output.String()) + } + return nil +} diff --git a/docs/design/software-design-specification.adoc b/docs/design/software-design-specification.adoc index 51b3c72b..5b0d8c1f 100644 
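Review bot: `url` and `gitFullRef` are passed to `git remote add` and `git fetch` as bare positional arguments in the new `runGit` calls, so a value beginning with `-` would be parsed by git as an option instead of a repository or ref. Where these values originate is not visible in the hunk; if they can come from a webhook payload or a pipeline parameter, reject such values before the first git call, e.g. `if strings.HasPrefix(url, "-") || strings.HasPrefix(gitFullRef, "-") { return nil, fmt.Errorf("invalid git url or ref") }`. Separately, `gitRefSpec`, `sslVerify` and `submodules` remain in the signature but no longer influence any git invocation, and the fetch hard-codes `--recurse-submodules=yes`, so a caller that disabled submodules still gets them fetched. Either honour these parameters or remove them so callers are not misled about what was applied.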
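Review bot: `runGit` has no doc comment and, unlike the `command.RunBufferedInDir` calls just above it, takes no directory, so it appears to run in whatever the process working directory is at call time. A comment such as `// runGit runs git with args in the current working directory and, on failure, returns an error that includes git's combined stdout and stderr.` would make that dependency explicit. The error text also embeds every argument via `%v`, including the remote URL given to `git remote add`; if URLs can ever carry embedded credentials they would end up in the returned error and in logs, which is worth confirming against the callers.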
--- a/docs/design/software-design-specification.adoc +++ b/docs/design/software-design-specification.adoc @@ -207,7 +207,7 @@ Input parameters: TODO | SDS-TASK-8 | `ods-start` container image -| Container image to start a pipeline. Based on `ubi8/ubi-minimal` (SDS-EXT-2), includes SDS-EXT-9, SDS-EXT-13, SDS-EXT-22, SDS-EXT-27, SDS-EXT-30 and SDS-TASK-9. +| Container image to start a pipeline. Based on `ubi8/ubi-minimal` (SDS-EXT-2), includes SDS-EXT-9, SDS-EXT-13, SDS-EXT-27, SDS-EXT-30 and SDS-TASK-9. | SDS-TASK-9 | `start` binary @@ -616,12 +616,6 @@ a| The script installs the Helm chart located in `deploy/ods-pipeline`. Further, | Manages secrets with Git workflow. | https://github.com/jkroepke/helm-secrets -| SDS-EXT-22 -| Tekton -| 0.24 -| Cloud-native Pipeline resource. -| https://github.com/tektoncd/pipeline - | SDS-EXT-23 | Sops | 3.7 From 3a7bc5294d1ec9ad65a80ebed03f85dde8db443e Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 6 Feb 2023 18:05:45 +0100 Subject: [PATCH 2/8] Concatenate private cert with existing bundle Allows to pull from servers using a public cert as well. --- .../ods-pipeline/charts/tasks/templates/task-ods-start.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml index 57599932..b9a12b9a 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml @@ -175,9 +175,9 @@ spec: name: ods-pipeline resources: {} script: | - if [ -f /etc/ssl/certs/private-cert.pem ]; then - git config --global http.sslCAInfo /etc/ssl/certs/private-cert.pem + cat /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/private-cert.pem > /tekton/home/git-cert.pem + git config --global http.sslCAInfo /tekton/home/git-cert.pem fi # ods-start is built from cmd/start/main.go. 
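Review bot: The exit status of the `cat` that builds `/tekton/home/git-cert.pem` is not checked before `git config --global http.sslCAInfo` is pointed at that file. If `/etc/pki/tls/certs/ca-bundle.crt` is missing or the write fails, git ends up configured with a partial or empty bundle and the problem only surfaces later as a TLS error during fetch. Chaining the two commands keeps the configuration untouched on failure: `cat /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/private-cert.pem > /tekton/home/git-cert.pem && git config --global http.sslCAInfo /tekton/home/git-cert.pem`. The hunk as shown also marks the `if [ -f /etc/ssl/certs/private-cert.pem ]; then` guard as removed while `fi` stays as context, so it is worth confirming the guard is still present in the new file.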
From 34aa5023e5e6643be88ff7a1318ea10022ba2ce3 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 6 Feb 2023 18:19:07 +0100 Subject: [PATCH 3/8] Fix MD5 handling --- build/package/scripts/configure-truststore.sh | 6 ++++-- build/package/scripts/download-aqua-scanner.sh | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/build/package/scripts/configure-truststore.sh b/build/package/scripts/configure-truststore.sh index 22e74026..5f234f2b 100755 --- a/build/package/scripts/configure-truststore.sh +++ b/build/package/scripts/configure-truststore.sh @@ -1,7 +1,7 @@ #!/bin/bash set -u -md5_bin="${MD5_BIN:-"md5sum --tag"}" +md5_bin="${MD5_BIN:-"md5sum"}" private_cert="/etc/ssl/certs/private-cert.pem" src_truststore="${JAVA_HOME}/lib/security/cacerts" src_pass="changeit" @@ -30,7 +30,7 @@ esac; shift; done dest_truststore_dir="${dest_truststore%/*}" mkdir -p "${dest_truststore_dir}" md5_private_cert_path="${dest_truststore_dir}/.md5-private-cert" -md5_private_cert=$(${md5_bin} "${private_cert}") +md5_private_cert=$(${md5_bin} < "${private_cert}" | cut -d- -f1) if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_private_cert_path}")" ]; then echo "Creating truststore with private cert ..." @@ -40,6 +40,7 @@ if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_pri -deststorepass "${dest_pass}" -srcstorepass "${src_pass}" &> keytool-output.txt # shellcheck disable=SC2181 if [ $? -ne 0 ]; then + echo "error importing keystore:" cat keytool-output.txt; exit 1 fi # Trust private cert (hide output containing warnings). @@ -48,6 +49,7 @@ if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_pri -keystore "${dest_truststore}" -storepass "${dest_pass}" &> keytool-output.txt # shellcheck disable=SC2181 if [ $? -ne 0 ]; then + echo "error importing cert:" cat keytool-output.txt; exit 1 fi echo "${md5_private_cert}" > "${md5_private_cert_path}" 
diff --git a/build/package/scripts/download-aqua-scanner.sh b/build/package/scripts/download-aqua-scanner.sh index 12278b08..57f891db 100755 --- a/build/package/scripts/download-aqua-scanner.sh +++ b/build/package/scripts/download-aqua-scanner.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eu -md5_bin="${MD5_BIN:-"md5sum --tag"}" +md5_bin="${MD5_BIN:-"md5sum"}" aqua_scanner_url="" bin_dir=".ods-cache/bin" @@ -26,7 +26,7 @@ md5_aqua_scanner_url_path="${bin_dir}/.md5-aquasec" # If the binary already exists and was downloaded from the # URL given by aqua_scanner_url, skip download. if [ -n "${aqua_scanner_url}" ] && [ "${aqua_scanner_url}" != "none" ]; then - md5_aqua_scanner_url=$(${md5_bin} -s "${aqua_scanner_url}") + md5_aqua_scanner_url=$(printf "%s" "${aqua_scanner_url}" | ${md5_bin} | cut -d- -f1) if [ ! -f "${md5_aqua_scanner_url_path}" ] || [ "${md5_aqua_scanner_url}" != "$(cat "${md5_aqua_scanner_url_path}")" ]; then echo 'Installing Aqua scanner...' curl -v -sSf -L "${aqua_scanner_url}" -o aquasec From 478aebaa49d670d3590dffb021ae41c8860155a6 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Tue, 7 Feb 2023 15:50:34 +0100 Subject: [PATCH 4/8] Fix Java keystore handling --- build/package/scripts/configure-gradle.sh | 20 ++++++++++--------- build/package/scripts/configure-truststore.sh | 2 ++ .../charts/tasks/templates/_sonar-step.tpl | 4 ++-- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/build/package/scripts/configure-gradle.sh b/build/package/scripts/configure-gradle.sh index 81e1d17b..83158ef7 100755 --- a/build/package/scripts/configure-gradle.sh +++ b/build/package/scripts/configure-gradle.sh 
@@ -4,15 +4,17 @@ CONTENT="" if [ -f /etc/ssl/certs/private-cert.pem ]; then - echo "Configuring Gradle to trust private cert ..." - configure-truststore --dest-store ".ods-cache/truststore/cacerts" - # shellcheck disable=SC2181 - if [ $? -ne 0 ]; then - exit 1 - fi - # Configure Gradle to use the modified trust store. - CONTENT+="systemProp.javax.net.ssl.trustStore=.ods-cache/keystore/cacerts\n" - CONTENT+="systemProp.javax.net.ssl.trustStorePassword=password\n" + truststore_location="$(pwd)/.ods-cache/truststore/cacerts" + truststore_pass="changeit" + echo "Configuring Gradle to trust private cert ..." + configure-truststore --dest-store="${truststore_location}" --dest-storepass="${truststore_pass}" + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + exit 1 + fi + # Configure Gradle to use the modified trust store. + CONTENT+="systemProp.javax.net.ssl.trustStore=${truststore_location}\n" + CONTENT+="systemProp.javax.net.ssl.trustStorePassword=${truststore_pass}\n" fi if [ "${HTTP_PROXY}" != "" ]; then diff --git a/build/package/scripts/configure-truststore.sh b/build/package/scripts/configure-truststore.sh index 5f234f2b..c2d75858 100755 --- a/build/package/scripts/configure-truststore.sh +++ b/build/package/scripts/configure-truststore.sh @@ -53,4 +53,6 @@ if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_pri cat keytool-output.txt; exit 1 fi echo "${md5_private_cert}" > "${md5_private_cert_path}" +else + echo "Trustore with private cert exists already and is up-to-date." fi diff --git a/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl b/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl index 773462a2..93c5c925 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl +++ b/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl 
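Review bot: The status check after `configure-truststore` in the re-indented block still goes through `$?` and needs the `shellcheck disable=SC2181` suppression. Testing the command directly is shorter and removes the suppression: `if ! configure-truststore --dest-store="${truststore_location}" --dest-storepass="${truststore_pass}"; then exit 1; fi`. The rest of the script, including how `CONTENT` is written out, lies outside the hunk.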
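Review bot: The new `else` branch reports the truststore as up-to-date on the strength of the cached `.md5-private-cert` value alone; the contents of `${dest_truststore}` itself are never checked. Because this series points Gradle and the sonar step at a truststore under `.ods-cache` in the working directory, anything able to write there (presumably earlier steps or repository build code, to be confirmed) could leave a modified `cacerts` that later runs keep trusting. Consider recording a digest of the generated truststore next to the cert digest and rebuilding when it differs, or keeping the truststore outside the workspace. The message also has a typo, `Trustore` should read `Truststore`. The enclosing `if` starts outside this hunk.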
@@ -34,9 +34,9 @@ truststore="${JAVA_HOME}/lib/security/cacerts" if [ -f /etc/ssl/certs/private-cert.pem ]; then - truststore=".ods-cache/truststore/cacerts" + truststore="$(pwd)/.ods-cache/truststore/cacerts" + configure-truststore --dest-store "${truststore}" fi - configure-truststore --dest-store "${truststore}" # sonar is built from cmd/sonar/main.go. sonar \ -working-dir=$(params.working-dir) \ From a243aad610406439341ccd64f5db56ee25b2d997 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Tue, 7 Feb 2023 16:25:40 +0100 Subject: [PATCH 5/8] Start with clean truststore if there is already one --- build/package/scripts/configure-truststore.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/build/package/scripts/configure-truststore.sh b/build/package/scripts/configure-truststore.sh index c2d75858..3f36bee2 100755 --- a/build/package/scripts/configure-truststore.sh +++ b/build/package/scripts/configure-truststore.sh @@ -35,6 +35,9 @@ md5_private_cert=$(${md5_bin} < "${private_cert}" | cut -d- -f1) if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_private_cert_path}")" ]; then echo "Creating truststore with private cert ..." # Copy global keystone to location where we can write to (hide output containing warnings). + if [ -f "${dest_truststore}" ]; then + rm "${dest_truststore}" + fi keytool -importkeystore \ -srckeystore "${src_truststore}" -destkeystore "${dest_truststore}" \ -deststorepass "${dest_pass}" -srcstorepass "${src_pass}" &> keytool-output.txt From 37e0d30142b88c3b148bb513a2e060faaa754a55 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Tue, 7 Feb 2023 16:48:59 +0100 Subject: [PATCH 6/8] Create cached bin dir if it does not exist yet --- build/package/scripts/download-aqua-scanner.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build/package/scripts/download-aqua-scanner.sh b/build/package/scripts/download-aqua-scanner.sh index 57f891db..7df32199 100755 
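Review bot: The result of `configure-truststore` inside the new `if` is not checked, whereas `configure-gradle.sh` exits when the same call fails. If truststore creation fails here, `sonar` is still started while `truststore` (presumably handed to it further down, outside the hunk) points at a file that may be missing or incomplete. Failing at the cause is a one-line change: `configure-truststore --dest-store "${truststore}" || exit 1`. Whether the step script already runs with `set -e` is not visible in the hunk.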
--- a/build/package/scripts/download-aqua-scanner.sh +++ b/build/package/scripts/download-aqua-scanner.sh @@ -21,6 +21,7 @@ esac; shift; done aqua_scanner_path="${bin_dir}/aquasec" md5_aqua_scanner_url_path="${bin_dir}/.md5-aquasec" +mkdir -p "${bin_dir}" # Optionally install Aqua scanner. # If the binary already exists and was downloaded from the @@ -29,7 +30,7 @@ if [ -n "${aqua_scanner_url}" ] && [ "${aqua_scanner_url}" != "none" ]; then md5_aqua_scanner_url=$(printf "%s" "${aqua_scanner_url}" | ${md5_bin} | cut -d- -f1) if [ ! -f "${md5_aqua_scanner_url_path}" ] || [ "${md5_aqua_scanner_url}" != "$(cat "${md5_aqua_scanner_url_path}")" ]; then echo 'Installing Aqua scanner...' - curl -v -sSf -L "${aqua_scanner_url}" -o aquasec + curl -sSf -L "${aqua_scanner_url}" -o aquasec mv aquasec "${aqua_scanner_path}" chmod +x "${aqua_scanner_path}" echo "${md5_aqua_scanner_url}" > "${md5_aqua_scanner_url_path}" From 0ec92694293830a6fd7678084ea4f4b1a5d3f709 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Fri, 10 Feb 2023 09:44:41 +0100 Subject: [PATCH 7/8] Increase timeout --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 23db4ea0..de5815ea 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
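Review bot: The binary fetched by `curl -sSf -L "${aqua_scanner_url}" -o aquasec` is moved into place and made executable without any integrity check; the stored MD5 covers only the URL string, so it detects a changed URL, not changed content. If the download source or the path to it is tampered with, the pipeline would run whatever was served. Consider accepting an expected digest as an additional option and verifying it before `chmod +x`, for example `echo "${aqua_scanner_sha256}  aquasec" | sha256sum -c -`, where `aqua_scanner_sha256` is a proposed parameter that does not exist in the script today. The enclosing `if` block continues past the end of the hunk.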
@@ -125,7 +125,7 @@ jobs: go test -v ./cmd/... | sed ''/PASS/s//$(printf "\033[32mPASS\033[0m")/'' | sed ''/FAIL/s//$(printf "\033[31mFAIL\033[0m")/'' go test -v ./internal/... | sed ''/PASS/s//$(printf "\033[32mPASS\033[0m")/'' | sed ''/FAIL/s//$(printf "\033[31mFAIL\033[0m")/'' go test -v ./pkg/... | sed ''/PASS/s//$(printf "\033[32mPASS\033[0m")/'' | sed ''/FAIL/s//$(printf "\033[31mFAIL\033[0m")/'' - go test -timeout 30m -v ./test/tasks/... -always-keep-tmp-workspaces | sed ''/PASS/s//$(printf "\033[32mPASS\033[0m")/'' | sed ''/FAIL/s//$(printf "\033[31mFAIL\033[0m")/'' + go test -timeout 45m -v ./test/tasks/... -always-keep-tmp-workspaces | sed ''/PASS/s//$(printf "\033[32mPASS\033[0m")/'' | sed ''/FAIL/s//$(printf "\033[31mFAIL\033[0m")/'' go test -timeout 10m -v ./test/e2e/... | sed ''/PASS/s//$(printf "\033[32mPASS\033[0m")/'' | sed ''/FAIL/s//$(printf "\033[31mFAIL\033[0m")/'' - name: Log into ghcr.io From de8182fc11e7d5d196bcafd22d6ec7679cc625c2 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Fri, 10 Feb 2023 13:14:56 +0100 Subject: [PATCH 8/8] Change back to working dir after checkout --- cmd/start/main.go | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/cmd/start/main.go b/cmd/start/main.go index aa1fe4fe..7dcf8308 100644 --- a/cmd/start/main.go +++ b/cmd/start/main.go @@ -366,7 +366,7 @@ func downloadArtifacts( logger, ) if err != nil { - return err + return fmt.Errorf("download group %s: %w", group, err) } return pipelinectxt.WriteJsonArtifact(am, artifactsDir, pipelinectxt.ArtifactsManifestFilename) 
@@ -375,21 +375,31 @@ func downloadArtifacts( func checkoutAndAssembleContext( checkoutDir, url, gitFullRef, gitRefSpec, sslVerify, submodules, depth string, baseCtxt *pipelinectxt.ODSContext, - logger logging.LeveledLoggerInterface) (*pipelinectxt.ODSContext, error) { + logger logging.LeveledLoggerInterface) (ctxt *pipelinectxt.ODSContext, err error) { + workingDir, err := os.Getwd() + if err != nil { + return + } + // Change back to working dir after checkout. + defer func(wd string) { + if err != nil { // if there are previous errors, give them predence. + return + } + err = os.Chdir(wd) + }(workingDir) absCheckoutDir, err := filepath.Abs(checkoutDir) if err != nil { return nil, fmt.Errorf("absolute path: %w", err) } - logger.Infof("Checking out %s@%s into %s ...", url, gitFullRef, absCheckoutDir) - - if err := runGit("init", absCheckoutDir); err != nil { - return nil, fmt.Errorf("run git cmd: %w", err) - } if err := os.Chdir(absCheckoutDir); err != nil { return nil, fmt.Errorf("change dir: %w", err) } + if err := runGit("init"); err != nil { + return nil, fmt.Errorf("run git cmd: %w", err) + } + if err := runGit("remote", "add", "origin", url); err != nil { return nil, fmt.Errorf("run git cmd: %w", err) } @@ -428,7 +438,7 @@ func checkoutAndAssembleContext( if err != nil { return nil, fmt.Errorf("commit SHA: %w", err) } - ctxt := baseCtxt.Copy() + ctxt = baseCtxt.Copy() ctxt.GitFullRef = gitFullRef ctxt.GitCommitSHA = sha err = ctxt.Assemble(absCheckoutDir) @@ -439,7 +449,7 @@ func checkoutAndAssembleContext( if err != nil { return nil, fmt.Errorf("write ODS context cache: %w", err) } - return ctxt, nil + return } func getCommitSHA(dir string) (string, error) {
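Review bot: The deferred function returns early when `err` is already set, so after any failed step the process stays in `absCheckoutDir` instead of the original working directory, which is more than the comment's "give them precedence" implies. Restoring unconditionally while keeping the earlier error fixes that: `if cerr := os.Chdir(wd); cerr != nil && err == nil { err = cerr }`. The early `return` after `os.Getwd()` also hands back the raw error while every other path wraps it, e.g. `return nil, fmt.Errorf("get working dir: %w", err)`. Since `gitLfsEnableAndPullFiles` already passes a directory to `command.RunBufferedInDir`, giving `runGit` a directory argument would avoid changing the process-wide working directory at all. The function body continues outside this hunk, and the comment typo `predence` should read `precedence`.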