Permission problems when checking out code as part of GitHub action

I’m trying to use an image from Docker Hub, makarius/isabelle, for automated builds. However, if usage of this image is enabled, checking out my repository with actions/checkout@v2 fails with the error EACCES: permission denied, open '/__w/⟨repository-name⟩/⟨repository-name⟩/⟨uuid⟩.tar.gz'. The repository is downloaded using the GitHub REST API.

A minimal workflow that triggers this error is as follows:

name: Automated checkout

on: [push]

jobs:
  checkout:
    runs-on: ubuntu-latest
    container: makarius/isabelle
    steps:
      - name: Check out repository
        uses: actions/checkout@v2

Unfortunately, the above error message, while mentioning a path, does not say on which machine the respective directories should exist or what permissions they should have.

From its documentation, I cannot tell what actions/checkout@v2 is trying to do precisely. Should the virtual host write the data into the container but doesn’t have write permissions? Or should the container try to copy the data from the virtual host onto its own disk but can’t either read or write the data?

Are there any constraints a docker image to be used with actions/checkout@v2 has to fulfill? If yes, where are these documented?

The particular image I’m trying to employ uses a non-privileged user for its entry point. Could this be the problem?

I’ve extended the workflow, adding run: ls -laR /__w before the checkout. Now I see that the directory /__w indeed exists inside the container; so apparently the host system manages to create or mount it there.

The problem is that this directory and everything in it is created for user 1001 and group 121, which don’t exist inside the container. Apparently, actions/checkout@v2 just assumes that the container uses the same user database as the host, which is quite a bold assumption, in my opinion. I guess the containers provided by GitHub Actions have this property, but since the checkout action has special support for using images from Docker Hub, I’m a bit surprised that such a constraint is imposed (and apparently not documented).

What is a simple way to fix that?

My current idea is that the only safe approach would be to use a Docker image derived from one of GitHub’s own images, like ubuntu-latest, and have this image contain the Isabelle software. However, can I create and store such an image within GitHub Actions? Putting it on Docker Hub doesn’t seem like a good idea to me, since it would depend on one of GitHub’s images, which are moving targets, from what I understand.


I’m by now convinced that the container’s entry point must have root privileges. This constraint is documented in the GitHub Actions Documentation in the section “Creating actions”. My approach doesn’t involve creating a custom action, which is why I didn’t look at that section initially. Apparently, the requirement of having root privileges also applies to the situation where you don’t implement your own action, but unfortunately the documentation doesn’t seem to mention that.

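The following workflow is an added example, not part of the original posts, that puts the thread's two findings together: the runner bind-mounts the workspace (/__w) into the job container owned by the host runner's uid/gid, so an image whose entry point runs as an unprivileged user cannot write it, and the practical fix is to make the container run as root. It keeps the minimal workflow from the first post and adds two things: `options: --user root` on the job container (the `options` key passes extra `docker create` flags and is documented for `jobs.<job_id>.container`), and a diagnostic step that prints the effective user, the owner of the mounted workspace and whether it is writable, so a mismatch is reported before actions/checkout fails with EACCES. The diagnostic assumes GNU `stat` is present in the image; `GITHUB_WORKSPACE` is set by the runner.

```yaml
name: Automated checkout

on: [push]

jobs:
  checkout:
    runs-on: ubuntu-latest
    container:
      image: makarius/isabelle
      # The image's entry point runs as an unprivileged user. The runner
      # mounts the workspace (/__w) into the container owned by the host
      # runner's uid:gid (1001:121 in the post above), a user that does not
      # exist inside the container and that the image's user cannot write as.
      # Overriding the container user with a docker create flag makes the
      # mounted workspace writable so actions/checkout can extract its archive.
      options: --user root
    steps:
      # Added diagnostic step: who are we, who owns the workspace, can we write?
      # Fails the job early with a readable message instead of an EACCES trace.
      - name: Inspect workspace ownership
        run: |
          echo "running as: $(id)"
          # assumes GNU stat (coreutils) is available in the image
          stat -c 'workspace owner %u:%g mode %A path %n' "$GITHUB_WORKSPACE"
          if [ -w "$GITHUB_WORKSPACE" ]; then
            echo "workspace is writable by uid $(id -u)"
          else
            echo "workspace is NOT writable by uid $(id -u); checkout will fail with EACCES" >&2
            exit 1
          fi

      - name: Check out repository
        uses: actions/checkout@v2
```

Two caveats. Everything the job writes into the workspace is then root-owned, which only matters if a later step in the same job must run as the image's unprivileged user. And if you would rather not override the user at job level, the equivalent image-side fix is a derived image whose last instruction is `USER root`; that image depends only on makarius/isabelle, not on any of GitHub's runner images.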