CasperWA
Self-hosted runner .git ownership issue after push
The ownership left in .git configuration directory after push belongs to root:
...
total 12
drwxr-xr-x. 2 root root 4096 18 sept. 16:34 .
drwxr-xr-x. 3 root root 4096 18 sept. 16:34 ..
-rw-r--r--. 1 root root 41 18 sept. 16:34 9221-53-7461
./refs/remotes:
total 12
drwxr-xr-x. 3 actions-runner actions-runner 4096 18 sept. 14:57 .
drwxr-xr-x. 4 actions-runner actions-runner 4096 18 sept. 18:31 ..
drwxr-xr-x. 3 actions-runner actions-runner 4096 18 sept. 18:31 origin
./refs/remotes/origin:
total 12
drwxr-xr-x. 3 actions-runner actions-runner 4096 18 sept. 18:31 .
drwxr-xr-x. 3 actions-runner actions-runner 4096 18 sept. 14:57 ..
drwxr-xr-x. 3 root root 4096 18 sept. 16:34 push-action
./refs/remotes/origin/push-action:
total 12
drwxr-xr-x. 3 root root 4096 18 sept. 16:34 .
drwxr-xr-x. 3 actions-runner actions-runner 4096 18 sept. 18:31 ..
drwxr-xr-x. 2 root root 4096 18 sept. 16:34 6222839019
./refs/remotes/origin/push-action/6222839019:
total 12
drwxr-xr-x. 2 root root 4096 18 sept. 16:34 .
drwxr-xr-x. 3 root root 4096 18 sept. 16:34 ..
The self-hosted runner is not able to cleanup the repo checkout at next run.
Is it possible to allow to choose the uid/gid that will call git for the push?
I've been looking into this a bit. It seems the way to go about this (unfortunately) is that GitHub Docker Actions should indeed use root - or rather, the user is set by the host Docker runner - for self-hosted runners this should be done similarly.
Some references I could find:
- https://github.com/actions/jekyll-build-pages/issues/18
- https://github.com/myoung34/docker-github-actions-runner/issues/186
If you think you have indeed setup your self-hosted runner in this manner, it would be helpful if you have some input on how you'd intend to implement the change for this action.
For now, I run a post action shell script changing the ownership to the user used to execute the runner as a custom setting. I guess GitHub runner should probably do something similar at pre or post action runner hook: cleanup the work direction or changing its ownership.
If the action is able to specify a UID/GID that will be used on the docker image to execute the action: USER <UID> in Dockerfile and UID as an ARG with a default sensible value, I think that should be enough.
I do not have enough GitHub action internal knowledge to known if it will work.
Right - so the main issue is that setting USER in the Dockerfile might break the action (see the docs on this).
But at the same time, the excessive comments in the still open issue actions/runner#434 shows that this is a common and known issue. From the comments here, there are multiple solutions:
- Use the tailor-made action reset-workspace-ownership-action (I'd think this is similar to the approach you're currently taking).
- Run the self-hosted runner as root.
- Permanently set the user in this action's Dockerfile, risking breaking it (according to the docs).
- Implement something similar to reset-workspace-ownership-action to either run
git mergewith a custom UID/GID or update the file ownership in-between merging and pushing (or at some other appropriate stage) within the action.
What do you think? You'd still prefer the custom addition of a UID/GID input to be used within the action?
Independently of the issue, running the action commands under another user than root will close a security issue.
Does running the container commands under a different UID than root (like in https://github.com/myoung34/docker-github-actions-runner/pull/223/files) will break anything?
To summarise:
- The action should really avoid to run anything as root for security purpose
- While fixing the previous, maybe address that issue by allowing to setup the UID
In any case, I can live with the workarounds proposed (except bullet point 2).