Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run as non-root/Use the same UID and GID as the GitHub runners? #18

Closed
simonvanderveldt opened this issue Feb 6, 2022 · 4 comments
Closed

Comments

@simonvanderveldt
Copy link

Hi! First of all thanks for this repo/including GitHub Pages in Actions, it's nice to finally be able to see what's happening with a Pages build and deployment plus now we can use the exact same way GitHub Pages does a build or deployment in our own CI :)

One small thing I ran into is that the Docker image runs as root, so the files written by the build are also owned by root.
Since the GitHub runners run as UID 1001 GID 121 they are then unable to make any changes to these files.
I'm not sure if there's a policy within GitHub for these things, but it might make sense to use the same UID/GID as the runners? Also not running as root is a plus of course :)

@yoannchaudet
Copy link
Collaborator

Hello!

It is actually a requirement to have a published action uses the default Docker user (root). See documentation. We cannot pass any docker options in a published action so there are some assumption for the runner's working directory that is mounted as a volume.

I am asking the Actions team to see if there is anything we can do and maybe aligned the UIDs.

What are you trying to do by the way?

@simonvanderveldt
Copy link
Author

simonvanderveldt commented Feb 8, 2022

Thanks for the quick reply!

It is actually a requirement to have a published action uses the default Docker user (root). See documentation. We cannot pass any docker options in a published action so there are some assumption for the runner's working directory that is mounted as a volume.

O, sorry about that, I did search a bit to see if there were any requirements like this but somehow I missed this.
Interesting choice though, pretty much everyone and everything suggests against running as root. The rationale in the docs you linked also don't really seem to make sense given that if you run the container with the same UID/GID as the host it works fine.
I guess they are just suggesting this to keep things simple for users?
It's also not helped by the fact that AFAIK it's not possible to configure container options for actions that use a container. That would've been a relatively simple way to work around it.

I am asking the Actions team to see if there is anything we can do and maybe aligned the UIDs.

👍
FYI it's been a longer standing issue in general, a quick search gave me https://git.luolix.topmunity/t/actions-files-changed-in-container-action-are-now-owned-by-root/16115, actions/runner#691 and actions/checkout#211 from 2019 and 2020.

What are you trying to do by the way?

Was just using this action to do a build for PRs and then push it to a "staging" deployment. Been doing so with the jekyll/jekyll:pages Docker image and whilst that's close it's just not the exact same way GitHub Pages are being built for real. This Action is :) Plus it's less maintenance to just use an existing GitHub managed action vs a slightly more custom workflow with run tasks with a container.

FYI I worked around this by using setgid before running the action, that works fine. I've seen others work around it by running some chown statements (I expect these would need to be run within a container that's running as root or run with sudo) but that seems a bit clunky.

@yoannchaudet
Copy link
Collaborator

Closing because I don't have a good workaround for that. Unfortunately this is in part how Actions and containers behave today.

@simonvanderveldt
Copy link
Author

simonvanderveldt commented Jul 13, 2022

😢

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants