Checkout error in container runner

This is the non-root user I am creating in the Docker image to run the workflow:

RUN useradd --shell /bin/bash --create-home cicd-runner
USER cicd-runner

When I try to simply checkout the repo with the official checkout action, this error appears:

  /usr/bin/git init /__w/pydeps/pydeps
  /__w/pydeps/pydeps/.git: Permission denied
  Error: The process '/usr/bin/git' failed with exit code 1

What permissions do I need to give the non-root user?

There are no permissions you can set inside the container image to make this work. The workspace on the runner VM is mounted to /__w/ when the runner starts the job container (check the “Initialize containers” step in the log). Assuming a GitHub hosted runner VM the workspace is owned by the user runner. So what’s happening here is that the container is running as a different non-root user and can’t write another user’s files.

The documentation on Dockerfiles for Actions mentions the following regarding USER instructions:

Docker actions must be run by the default Docker user (root). Do not use the USER instruction in your Dockerfile, because you won’t be able to access the GITHUB_WORKSPACE.

If you use a job container you can’t adjust ownership before passing control to the container, so I’m afraid you’ll have to either run the container as root or start it manually (docker run and possibly docker exec).


Yeah, that’s what I was afraid of… thank you for the clarification 🙂


Just to confirm if I understood correctly, does that mean that the GiHA runtime is installing a non-root user (runner) under the hood and ensuring the upcoming GiHA actions are executed within the context of this non-root (runner) user (installed by the GiHA runtime)?

Not sure what you mean by “under the hood”. On a GitHub hosted runner the runner user is part of the standard VM setup, not sure about self-hosted ones.

Actions stuff that runs on the VM (run without a job container, JavaScript Actions) runs as the runner user. You can use sudo without password for commands that need root access. Job containers and Docker Actions run as the default user for the image, which is root unless there’s a USER instruction.

The workspace directory in the VM is owned by the runner user. root naturally can write there anyway, but any other user defined in a container that doesn’t happen to have the exact same UID as the runner user won’t be able to.

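As an added example (not from this thread or from GitHub's runner code), a small POSIX shell check that reproduces the diagnosis above: it compares the UID the job container runs as with the owner of the mounted workspace, and probes writability, before git is ever invoked. The /__w default path is an assumption taken from the log lines in the question.

```shell
#!/bin/sh
# Added example: diagnose the "Permission denied" from the thread before git runs.
# Assumed: the job-container workspace mount is /__w (override with the first argument).

# Print the numeric owner of a path (GNU stat, falling back to BSD stat).
owner_uid() {
  stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Return 0 if the current user can create files in the directory (root, the
# owning UID, or otherwise writable); 1 on a UID mismatch that would make
# `git init` fail as in the question; 2 if the directory does not exist.
check_workspace_owner() {
  dir="${1:-/__w}"
  uid="$(id -u)"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  owner="$(owner_uid "$dir")"
  if [ "$uid" -eq 0 ]; then
    echo "running as root: $dir (owner uid $owner) is writable regardless"
    return 0
  fi
  if [ "$uid" -eq "$owner" ]; then
    echo "uid $uid owns $dir"
    return 0
  fi
  # Not the owner: group or world permissions may still allow writes, so probe.
  if probe="$(mktemp "$dir/.perm-probe.XXXXXX" 2>/dev/null)"; then
    rm -f "$probe"
    echo "uid $uid is not the owner (uid $owner) of $dir but can still write"
    return 0
  fi
  echo "uid mismatch: container uid $uid, $dir owned by uid $owner;" \
       "git init under $dir will fail with Permission denied" >&2
  return 1
}

# Stand-alone run: `sh check.sh --run [DIR]` checks the default mount or DIR.
if [ "${1:-}" = "--run" ]; then
  check_workspace_owner "${2:-/__w}"
fi
```

Run it as the first step inside the job container; a non-zero exit tells you whether the image's USER matches the runner's UID before the checkout action fails.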