Restructure CI diagnostic steps

Cleanups on the ownership-display step from the previous commit:

- Split into per-shell steps (bash POSIX `ls -ld`, pwsh NTFS
  `Get-Acl`, bash safe.directory `git config`), removing the
  bash-driven PowerShell subprocess with `cygpath -w` and
  quote-escaping. Use `pwsh`, not `powershell.exe`. Gate
  pythonpackage's two views by `matrix.os-type` (Git Bash's `ls -ld`
  on Windows reports a uniform `runneradmin 197121` for every path,
  ignoring NTFS Owner -- MSYS2's SID-to-uid mapping doesn't have
  Cygwin's fidelity).

- Trim the decorative `$HOME` entry from POSIX path lists: it isn't
  part of any git trust decision -- only `~/.gitconfig` is. Use
  `${HOME:?HOME is not set}/.gitconfig` for the remaining entry so an
  unset HOME fails loudly.

- Move the pwsh path list into a `$paths = @(...)` variable. Unix
  shells keep the inline `for p in WORD WORD ...` form: alpine's
  `sh` (busybox ash) doesn't support arrays, and the others
  shouldn't differ from it unnecessarily.

- Drop `2>&1` from the safe.directory step. Drop the `|| echo
  "(none)"` fallback on cygwin (entries are explicitly configured;
  bare command fails on regression). Keep it on pythonpackage and
  alpine, where `actions/checkout`'s safe.directory add lives under
  a throwaway HOME override and doesn't persist, so there
  legitimately are no entries to display.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: EliahKagan

.github/workflows/alpine-test.yml

@@ -61,25 +61,28 @@ jobs:
         . .venv/bin/activate
         pip install '.[test]'
 
-    - name: Show file ownership and safe.directory entries
+    - name: Show POSIX file ownership
       run: |
-        echo "==================== File ownership ===================="
         for p in \
-            "$(pwd)" \
-            "$(pwd)/.git" \
-            "$(pwd)/git/ext/gitdb" \
-            "$(pwd)/git/ext/gitdb/.git" \
-            "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
-            "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
-            "${HOME:-}" \
-            "${HOME:-}/.gitconfig"; do
-          if [ -n "$p" ]; then
-            ls -ld -- "$p" 2>/dev/null || echo "(missing: $p)"
-          fi
+          "$(pwd)" \
+          "$(pwd)/.git" \
+          "$(pwd)/git/ext/gitdb" \
+          "$(pwd)/git/ext/gitdb/.git" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
+          "${HOME:?HOME is not set}/.gitconfig"
+        do
+          ls -ld -- "$p" 2>/dev/null || echo "(missing: $p)"
         done
-        echo
-        echo "==================== safe.directory entries ===================="
-        git config --global --get-all safe.directory 2>&1 || echo "(none)"
+
+    - name: Show safe.directory entries
+      # `actions/checkout`'s safe.directory add is only durable for the
+      # checkout itself (it writes under a throwaway HOME override and
+      # then discards it), so by the time this step runs the runner
+      # user's `~/.gitconfig` has no entries -- and the Alpine container
+      # chowns the workspace to runner:docker to match the test user, so
+      # git accepts the ownership without one. Expected: `(none)`.
+      run: git config --global --get-all safe.directory || echo "(none)"
 
     - name: Show version and platform information
       run: |

.github/workflows/cygwin-test.yml

@@ -90,64 +90,62 @@ jobs:
       run: |
         pip install '.[test]'
 
-    - &ownership-display
-      name: Show file ownership and safe.directory entries
+    - &ownership-posix-display
+      name: Show POSIX file ownership
+      # Cygwin's `ls -ld` reports the NTFS Owner SID via Cygwin's SID-to-uid
+      # mapping (well-known SIDs by their RID, machine-local accounts by
+      # 0x30000+RID). That mapping is what Cygwin git's
+      # `is_path_owned_by_current_user` reduces to, so this is the view that
+      # determines whether `safe.directory` is consulted.
       run: |
-        echo "==================== File ownership (Cygwin view, ls -ld) ===================="
         for p in \
-            "$(pwd)" \
-            "$(pwd)/.git" \
-            "$(pwd)/git/ext/gitdb" \
-            "$(pwd)/git/ext/gitdb/.git" \
-            "$(pwd)/.git/modules/gitdb" \
-            "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
-            "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
-            "$(pwd)/.git/modules/gitdb/modules/smmap" \
-            "${HOME:-}" \
-            "${HOME:-}/.gitconfig"; do
-          if [ -n "$p" ]; then
-            ls -ld -- "$p" 2>/dev/null || echo "(missing: $p)"
-          fi
+          "$(pwd)" \
+          "$(pwd)/.git" \
+          "$(pwd)/git/ext/gitdb" \
+          "$(pwd)/git/ext/gitdb/.git" \
+          "$(pwd)/.git/modules/gitdb" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
+          "$(pwd)/.git/modules/gitdb/modules/smmap" \
+          "${HOME:?HOME is not set}/.gitconfig"
+        do
+          ls -ld -- "$p" 2>/dev/null || echo "(missing: $p)"
         done
-        echo
-        echo "==================== File ownership (Win32 view, Get-Acl) ===================="
-        # Cygwin's ls -ld and stat go through Cygwin's SID-to-uid mapping
-        # (well-known SIDs by their RID, machine-local accounts by 0x30000+RID).
-        # The mapping is deterministic, but going via Win32 Get-Acl gives the
-        # NTAccount form of the NTFS Owner SID directly, with no Cygwin layer
-        # in between -- useful for confirming that what Cygwin reports as
-        # "Administrators" really is the BUILTIN\Administrators SID (S-1-5-32-544)
-        # rather than some local-machine account that Cygwin happens to map to
-        # the same uid. The workflow sets CYGWIN_NOWINPATH=1, so Windows paths
-        # are not on Cygwin's $PATH; invoke powershell.exe by absolute path.
-        ps_exe=/cygdrive/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe
-        if [ -x "$ps_exe" ]; then
-          for p in \
-              "$(pwd)" \
-              "$(pwd)/.git" \
-              "$(pwd)/git/ext/gitdb" \
-              "$(pwd)/git/ext/gitdb/.git" \
-              "$(pwd)/.git/modules/gitdb" \
-              "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
-              "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
-              "$(pwd)/.git/modules/gitdb/modules/smmap" \
-              "${HOME:-}/.gitconfig"; do
-            if [ -n "$p" ] && [ -e "$p" ]; then
-              wp=$(cygpath -w "$p")
-              # Escape single-quotes for PowerShell single-quoted string literal: ' -> ''
-              wp_escaped=${wp//\'/\'\'}
-              owner=$("$ps_exe" -NoProfile -NonInteractive -Command \
-                "try { (Get-Acl -LiteralPath '${wp_escaped}').Owner } catch { 'ERROR: ' + \$_.Exception.Message }" \
-                2>/dev/null | tr -d '\r')
-              printf "  %-44s  %s\n" "$owner" "$wp"
-            fi
-          done
-        else
-          echo "($ps_exe not found -- skipping Win32 view)"
-        fi
-        echo
-        echo "==================== safe.directory entries ===================="
-        git config --global --get-all safe.directory 2>&1 || echo "(none)"
+
+    - &ownership-ntfs-display
+      name: Show NTFS file ownership
+      # Authoritative NTFS Owner via Get-Acl, with no Cygwin SID-to-uid layer
+      # in between -- useful for confirming what the Cygwin view reports as
+      # "Administrators" is the BUILTIN\Administrators SID (S-1-5-32-544).
+      shell: pwsh
+      run: |
+        $paths = @(
+          "$pwd",
+          "$pwd\.git",
+          "$pwd\git\ext\gitdb",
+          "$pwd\git\ext\gitdb\.git",
+          "$pwd\.git\modules\gitdb",
+          "$pwd\git\ext\gitdb\gitdb\ext\smmap",
+          "$pwd\git\ext\gitdb\gitdb\ext\smmap\.git",
+          "$pwd\.git\modules\gitdb\modules\smmap",
+          "$env:USERPROFILE\.gitconfig"
+        )
+        foreach ($p in $paths) {
+          if (Test-Path -LiteralPath $p) {
+            try {
+              $owner = (Get-Acl -LiteralPath $p).Owner
+            } catch {
+              $owner = "ERROR: $($_.Exception.Message)"
+            }
+            "{0,-44}  {1}" -f $owner, $p
+          } else {
+            "(missing: $p)"
+          }
+        }
+
+    - &safe-directory-display
+      name: Show safe.directory entries
+      run: git config --global --get-all safe.directory
 
     - name: Show version and platform information
       run: |
@@ -251,7 +249,9 @@ jobs:
     - *setup-venv
     - *update-pypa
     - *install-deps
-    - *ownership-display
+    - *ownership-posix-display
+    - *ownership-ntfs-display
+    - *safe-directory-display
 
     - name: Run submodule tests
       run: |

.github/workflows/pythonpackage.yml

@@ -87,25 +87,63 @@ jobs:
       run: |
         pip install '.[test]'
 
-    - name: Show file ownership and safe.directory entries
+    - name: Show POSIX file ownership
+      # Linux and macOS only. On Windows, Git Bash's `ls -ld` reports a
+      # uniform uid+gid for every path regardless of NTFS Owner (MSYS2's
+      # SID-to-uid mapping doesn't have Cygwin's fidelity), so it would
+      # not be informative here. The NTFS Owner check below covers Windows.
+      if: matrix.os-type != 'windows'
       run: |
-        echo "==================== File ownership ===================="
         for p in \
-            "$(pwd)" \
-            "$(pwd)/.git" \
-            "$(pwd)/git/ext/gitdb" \
-            "$(pwd)/git/ext/gitdb/.git" \
-            "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
-            "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
-            "${HOME:-}" \
-            "${HOME:-}/.gitconfig"; do
-          if [ -n "$p" ]; then
-            ls -ld -- "$p" 2>/dev/null || echo "(missing: $p)"
-          fi
+          "$(pwd)" \
+          "$(pwd)/.git" \
+          "$(pwd)/git/ext/gitdb" \
+          "$(pwd)/git/ext/gitdb/.git" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap" \
+          "$(pwd)/git/ext/gitdb/gitdb/ext/smmap/.git" \
+          "${HOME:?HOME is not set}/.gitconfig"
+        do
+          ls -ld -- "$p" 2>/dev/null || echo "(missing: $p)"
         done
-        echo
-        echo "==================== safe.directory entries ===================="
-        git config --global --get-all safe.directory 2>&1 || echo "(none)"
+
+    - name: Show NTFS file ownership
+      # Windows only. Reads NTFS Owner directly via Get-Acl, which is the
+      # authoritative view for Windows-side ownership questions; the POSIX
+      # view via Git Bash's MSYS2 layer is not a reliable proxy here.
+      if: matrix.os-type == 'windows'
+      shell: pwsh
+      run: |
+        $paths = @(
+          "$pwd",
+          "$pwd\.git",
+          "$pwd\git\ext\gitdb",
+          "$pwd\git\ext\gitdb\.git",
+          "$pwd\git\ext\gitdb\gitdb\ext\smmap",
+          "$pwd\git\ext\gitdb\gitdb\ext\smmap\.git",
+          "$env:USERPROFILE\.gitconfig"
+        )
+        foreach ($p in $paths) {
+          if (Test-Path -LiteralPath $p) {
+            try {
+              $owner = (Get-Acl -LiteralPath $p).Owner
+            } catch {
+              $owner = "ERROR: $($_.Exception.Message)"
+            }
+            "{0,-44}  {1}" -f $owner, $p
+          } else {
+            "(missing: $p)"
+          }
+        }
+
+    - name: Show safe.directory entries
+      # `actions/checkout`'s safe.directory add is only durable for the
+      # checkout itself (it writes under a throwaway HOME override and
+      # then discards it), so by the time this step runs the runner
+      # user's `~/.gitconfig` has no entries -- and git accepts the
+      # workspace's ownership anyway: Git for Windows via its
+      # Admins-group exemption on the windows matrix; on Linux/macOS
+      # the workspace is owned by the test user. Expected: `(none)`.
+      run: git config --global --get-all safe.directory || echo "(none)"
 
     - name: Show version and platform information
       run: |