Unable to attest artifacts when a git worktree exists

[gsavage]

Summary

If a git repository the worktreeconfig extension enabled, the call to kosli attest artifact will fail with an error that:

core.repositoryformatversion does not support extension: worktreeconfig

To reproduce this, create an empty git repository and cd into it. Then run

git config --local extensions.worktreeconfig true

kosli attest artifact ./Dockerfile --artifact-type=file --flow=my-flow --trail=my-trail --name=my.name --build-url=https://github.com/hello/world.git --commit-url=https://github.com/hello/world.git 

The call to attest artifact will fail with the error shown above.

Initial investigation

My initial investigation suggests that the go-git library used within the CLI does not have support for git worktrees; support is clearly being added in v6 of that library, but that's still marked as "alpha" by the maintainers.

Blast Radius

The use of git worktrees, configured in a way that would set the extensions flag in a git config, is almost certainly something that would only happen for local development. I doubt a CI/CD pipeline would make use of worktrees. Therefore, the impact is likely to be limited to those who are actively developing against the Kosli CLI.

It is worth noting that development LLMs, such as Claude Code, make use of git worktrees and so this may become more of a problem as more developers adopt such tools.

[gsavage]

Steps for an individual to "resolve" the issue for themselves

If you find you are affected by this, you can do the following. Note that you'll want to make sure that you don't have any worktrees first:

cd problematic-git-repo
git worktree list
# check the list only contains the current directory
git config --local --unset extensions.worktreeconfig

That last command removes the problematic configuration from your local repository, so the go-git library will not throw any errors.