fix(ci): robust git isolation and early installation

1. Redirected GIT_CONFIG_GLOBAL to /tmp and added 'touch' to ensure
   writeability and prevent lock file errors.
2. Moved 'Install Git' to the top of the e2e-test job to ensure
   'actions/checkout' creates a proper .git directory.

Author: flyingrobots

.github/workflows/ci.yml

@@ -29,9 +29,11 @@ jobs:
 
       - name: Configure Git User
         run: |
-          # Redirect global git config to a file in the workspace to avoid polluting the host system
-          echo "GIT_CONFIG_GLOBAL=${{ github.workspace }}/.gitconfig_ci" >> $GITHUB_ENV
-          export GIT_CONFIG_GLOBAL="${{ github.workspace }}/.gitconfig_ci"
+          # Redirect global git config to a file in /tmp to avoid polluting the host system
+          # and ensure we have write permissions regardless of the workspace setup.
+          touch /tmp/.gitconfig_ci
+          echo "GIT_CONFIG_GLOBAL=/tmp/.gitconfig_ci" >> $GITHUB_ENV
+          export GIT_CONFIG_GLOBAL="/tmp/.gitconfig_ci"
           git config --global user.email "ci@git-cms.local"
           git config --global user.name "CI Bot"
           git config --global init.defaultBranch main
@@ -56,22 +58,20 @@ jobs:
     container:
       image: mcr.microsoft.com/playwright:v1.57.0-jammy
     steps:
-      - uses: actions/checkout@v4
-      
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'npm'
-      
-      # Git is required in the container to perform plumbing operations during E2E tests
+      # Git is required in the container to perform plumbing operations during E2E tests.
+      # Installing it BEFORE checkout ensures actions/checkout performs a real clone.
       - name: Install Git
         run: apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
+
+      - uses: actions/checkout@v4
 
       - name: Configure Git User
         run: |
-          # Redirect global git config to a file in the workspace to avoid polluting the host system
-          echo "GIT_CONFIG_GLOBAL=${{ github.workspace }}/.gitconfig_ci" >> $GITHUB_ENV
-          export GIT_CONFIG_GLOBAL="${{ github.workspace }}/.gitconfig_ci"
+          # Redirect global git config to a file in /tmp to avoid polluting the host system
+          # and ensure we have write permissions regardless of the workspace setup.
+          touch /tmp/.gitconfig_ci
+          echo "GIT_CONFIG_GLOBAL=/tmp/.gitconfig_ci" >> $GITHUB_ENV
+          export GIT_CONFIG_GLOBAL="/tmp/.gitconfig_ci"
           git config --global user.email "ci@git-cms.local"
           git config --global user.name "CI Bot"
           git config --global init.defaultBranch main

CHANGELOG.md

@@ -6,7 +6,7 @@ All notable changes to git-cms are documented in this file.
 
 ### Fixed
 
-- **(Security) Git identity leakage:** Removed `git config --global` from host-level modification in CI workflow (`.github/workflows/ci.yml`). Scripts now use an isolated global config file via `GIT_CONFIG_GLOBAL` redirected to the workspace, preventing accidental modification of host global settings if workflows are executed locally (e.g., via `act`).
+- **(Security) Git identity leakage:** Removed `git config --global` from host-level modification in CI workflow (`.github/workflows/ci.yml`). Scripts now use an isolated global config file via `GIT_CONFIG_GLOBAL` redirected to `/tmp`, preventing accidental modification of host global settings if workflows are executed locally (e.g., via `act`).
 - `QUICK_REFERENCE.md`: `revert` command description corrected — sets state to `reverted`, not `draft`
 - `QUICK_REFERENCE.md`: state machine diagram refined to accurately show `draft`→`reverted` transition
 - `QUICK_REFERENCE.md`: HTTP API table uses canonical `optional` notation and clarifies optimistic concurrency for `publish`