Cannot write to $GITHUB_OUTPUT file from Docker action using user with UID 1000 #10915

Open
1 of 15 tasks
vorporeal opened this issue Nov 6, 2024 · 3 comments

vorporeal commented Nov 6, 2024

Description

We have a custom action that spins up an Arch Linux Docker container and runs a shell script within it that writes to $GITHUB_OUTPUT. The Dockerfile creates a user named build with UID 1000, and invokes USER build so entrypoint.sh executes as this non-root user. (We cannot run the script we need to as root.)

This has been working fine up until today, when it started failing. It failed when running with the 20241103.1.0 runner image (ubuntu-20.04) but passed a few hours earlier with the 20241006.1.0 runner image.

We're getting a "Permission denied" error when attempting to append to $GITHUB_OUTPUT. I'm guessing the user owning the $GITHUB_OUTPUT file outside of the container is no longer assigned UID 1000 and/or the permissions on the file don't grant all users write permissions, leading to this issue.

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

Image: ubuntu-20.04
Version: 20241103.1.0

Screenshot of the failing step:

Output copied below, in case it's useful to have it in text form:

Run ./.github/actions/bundle_arch_package
Building docker image
/usr/bin/docker run --name c6dc350e4cd7f005b529aff3e296d6904d9d0_a09fdb --label 5c6dc3 --workdir /github/workspace --rm -e "CARGO_TERM_COLOR" -e "CONFIG_FILE" -e "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE" -e "GOOGLE_APPLICATION_CREDENTIALS" -e "GOOGLE_GHA_CREDS_PATH" -e "CLOUDSDK_CORE_PROJECT" -e "CLOUDSDK_PROJECT" -e "GCLOUD_PROJECT" -e "GCP_PROJECT" -e "GOOGLE_CLOUD_PROJECT" -e "INPUT_CHANNEL" -e "INPUT_RELEASE-TAG" -e "INPUT_ARCH" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/warp-internal/warp-internal":"/github/workspace" 5c6dc3:50e4cd7f005b529aff3e296d6904d9d0  "dev" "v0.2024.11.06.16.24.dev_00" "aarch64"
Setting release tag to v0.2024.11.06.16.24.dev_00
Setting architecture to aarch64
Skipping `cargo build` step due to --skip-build argument
./script/linux/bundle: line 195: /github/file_commands/set_output_2b1cf403-5179-4f32-ba69-1b387703b018: Permission denied

Is it regression?

Yes, it worked on 20241006.1.0 a few hours earlier

Expected behavior

We should be able to write to the file path at $GITHUB_OUTPUT from within a Docker container action without errors.

Actual behavior

The write fails with "Permission denied".

Repro steps

I have not explicitly tested this, but my expectation is that the following would reproduce the issue (it's a simplification of our failing action):

Define a Docker action with the following Dockerfile:

# Explicitly use an older version, as it appears that the next release
# (base-devel-20240714.0.246936) causes fakeroot (invoked by makepkg)
# to hang.
FROM archlinux:base-devel-20240101.0.204074

ARG USERNAME=build
ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Create our build user.
RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME

# Run as our build user instead of root, as makepkg must be run as a non-root
# user.
USER $USERNAME

COPY entrypoint.sh /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]

Define the following entrypoint.sh file:

#!/usr/bin/env bash

echo "test=value" >> "$GITHUB_OUTPUT"

Use that action in a workflow running on ubuntu-20.04 that uses the new runner image.
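
An added diagnostic sketch (not part of the issue and not code from the runner-images project) for the situation described above: it reports who owns the file behind `$GITHUB_OUTPUT` as seen from inside the container and whether a given numeric UID can append to it by mode bits alone. The function names `write_access` and `check_output_file` are hypothetical, GNU `stat` is assumed, and ACLs and read-only mounts are not considered.

```shell
#!/bin/sh
# Added example: explain whether a UID can append to a bind-mounted file such
# as $GITHUB_OUTPUT. Only numeric IDs are compared, because user names are not
# shared between the runner host and the container; the numbers are.

# write_access UID "GIDS" OWNER GROUP MODE -> prints "<class>:<yes|no>"
# Exactly one permission class is consulted: owner, else group, else other.
write_access() {
  wa_uid=$1 wa_gids=$2 wa_owner=$3 wa_group=$4
  wa_mode=$((0$5))                       # octal mode string, e.g. 644
  if [ "$wa_uid" -eq 0 ]; then           # root normally bypasses mode bits
    echo "root:yes"; return 0
  fi
  wa_class=other wa_bit=2                # 0002: write bit for "other"
  for g in $wa_gids; do
    [ "$g" -eq "$wa_group" ] && wa_class=group wa_bit=16    # 0020
  done
  [ "$wa_uid" -eq "$wa_owner" ] && wa_class=owner wa_bit=128  # 0200
  if [ $((wa_mode & wa_bit)) -ne 0 ]; then
    echo "$wa_class:yes"
  else
    echo "$wa_class:no"; return 1
  fi
}

# check_output_file PATH [UID] ["GIDS"]: print ownership next to the caller's
# IDs. Returns 0 if writable by mode bits, 1 if not, 2 if the file is missing.
check_output_file() {
  cf_path=$1 cf_uid=${2:-$(id -u)} cf_gids=${3:-$(id -G)}
  if [ ! -e "$cf_path" ]; then
    echo "$cf_path: missing (is the file_commands volume mounted?)"; return 2
  fi
  set -- $(stat -c '%u %g %a' "$cf_path")   # owner uid, group gid, octal mode
  cf_rc=0
  cf_res=$(write_access "$cf_uid" "$cf_gids" "$1" "$2" "$3") || cf_rc=1
  echo "$cf_path owner=$1 group=$2 mode=$3 caller_uid=$cf_uid -> $cf_res"
  return $cf_rc
}

# Typical use near the top of entrypoint.sh, before the first write:
if [ -n "${GITHUB_OUTPUT:-}" ]; then
  check_output_file "$GITHUB_OUTPUT" >&2 || true
fi
```

A result of `other:no` for UID 1000 means the file is owned by a different numeric UID on the host and does not grant write access to other users, which matches the guess in the description.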

VincentTanguayCasgrain commented Nov 6, 2024

We had the same exact issue. We have more or less the same Dockerfile strategy.

The issue came when they changed the default version of the Ubuntu image to 20241103.1.0 from 20241015.1.0. The runner could not read files shared in a volume between the runner and the container instance.

I saw that Buildx changed between versions. I tried to revert to 0.17.1, but in the end it didn't work.

Somehow someone reverted something, and now our CI runs 20241015.1.0 again.

Hope this helps a little.

@kishorekumar-anchala
Contributor

Hi @vorporeal - we're looking into this issue, and we will update on it ASAP. Thank you!

Prabhatkumar59 commented Nov 7, 2024

Hi @vorporeal - As I can observe from your issue description, the recent permission issue with $GITHUB_OUTPUT in your Docker container action is likely due to changes in the runner image or permissions.

For this, you can try the following options:

- You can try to set permissions on $GITHUB_OUTPUT before entering the container. You can do this by running a chmod command to make the file writable by other users (including UID 1000) before starting the Docker container. Try running chmod a+rw $GITHUB_OUTPUT before the Docker step to allow non-root container access.

- name: Adjust permissions for $GITHUB_OUTPUT
  run: chmod a+rw "$GITHUB_OUTPUT"

- Further, inside your Docker action (entrypoint.sh), write to a custom file instead of $GITHUB_OUTPUT, then append it to $GITHUB_OUTPUT in a separate step:

- name: Append Docker output to $GITHUB_OUTPUT
  run: cat /github/workspace/custom_output >> "$GITHUB_OUTPUT"

These might help to resolve your issues.
