From 582f92eec40b6b08974b39f5d6967d46de22be0e Mon Sep 17 00:00:00 2001
From: Sascha Lustenberger | techlan gmbh <sascha.lustenberger@techlan.ch>
Date: Tue, 24 Feb 2026 10:58:02 +0100
Subject: [PATCH] fix(update): add git safe.directory and fetch --tags after
 pull
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Register SOURCE_DIR as git safe.directory before pulling so the
  process (root inside container) can access repos owned by a host user
- Run 'git fetch --tags' after pull so git describe always finds the
  latest tag for version.json — git pull does not reliably fetch all tags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 app/services/update_service.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/services/update_service.py b/app/services/update_service.py
index 8b6ea6f..ed59b06 100644
--- a/app/services/update_service.py
+++ b/app/services/update_service.py
@@ -252,6 +252,16 @@ def trigger_update(config: Any, db_path: str) -> dict:
         pull_cmd = ["git", "-C", SOURCE_DIR, "pull", "origin", branch]
 
     # 3. Git pull (synchronous — must complete before rebuild)
+    # Ensure .git directory is owned by the process user (root inside container).
+    # The .git dir may be owned by the host user after manual operations.
+    try:
+        subprocess.run(
+            ["git", "config", "--global", "--add", "safe.directory", SOURCE_DIR],
+            capture_output=True, timeout=10,
+        )
+    except Exception:
+        pass
+
     try:
         result = subprocess.run(
             pull_cmd,
@@ -275,6 +285,15 @@ def trigger_update(config: Any, db_path: str) -> dict:
 
     logger.info("git pull succeeded: %s", result.stdout.strip()[:200])
 
+    # Fetch tags separately — git pull does not always pull all tags
+    try:
+        subprocess.run(
+            ["git", "-C", SOURCE_DIR, "fetch", "--tags"],
+            capture_output=True, text=True, timeout=30,
+        )
+    except Exception as exc:
+        logger.warning("git fetch --tags failed (non-fatal): %s", exc)
+
     # 4. Read version info from the freshly-pulled source
     build_env = os.environ.copy()
     try: