Permissions error when building actions container, no such issue on local

I am attemtping to create a docker container action after reading this tutorial.

On local, I have the following Dockerfile:

### Draws from https://github.com/kurron/docker-snowsql/blob/b1b16ff88b36f9df58f692a69642e84f353c2d46/Dockerfile ###

FROM ubuntu:18.04

RUN apt-get update && apt-get --assume-yes install -y curl

# Create non-root user
RUN groupadd --system snowflake --gid 444 && \
useradd --uid 444 --system --gid snowflake --home-dir /home/snowflake --create-home --shell /sbin/nologin --comment "Docker image user" snowflake && \
chown -R snowflake:snowflake /home/snowflake

# default to being in the user's home directory
WORKDIR /home/snowflake

ENV LC_ALL=C.UTF-8
ENV LANG=C.UTF-8
ENV VERSION 1.2.9
ENV SNOWSQL_DEST /usr/local/bin
ENV SNOWSQL_LOGIN_SHELL /home/snowflake/.bashrc

# grab the installation script
RUN curl -O https://sfc-repo.snowflakecomputing.com/snowsql/bootstrap/1.2/linux_x86_64/snowsql-1.2.9-linux_x86_64.bash

# Install the tool
## Add unzip first, avoid error
RUN apt-get install -y unzip vim
RUN bash snowsql-1.2.9-linux_x86_64.bash

# Switch to the non-root user
USER snowflake

# Run the SnowSQL client once, allowing it to auto-upgrade to the latest version.
# See https://docs.snowflake.com/en/user-guide/snowsql-install-config.html#label-understanding-auto-upgrades
RUN snowsql -v

ENTRYPOINT ["snowsql"]

CMD ["-v"]

I am able to build this image no problem on local. But when I attempt to create my first action after reading the tutorial, I get a permissions error.

Not sure which info is relevant, but here’s my action.yml:

# action.yml

name: 'ssql'
description: 'Get data using snowsql and save in a volume for rscripts to use'
permissions:
  
runs:
  using: 'docker'
  image: 'Dockerfile'

My .github/workflows/main.yml:

on: [push]

jobs:
  ssql_job:
    runs-on: ubuntu-latest
    name: Build ssql image
    steps:
      # To use this repository's private action,
      # you must check out the repository
      - name: Checkout
        uses: actions/checkout
      - name: Build ssql container action
        uses: ./ssql # Use an action in the ssql directory.
        id: build_ssql

When I push and then navigate to the repos Actions tab, I see the workflow failing to build the image starting at what looks like line 34 RUN snowsql -v. This is right after I switch to the non root user on the previous line USER snowflake.

Output of Actions ‘building docker image’ step:

...
  ... lots of out put above here with no issues...

  Step 12/16 : RUN bash snowsql-1.2.9-linux_x86_64.bash
   ---> Running in 49610102b20a
  **********************************************************************
   Installing SnowSQL, Snowflake CLI.
  **********************************************************************
  
  Updating /home/snowflake/.bashrc to have /usr/local/bin in PATH
  Open a new terminal session to make the updated PATH take effect.
  **********************************************************************
   Congratulations! Follow the steps to connect to Snowflake DB.
  **********************************************************************
  
  1. Open a new terminal window.
  2. Execute the following command to test your connection:
        snowsql -a <account_name> -u <login_name>
  
        Enter your password when prompted. Enter !quit to quit the connection.
  
  3. Add your connection information to the ~/.snowsql/config file:
        accountname = <account_name>
                  username = <login_name>
                  password = <password>
  
  4. Execute the following command to connect to Snowflake:
  
        snowsql
  
  See the Snowflake documentation <https://docs.snowflake.net/manuals/user-guide/snowsql.html> for more information.
  Removing intermediate container 49610102b20a
   ---> 97c036ab2e56
  Step 13/16 : USER snowflake
   ---> Running in a1dabc3f5987
  Removing intermediate container a1dabc3f5987
   ---> d9b3e02e91d1
  Step 14/16 : RUN snowsql -v
   ---> Running in 2f4408b885b6
  Failed to initialize log. No logging is enabled: [Errno 13] Permission denied: '/home/snowsql_rt.log_bootstrap'
  Installing version: 1.2.17
  Version: 1.2.17
  Removing intermediate container 2f4408b885b6
   ---> 2fec45cbd941
  Step 15/16 : ENTRYPOINT ["snowsql"]
   ---> Running in 22b5f31d93a4
  Removing intermediate container 22b5f31d93a4
   ---> e83252b18739
  Step 16/16 : CMD ["-v"]
   ---> Running in 3aacaebe01b1
  Removing intermediate container 3aacaebe01b1
   ---> eb2bc127305c
  Successfully built eb2bc127305c
  Successfully tagged 48c8ce:c8416ac1d920510b4e017a749d9e3c7c
/usr/bin/docker run --name c8cec8416ac1d920510b4e017a749d9e3c7c_d9c332 --label 48c8ce --workdir /github/workspace --rm -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/ds-pipeline-cohort-cumrevenue/ds-pipeline-cohort-cumrevenue":"/github/workspace" 48c8ce:c8416ac1d920510b4e017a749d9e3c7c
Traceback (most recent call last):
  File "snowflake/cli/bootstrap/bootstrap.py", line 1109, in <module>
  File "click/core.py", line 722, in __call__
  File "click/core.py", line 697, in main
  File "click/core.py", line 895, in invoke
  File "click/core.py", line 535, in invoke
  File "snowflake/cli/bootstrap/bootstrap.py", line 319, in run
  File "os.py", line 220, in makedirs
PermissionError: [Errno 13] Permission denied: '/github/home/.snowsql'
[8] Failed to execute script bootstrap

Why am I able to build this image on local but not when attempting to create a new github docker container action? How can I overcome this permissions error while building with Github actions?

According to the log above the build works, but running the container fails (see the /usr/bin/docker run line and below). The “permission denied” is probably because you have a USER instruction in the Dockerfile. WORKDIR won’t work as expected either, at least not after build.

The documentation describes those limitations here: Dockerfile support for GitHub Actions - GitHub Docs

1 Like