github-action icon indicating copy to clipboard operation
github-action copied to clipboard

Published 20 hours ago verified publisher icon renovatebot

Unable to use `actions/cache` with Renovate: `EACCESS`

Open jamietanna opened this issue 2 years ago • 8 comments

When using GitHub Actions' caching functionality, Renovate ends up hitting an EACCESS when trying to write to the restored cache keys.

A failing job with workflow definition reports the following error on subsequent runs:

 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "BxuFXuCsh1JmPxe_hfhG1",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
         }
       ]

It appears that:

/usr/bin/docker run --env RENOVATE_TOKEN=x-access-token:*** --env RENOVATE_CONFIG_FILE=/github-action/config.js --volume /home/runner/work/actions-testing/actions-testing/config.js:/github-action/config.js --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --user 1000:121 --rm renovate/renovate:34.2.0-slim

May be at fault, as running id -u outside of the Renovate runner shows:

uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal)

Whereas we're trying to use the uid 1000, which doesn't match, and is therefore denied from reading the files:

# this is from a different run, so not visible on the above link
/tmp/renovate-baseDir:
total 12
drwxr-xr-x  3 runner docker 4096 Nov  2 16:40 .

jamietanna avatar Nov 02 '22 17:11 jamietanna

It looks like https://github.com/renovatebot/github-action/blob/d7c9fe4fd76644e3acba0da8fe63756bac210d94/src/renovate.ts#L20 is the line we'd want to change

jamietanna avatar Nov 02 '22 17:11 jamietanna

@jamietanna were you able to work past this?

Akaame avatar Jan 31 '23 17:01 Akaame

@Akaame we are working around that like this:

- run: sudo chown -R 1000 /tmp/renovate
- // Run renovate
- run: sudo chown -R $(whoami) /tmp/renovate

GSala avatar Feb 01 '23 08:02 GSala

Due to the size of our organisation, the recommendation from the Renovate team was to use Mend Renovate On-Prem (which is free!) and much less costly for our usages, and has its own means to do caching

jamietanna avatar Feb 01 '23 08:02 jamietanna

@GSala thanks this is what we also ended up doing.

Akaame avatar Feb 11 '23 01:02 Akaame

v35 will use current host user id and use binarySource=install

viceice avatar Mar 10 '23 12:03 viceice

Need to revert the default user change because of

  • #713
  • #736

viceice avatar May 12 '23 08:05 viceice