I have a CI pipeline which runs a basic Python unit test command. It uses the python:3.11 Docker base image.
When the pipeline runs in the main repo, everything works fine. However, when running the pipeline in a fork, I get the following error message.
Preparing environment
Running on runner-xxx-concurrent-0 via runner-xxx...
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/<username>/<project_name>/.git
Created fresh repository.
fatal: mismatched algorithms: client sha1; server sha256
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1
I’ve confirmed that my repo, my local git, and all commits in the repo, are using SHA256 (in both the main repo and the fork).
The error indicates that the Git client and server are using mismatched hash algorithms for communication. Specifically, the client (your CI pipeline environment) uses SHA-1, while the server requires SHA-256. This issue is often related to differences in Git versions or configurations between environments. Here’s how to troubleshoot and resolve it:
Steps to Resolve
Ensure Both Git Client and Server Use SHA-256
Verify that the Git version in the CI runner environment (within the python:3.11 Docker image) supports SHA-256:
git --version
Git versions 2.29 and newer support SHA-256 repositories. If the version is outdated, consider updating the Git client by modifying the Docker image or base environment.
2. Update the Docker Image
By default, the python:3.11 image may not include the latest Git version. Update Git in the Docker image used in your CI pipeline:
FROM python:3.11
RUN apt-get update && apt-get install -y git
Rebuild your Docker image with this updated configuration.
Explicitly Set Hash Algorithm
Ensure the hash algorithm is set to SHA-256 in your Git configuration. Add this step to your CI pipeline:
git config --global protocol.version 2
This forces Git to negotiate capabilities with the latest protocol version.
4. Check CI Runner Configuration
If you are using a shared runner, confirm its Git configuration supports SHA-256 repositories. You might need to configure a dedicated runner with the appropriate environment.
Debug Environment Mismatch
Add debugging steps in your CI pipeline to check the environment and Git settings:
git config --list
git config --global --list
Force SHA-1 Compatibility
As a temporary workaround (if you cannot update Git), you can allow SHA-1 in your repository: