checkout
Permission denied when "Deleting the contents of"
Hi checkout team,
I'm having an issue when actions/checkout@v2 is trying to delete the repository:
I tried to change the permissions of the file but it is still happening; this has been happening since yesterday. I think that could be a bug but correct me if I'm wrong.
My .github/workflow/docker.yml is like this:
name: MorciTravel CI
on: [push]
jobs:
  morcitravel_job:
    name: Morcitravel job
    runs-on: ubuntu-latest
    env:
      KILL_JAVA_SH: ${{ github.workspace }}/ci/kill_java_process.sh
      SERVER_PUB_KEY: ${{ github.workspace }}/data/server/server_pub_key.txt
      JAVA_CMD_PATH: /opt/prod_jdk/bin/java
      JAR_NAME: morci-travel-api-
    services:
      mongodb:
        image: mongo:4-bionic
        ports:
          - 27017:27017
        volumes:
          - ${{ github.workspace }}/data/mongo/001_users.js:/docker-entrypoint-initdb.d/001_users.js
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      - name: Set up JDK 13
        uses: actions/setup-java@v1
        with:
          java-version: 13
      - name: Test & Package frontend
        run: mvn -B clean install -pl :morci-travel-frontend
      - name: Create version
        run: |
          APP_RELEASE_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          APP_RELEASE_VERSION_ARRAY=(${APP_RELEASE_VERSION//./ })
          ((APP_RELEASE_VERSION_ARRAY[2]++))
          APP_RELEASE_VERSION="${APP_RELEASE_VERSION_ARRAY[0]}.${APP_RELEASE_VERSION_ARRAY[1]}.${APP_RELEASE_VERSION_ARRAY[2]}"
          echo "::set-env name=JAR_NAME::$JAR_NAME$APP_RELEASE_VERSION-SNAPSHOT.jar"
          mvn -B --batch-mode release:update-versions -DdevelopmentVersion=$APP_RELEASE_VERSION-SNAPSHOT
      - name: Test & Package backend
        run: mvn -B clean test package -pl :morci-travel-api
      - name: Prepare SSH Keys
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          cat "$SERVER_PUB_KEY" > ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
      - name: Kill java process
        run: |
          ssh -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} 'bash -s' < $KILL_JAVA_SH
      - name: Remove old artifacts
        run: |
          ssh -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "rm -rf morci-travel-api-*.jar"
      - name: Copy jar to server
        run: |
          scp -P ${{ secrets.PORT }} ${{ github.workspace }}/morci-travel-api/target/$JAR_NAME ${{ secrets.USERNAME }}@${{ secrets.HOST }}:~
      - name: Launch app
        run: |
          ssh -f -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "$JAVA_CMD_PATH -Xms64M -Xmx256M -jar $JAR_NAME &"
      - name: Commit version
        run: |
          git config --global user.name 'Nicolas Vargas Ortega'
          git config --global user.email '[email protected]'
          git commit -am "AUTOMATIC: Updated version"
          git push
You may need to specify the checkout path input to avoid the volume mount being under the repository.
The containers are set up at the beginning of the job. And git clone will fail if the directory isn't empty.
You could always symlink the dir back in place (or copy the files), if you need the data underneath the repository. Or if it's your test data, consider updating your scripts to allow the location to be overridden using an env var.
I just removed the service and it is working again. The thing is that I was able to use the script without problems (with the service) in the past.
So AFAIK, the problem is that the service mounts the volume before the github checkout and this creates an existing file with the same name (I guess) and github/checkoutv2 cannot remove it, right?
I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:
sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}
I'm going to add a troubleshooting doc. I'll add a section for this.
Thank you for reporting this. I am also facing the same issue. But I still couldn't figure out a way to resolve this. Please help.
Could you take a look at @jeremylynch's response?
I had to add "echo password" before, otherwise sudo is asking for password.
echo ${{secrets.DEPLOY_PASSWORD}} | sudo -S chown -R $USER:$USER /home/github/deployment/{REPOSITORY_NAME_HERE}
Is there a better solution?
@ericsciple I have encountered a similar issue, but have not been able to sort it using the suggested solution by @jeremylynch.
We're getting this error when using this action:
And secrets.Nothing contains our PAT, which should be valid (defined for a user that has access to the repo, saved as a secret in the repo). Moreover, I've tried adding the permissions as suggested above, removing the token field, and using several different endpoints.
Important note - the same flow works without using the container, and the checkout is successful.
Any idea as to what the problem might be? I'll appreciate any advice
@guykeller Is it solved? I have the same problem when initializing the repository
Also having the same issue if I use a container.
I was not able to solve this, and instead had to stop using a container altogether. Would love a solution if anyone has one. FYI @JungHanter @ekahannes
Potentially related to https://github.com/actions/runner/issues/434
@guykeller You may find something helpful here.
Is there any way to simply make the checkout work with containers running as non-root?
I'm trying something like:
  clone-and-install:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user 1000
    steps:
      - uses: actions/checkout@v2
and it does not work.
If I run the container as root it works by the way.
@felipecrs Well, from how it looks, the GitHub runner is running under a user with UID: 1001 and GID: 116. So, change it to:
  clone-and-install:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user 1001
    steps:
      - uses: actions/checkout@v2
It makes sense. Do you know if there is any way to discover the UID dynamically?
The options: --user "$(id -u)" does not work by the way.
@felipecrs No idea. Currently, I can see only two options. Hardcoded value or "Configure" Job where you can fetch UID and use it later. But it does not make sense.
@felipecrs Something like this (runs-on must be equal):
  configure:
    runs-on: ubuntu-latest
    outputs:
      containerUser: ${{ steps.get-user.outputs.containerUser }}
    steps:
      - id: get-user
        run: echo "::set-output name=containerUser::`id -u`:`id -g`"
  clone-and-install:
    needs: configure
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user ${{ needs.configure.outputs.containerUser }}
    steps:
      - uses: actions/checkout@v2
But it is ridiculous.
Thank you so much @xanantis! The need for this is indeed ridiculous, but it solves my problem.
@felipecrs you're welcome :smile: If you are using only GitHub runners, you may consider using hardcoded value. Because UID and GID seem to be stable. 116 is a GID of a docker group.
@xanantis since I didn't find it documented anywhere, I suppose it can change anytime without any warnings, so I prefer to keep my builds safe.
Any plan to fix this? This is quite annoying since many services restrict the user to not be root.
I believe the maintainers should close this issue since it's not caused by this Action. And of course, point to the relevant repository.
Reading https://github.com/actions/runner/issues/434 description, I don't think it's so related.
Since I could not find an issue that exactly describes the real root cause and how to solve it, I created one. I believe this can now be closed.
Here is another solution that is a bit hacky but works to clean up the working directory before attempting any checkout:
jobs:
  cleanup:
    runs-on: self-hosted
    container:
      image: ubuntu:latest
    steps:
      - name: Cleaning up the $GITHUB_WORKSPACE as root from a Docker image
        # Volume auto mounted by gh actions pointing to the current working-directory
        run: find /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}/. -name . -o -prune -exec rm -rf -- {} + || true
  unit_tests:
    needs: cleanup
    name: Run the unit tests
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      ...
Hope it helps!
> I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:
> sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}
This worked for me - but I used ${{ github.workspace }} as the path
For me, I had to set the path to /__w/{REPOSITORY_NAME_HERE}. I am not sure if something changed, but this is where checkout seems to work in my case. If you think that I probably did something terribly wrong, please shout out.
I also set up passwordless sudo in the container, something that anyway GitHub Actions runners also set.
Hi,
I'm just sharing a variant of @EKami's solution but with the clean-up task executed as a single step instead of a job to save a runner execution:
  generate-openapi-code:
    name: Generate Go code from OpenAPI definitions
    runs-on: [self-hosted, nodejs]
    needs: [lint-openapi]
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      # 🐳 Step spawning a Docker container 🐳
      - name: Generate web API client packages
        working-directory: ./history
        run: |
          npm install
          # This task spawns a Docker container per the OpenAPI Generator CLI configuration file
          # present in the current working directory 👇
          npx @openapitools/openapi-generator-cli generate
      - name: Archive Paylead API client package
        uses: actions/upload-artifact@v3
        with:
          name: openapi-paylead-api-package
          path: |
            history/pkg/paylead_api
          if-no-files-found: error
      # Temporary solution.
      # See https://github.com/actions/checkout/issues/211 for more details.
      - name: Clean up GitHub workspace
        uses: docker://ubuntu:latest # 👈 Clean-up done in a Docker container 🐳
        with:
          args: find /github/workspace/. -name . -o -prune -exec rm -rf -- {} +
> I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:
> sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}
Hi, I was trying this out, but while running this command it's asking for a password. How to pass the password without doing an echo and sending it through a pipe |?
Adding a cleaning workspace step in the workflow:
      - name: Cleaning Operation
        run: sudo find /opt/actions-runner/_work/${{ github.event.repository.name }}/${{ github.event.repository.name }}/. -name . -o -prune -exec rm -rf -- {} + || true
Before cloning the repo, first clean the workspace and it will work.
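
Added example, not part of any post in this thread: a pre-checkout script for a self-hosted runner that lists workspace entries the runner user does not own (the condition behind the "Permission denied" on delete) and only repairs them after confirming the path really sits inside the runner's work directory. The function names, the FIX variable and the passwordless sudo rule it relies on are assumptions; sudo -n is used so no password is ever piped in.

```shell
#!/bin/sh
# Added example: pre-checkout ownership check for a self-hosted runner.
# Function names and FIX are assumptions, not names from the thread.

# Succeed only if TARGET resolves to a directory strictly below ROOT, so a
# privileged chown cannot be pointed at "", "..", or a symlink leading elsewhere.
inside_work_root() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    root=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
    target=$(cd -- "$2" 2>/dev/null && pwd -P) || return 1
    case "$target" in
        "$root"/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print DIR and every entry below it not owned by UID (default: current user).
foreign_owned() {
    find "$1" ! -user "${2:-$(id -u)}" -print
}

# Returns 0 when checkout can proceed, 1 when foreign-owned entries remain,
# 2 when the path is rejected. Repairs only when FIX=1 is set.
precheck_workspace() {
    work_root=$1
    ws=$2
    if ! inside_work_root "$work_root" "$ws"; then
        echo "refusing: '$ws' is not inside '$work_root'" >&2
        return 2
    fi
    bad=$(foreign_owned "$ws")
    [ -z "$bad" ] && return 0
    printf 'not owned by uid %s:\n%s\n' "$(id -u)" "$bad" >&2
    [ "${FIX:-0}" = 1 ] || return 1
    # -n: fail rather than prompt, so no password is piped into sudo.
    # -h: change symlinks themselves, never the files they point to.
    sudo -n chown -Rh "$(id -u):$(id -g)" -- "$ws"
}
```

Call precheck_workspace with the runner's _work directory and the workspace path in a step placed before actions/checkout; without FIX=1 it only reports.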