Permission denied when "Deleting the contents of" #211

Open
soasada opened this issue Apr 8, 2020 · 37 comments
Labels
documentation Improvements or additions to documentation

Comments

@soasada

soasada commented Apr 8, 2020

Hi checkout team,

I'm having an issue when actions/checkout@v2 is trying to delete the repository:

image

I tried to change the permissions of the file but it is still happening; this has been happening since yesterday. I think that could be a bug, but correct me if I'm wrong.

My .github/workflow/docker.yml is like this:

name: MorciTravel CI

on: [push]

jobs:

  morcitravel_job:
    name: Morcitravel job
    runs-on: ubuntu-latest
    env:
      KILL_JAVA_SH: ${{ github.workspace }}/ci/kill_java_process.sh
      SERVER_PUB_KEY: ${{ github.workspace }}/data/server/server_pub_key.txt
      JAVA_CMD_PATH: /opt/prod_jdk/bin/java
      JAR_NAME: morci-travel-api-
    services:
      mongodb:
        image: mongo:4-bionic
        ports:
          - 27017:27017
        volumes:
          - ${{ github.workspace }}/data/mongo/001_users.js:/docker-entrypoint-initdb.d/001_users.js
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      - name: Set up JDK 13
        uses: actions/setup-java@v1
        with:
          java-version: 13
      - name: Test & Package frontend
        run: mvn -B clean install -pl :morci-travel-frontend
      - name: Create version
        run: |
          APP_RELEASE_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          APP_RELEASE_VERSION_ARRAY=(${APP_RELEASE_VERSION//./ })
          ((APP_RELEASE_VERSION_ARRAY[2]++))
          APP_RELEASE_VERSION="${APP_RELEASE_VERSION_ARRAY[0]}.${APP_RELEASE_VERSION_ARRAY[1]}.${APP_RELEASE_VERSION_ARRAY[2]}"
          echo "::set-env name=JAR_NAME::$JAR_NAME$APP_RELEASE_VERSION-SNAPSHOT.jar"
          mvn -B --batch-mode release:update-versions -DdevelopmentVersion=$APP_RELEASE_VERSION-SNAPSHOT
      - name: Test & Package backend
        run: mvn -B clean test package -pl :morci-travel-api
      - name: Prepare SSH Keys
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          cat "$SERVER_PUB_KEY" > ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
      - name: Kill java process
        run: |
          ssh -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} 'bash -s' < $KILL_JAVA_SH
      - name: Remove old artifacts
        run: |
          ssh -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "rm -rf morci-travel-api-*.jar"
      - name: Copy jar to server
        run: |
          scp -P ${{ secrets.PORT }} ${{ github.workspace }}/morci-travel-api/target/$JAR_NAME ${{ secrets.USERNAME }}@${{ secrets.HOST }}:~
      - name: Launch app
        run: |
          ssh -f -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "$JAVA_CMD_PATH -Xms64M -Xmx256M -jar $JAR_NAME &"
      - name: Commit version
        run: |
          git config --global user.name 'Nicolas Vargas Ortega'
          git config --global user.email 'soasada@users.noreply.github.com'
          git commit -am "AUTOMATIC: Updated version"
          git push
@ericsciple
Contributor

You may need to specify the checkout path input to avoid the volume mount being under the repository.

The containers are set up at the beginning of the job. And git clone will fail if the directory isn't empty.

You could always symlink the dir back in place (or copy the files), if you need the data underneath the repository. Or if it's your test data, consider updating your scripts to allow the location to be overridden using an env var.

@soasada
Author

soasada commented Apr 9, 2020

> You may need to specify the checkout path input to avoid the volume mount being under the repository.
>
> The containers are set up at the beginning of the job. And git clone will fail if the directory isn't empty.
>
> You could always symlink the dir back in place (or copy the files), if you need the data underneath the repository. Or if it's your test data, consider updating your scripts to allow the location to be overridden using an env var.

I just removed the service and it is working again. The thing is that I was able to use the script without problems (with the service) in the past.

So AFAIK, the problem is that the service mounts the volume before the github checkout and this creates an existing file with the same name (I guess) and github/checkoutv2 cannot remove it, right?

@jeremylynch

I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:

sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}

@ericsciple ericsciple added external documentation Improvements or additions to documentation and removed external labels Apr 15, 2020
@ericsciple
Contributor

I'm going to add a troubleshooting doc. I'll add a section for this.

@karancode

karancode commented Apr 20, 2020

Thank you for reporting this. I am also facing the same issue. But I still couldn't figure out a way to resolve this. Please help.

@soasada
Author

soasada commented Apr 21, 2020

> Thank you for reporting this. I am also facing the same issue. But I still couldn't figure out a way to resolve this. Please help.

Could you take a look at @jeremylynch's response?

@zpsjs

zpsjs commented Apr 24, 2020

I had to add "echo password" before, otherwise sudo is asking for password.

echo ${{secrets.DEPLOY_PASSWORD}} | sudo -S chown -R $USER:$USER /home/github/deployment/{REPOSITORY_NAME_HERE}

Is there a better solution?

@guykeller

@ericsciple I have encountered a similar issue, but have not been able to sort it using the suggested solution by @jeremylynch.
image

We're getting this error when using this action:
image

And secrets.Nothing contains our PAT, which should be valid (defined for a user that has access to the repo, saved as a secret in the repo).
Moreover, I've tried adding the permissions as suggested above, removing the token field, and using several different endpoints.

Important note - the same flow works without using the container, and the checkout is successful.

Any idea as to what the problem might be? I'll appreciate any advice

@JungHanter

JungHanter commented Jul 8, 2020

@guykeller Is it solved? I have the same problem when initializing the repository

@ekahannes

Also having the same issue if I use a container.

@guykeller

I was not able to solve this, and instead had to stop using a container altogether.
Would love a solution if anyone has one.
FYI @JungHanter @ekahannes

@jef
Contributor

jef commented Jul 27, 2020

Potentially related to actions/runner#434

@xanantis

@guykeller You may find something helpful here.

@felipecrs

felipecrs commented Aug 22, 2020

Is there any way to simply make the checkout work with containers running as non-root?

I'm trying something like:

clone-and-install:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user 1000
    steps:
      - uses: actions/checkout@v2

and it does not work.

If I run the container as root it works by the way.

@xanantis

@felipecrs Well, from how it looks, the GitHub runner is running under a user with UID: 1001 and GID: 116
So, change it to:

clone-and-install:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user 1001
    steps:
      - uses: actions/checkout@v2

@felipecrs

> @felipecrs Well, from how it looks, the GitHub runner is running under a user with UID: 1001 and GID: 116

It makes sense. Do you know if there is any way to discover the UID dynamically?

The options: --user "$(id -u)" does not work by the way.

@xanantis

@felipecrs No idea. Currently, I can see only two options. Hardcoded value or "Configure" Job where you can fetch UID and use it later. But it does not make sense.

@xanantis

@felipecrs Something like this (runs-on must be equal):

  configure:
    runs-on: ubuntu-latest
    outputs:
      containerUser: ${{ steps.get-user.outputs.containerUser }}
    
    steps:
      - id: get-user
        run: echo "::set-output name=containerUser::`id -u`:`id -g`"
    
    
  clone-and-install:
    
    needs: configure
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user ${{ needs.configure.outputs.containerUser }}
    steps:
      - uses: actions/checkout@v2

But it is ridiculous.

@felipecrs

Thank you so much @xanantis! The need for this is indeed ridiculous, but it solves my problem.

felipecrs added a commit to felipecrs/dotfiles that referenced this issue Aug 25, 2020
@xanantis

@felipecrs you're welcome 😄
If you are using only GitHub runners, you may consider using hardcoded value. Because UID and GID seem to be stable. 116 is a GID of a docker group.

@felipecrs

@xanantis since I didn't find it documented anywhere, I suppose it can change anytime without any warnings, so I prefer to keep my builds safe.

@gengjiawen

Any plan to fix this? This is quite annoying, since many services limit the user to not be root.

@felipecrs

felipecrs commented Sep 2, 2020

I believe the maintainers should close this issue since it's not caused by this Action. And of course, point to the relevant repository.

Reading actions/runner#434 description, I don't think it's so related.

@SkypLabs

Hi,

I'm just sharing a variant of @EKami's solution but with the clean-up task executed as a single step instead of a job to save a runner execution:

  generate-openapi-code:
    name: Generate Go code from OpenAPI definitions
    runs-on: [self-hosted, nodejs]
    needs: [lint-openapi]
    steps:
      - name: Check out code
        uses: actions/checkout@v3

      # 🐳 Step spawning a Docker container 🐳
      - name: Generate web API client packages
        working-directory: ./history
        run: |
          npm install
          # This task spawns a Docker container per the OpenAPI Generator CLI configuration file
          # present in the current working directory 👇
          npx @openapitools/openapi-generator-cli generate

      - name: Archive Paylead API client package
        uses: actions/upload-artifact@v3
        with:
          name: openapi-paylead-api-package
          path: |
            history/pkg/paylead_api
          if-no-files-found: error

      # Temporary solution.
      # See https://github.com/actions/checkout/issues/211 for more details.
      - name: Clean up GitHub workspace
        uses: docker://ubuntu:latest # 👈 Clean-up done in a Docker container 🐳
        with:
          args: find /github/workspace/. -name . -o -prune -exec rm -rf -- {} +

@sumanth-sure

> I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:
>
> sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}

Hi, I was trying this out, but while running this command it's asking for a password. How do I pass the password without doing an echo and sending it through a pipe (|)?

@EktaPuri12

Adding a workspace-cleaning step in the workflow:

- name: Cleaning Operation
  run: sudo find /opt/actions-runner/_work/${{ github.event.repository.name }}/${{ github.event.repository.name }}/. -name . -o -prune -exec rm -rf -- {} + || true

Before cloning the repo, first clean the workspace and it will work.
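
A guarded version of the `find ... -prune -exec rm -rf` clean-up used in the workarounds above, as an added example that is not from any commenter or from the actions/checkout project. The function names `foreign_owned` and `clean_workspace` and the "work root" argument are hypothetical; the guard refuses to delete anything unless the target is a real directory strictly inside the runner's work root.

```shell
#!/bin/sh
# Added example (not from the thread's authors). Function names and the
# "work root" argument are assumptions made for illustration.

# List entries under $1 that are NOT owned by the current user. On a runner
# hit by this issue, these are the files a container wrote as another UID.
foreign_owned() {
    find "$1" ! -user "$(id -u)" -print 2>/dev/null
}

# Empty workspace $1, but only if it is a real directory strictly inside
# work root $2. Returns 2 without deleting anything otherwise.
clean_workspace() {
    ws=$1
    root=$2
    # An empty variable must never turn the command into "rm -rf /."
    [ -n "$ws" ] && [ -n "$root" ] || { echo "refusing: empty path" >&2; return 2; }
    # A symlinked workspace could redirect the delete somewhere else.
    [ -d "$ws" ] && [ ! -L "$ws" ] || { echo "refusing: not a real directory: $ws" >&2; return 2; }
    # Resolve symlinks and ".." so the containment check uses physical paths.
    ws_real=$(cd "$ws" && pwd -P) || return 2
    root_real=$(cd "$root" && pwd -P) || return 2
    case "$ws_real" in
        "$root_real"/?*) ;;   # strictly below the work root: allowed
        *) echo "refusing: $ws_real is outside $root_real" >&2; return 2 ;;
    esac
    # Same pattern as in the thread: remove every entry (dotfiles included)
    # while keeping the workspace directory itself.
    find "$ws_real/." -name . -o -prune -exec rm -rf -- {} +
}
```

The function deletes with the privileges of whoever calls it, so on a runner where the leftover files belong to another UID it has to be invoked through the same mechanism the thread relies on (a container step or sudo).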

@Yalchin403

> I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:
>
> sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}

It was working perfectly till today, I haven't changed a line, but I got this for today's build:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

@robertpiosik

@Yalchin403 AutoModality/action-clean@v1 action fixed this for me

@softlberton

I was able to resolve this by adding this step:

- name: Chown user
  run: |
    sudo chown -R $USER:$USER $GITHUB_WORKSPACE

@aLeX1443

If you run inside a docker container, no files are stored so the next time you run you shouldn't get the error:

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    # NOTE: we want to run inside a container, that way no files are saved locally after
    # the run completes. This way, we can use the on-prem runner without encountering
    # permission errors.
    container:
      image: ubuntu:22.10

@temurih

temurih commented Dec 31, 2022

> I was able to resolve this by adding this step:
>
> - name: Chown user
>   run: |
>     sudo chown -R $USER:$USER $GITHUB_WORKSPACE

Only solution that worked for me after 12 hours of debugging.

@ejortegau

I found a solution for this - check out the code of each job in a different directory so that different jobs don't interfere with each other. Here is my setup:

name: ci-pipeline
#run-name: CI run for branch ${{ github.ref_name }}
on: [push]
jobs:
  test:
    runs-on: ts-hosted
    steps:
      - uses: actions/checkout@v3
        with:
          path: test
      - run: bash ./scripts/ci.sh test
  lint:
    runs-on: ts-hosted
    steps:
      - uses: actions/checkout@v3
        with:
          path: lint
      - run: bash ./scripts/ci.sh lint

No monkey business changing permissions or dealing with sudo.

@g3kk0

g3kk0 commented Mar 10, 2023

If you're being prompted for a password when calling sudo it's probably because you need to configure NOPASSWD for the user that runs sudo in /etc/sudoers.

Appending something like this to the bottom of /etc/sudoers (preferably using visudo) should prevent the prompt for password.

myuser ALL=(ALL) NOPASSWD:ALL

whikloj added a commit to whikloj/stomp-php that referenced this issue Jun 16, 2023
HuangFuSL added a commit to HuangFuSL/HuangFuSL.github.io that referenced this issue Aug 17, 2023
* Fix: override `WORKDIR` command

* Patch: disabled if condition for testing

* Patch: disable preceding workflow

* Patch: add verbose option to check path

* Patch: use `root` user according to actions/checkout#1014

* Patch: add a `chown` step to take ownership

According to actions/checkout#211

* Patch: removed `sudo` as it's not found

* Patch: add a `path` parameter?

* Patch: try changing pwd

* Patch: add `ls` to check what's happening

* Patch: replace `--local` using `--global`

* Patch: fix dubious ownership

* Patch: trying to fix detached HEAD

* Revert "Patch: disable preceding workflow"

This reverts commit 2d1c778.

* Revert "Patch: add verbose option to check path"

This reverts commit 86d5211.

* Revert "Patch: disabled if condition for testing"

This reverts commit 83d4c4a.

* Patch: remove `--dry-run` in deploy step

* Patch: trying to remove `chown` step
vincentbernat added a commit to akvorado/akvorado that referenced this issue Mar 30, 2024
Because we are now mounting volumes, the current user may not have the
rights to delete the repository. Clone it elsewhere to workaround that
for the Linux job.

See actions/checkout#211
maxgallup added a commit to VU-ASE/actions that referenced this issue Jul 25, 2024