bundle install with cached Ruby version fails

[rafalhejna]

Description

Running bundle install is fine when we're using the non-cached version of Ruby on the previous Ubuntu runner image version

2024-07-10T14:37:33.9769136Z Current runner version: '2.317.0'
2024-07-10T14:37:33.9790402Z ##[group]Operating System
2024-07-10T14:37:33.9790998Z Ubuntu
2024-07-10T14:37:33.9791488Z 22.04.4
2024-07-10T14:37:33.9791825Z LTS
2024-07-10T14:37:33.9792186Z ##[endgroup]
2024-07-10T14:37:33.9792700Z ##[group]Runner Image
2024-07-10T14:37:33.9793146Z Image: ubuntu-22.04
2024-07-10T14:37:33.9793536Z Version: 20240630.1.0
2024-07-10T14:37:33.9794589Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240630.1/images/ubuntu/Ubuntu2204-Readme.md
2024-07-10T14:37:33.9796238Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240630.1
(...)
2024-07-10T14:37:38.9526000Z ##[group]Run ruby/setup-ruby@v1
2024-07-10T14:37:38.9526424Z with:
2024-07-10T14:37:38.9526819Z ruby-version: 3.2
2024-07-10T14:37:38.9527225Z working-directory: mfe-deployer-cli
2024-07-10T14:37:38.9527681Z bundler-cache: false
2024-07-10T14:37:38.9528118Z env:
2024-07-10T14:37:38.9528509Z ARTIFACTORY_USER: ***
2024-07-10T14:37:38.9529075Z ARTIFACTORY_SECRET: ***
2024-07-10T14:37:38.9529488Z BUNDLE_GEMFILE: Gemfile
2024-07-10T14:37:38.9529893Z ##[endgroup]
2024-07-10T14:37:39.0813459Z ##[group]Modifying PATH
2024-07-10T14:37:39.0816638Z Entries added to PATH to use selected Ruby:
2024-07-10T14:37:39.0824323Z /opt/hostedtoolcache/Ruby/3.2.4/x64/bin
2024-07-10T14:37:39.0825311Z ##[endgroup]
2024-07-10T14:37:39.0853873Z ##[group]Downloading Ruby
2024-07-10T14:37:39.0856708Z https://github.com/ruby/ruby-builder/releases/download/toolcache/ruby-3.2.4-ubuntu-22.04.tar.gz
2024-07-10T14:37:40.0313603Z Took 0.95 seconds
2024-07-10T14:37:40.0315668Z ##[endgroup]
2024-07-10T14:37:40.0316771Z ##[group]Extracting Ruby
2024-07-10T14:37:40.0351346Z [command]/usr/bin/tar -xz -C /opt/hostedtoolcache/Ruby/3.2.4 -f /home/runner/work/_temp/b8ede50a-14c4-44f2-9367-4e8b6d82f189
2024-07-10T14:37:40.4519673Z Took 0.42 seconds
2024-07-10T14:37:40.4524272Z ##[endgroup]
2024-07-10T14:37:40.4525198Z ##[group]Print Ruby version
2024-07-10T14:37:40.4540984Z [command]/opt/hostedtoolcache/Ruby/3.2.4/x64/bin/ruby --version
2024-07-10T14:37:40.4752622Z ruby 3.2.4 (2024-04-23 revision af471c0e01) [x86_64-linux]
2024-07-10T14:37:40.4776078Z Took 0.03 seconds
2024-07-10T14:37:40.4777092Z ##[endgroup]
(...)
2024-07-10T14:37:56.5613666Z Resolving dependencies...
2024-07-10T14:37:56.6730433Z Installing rake 13.2.1
2024-07-10T14:37:56.6900067Z Installing public_suffix 6.0.0
2024-07-10T14:37:56.6986005Z Installing addressable 2.8.7
2024-07-10T14:37:56.7098775Z Installing ast 2.4.2
2024-07-10T14:37:56.7154023Z Installing aws-eventstream 1.3.0
2024-07-10T14:37:56.7199656Z Installing aws-partitions 1.949.0
(...)
2024-07-10T14:38:12.3313472Z Updating files in vendor/cache
2024-07-10T14:38:12.6282042Z Bundle complete! 12 Gemfile dependencies, 87 gems now installed.

But, when using the same Ruby version on the latest ubuntu-22.04 image (which is cached now), the same process fails:

2024-07-11T08:17:45.8734859Z Current runner version: '2.317.0'
2024-07-11T08:17:45.8759431Z ##[group]Operating System
2024-07-11T08:17:45.8760172Z Ubuntu
2024-07-11T08:17:45.8760546Z 22.04.4
2024-07-11T08:17:45.8760878Z LTS
2024-07-11T08:17:45.8761308Z ##[endgroup]
2024-07-11T08:17:45.8761694Z ##[group]Runner Image
2024-07-11T08:17:45.8762218Z Image: ubuntu-22.04
2024-07-11T08:17:45.8762639Z Version: 20240708.1.0
2024-07-11T08:17:45.8763594Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240708.1/images/ubuntu/Ubuntu2204-Readme.md
2024-07-11T08:17:45.8765108Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240708.1
(...)
2024-07-11T08:17:49.2356296Z ##[group]Run ruby/setup-ruby@v1
2024-07-11T08:17:49.2356834Z with:
2024-07-11T08:17:49.2357162Z ruby-version: 3.2
2024-07-11T08:17:49.2357748Z working-directory: mfe-deployer-cli
2024-07-11T08:17:49.2358224Z bundler-cache: false
2024-07-11T08:17:49.2358605Z env:
2024-07-11T08:17:49.2359196Z ARTIFACTORY_USER: ***
2024-07-11T08:17:49.2359775Z ARTIFACTORY_SECRET: ***
2024-07-11T08:17:49.2360286Z BUNDLE_GEMFILE: Gemfile
2024-07-11T08:17:49.2360664Z ##[endgroup]
2024-07-11T08:17:49.3649305Z ##[group]Modifying PATH
2024-07-11T08:17:49.3656182Z Entries added to PATH to use selected Ruby:
2024-07-11T08:17:49.3661447Z /opt/hostedtoolcache/Ruby/3.2.4/x64/bin
2024-07-11T08:17:49.3663008Z ##[endgroup]
2024-07-11T08:17:49.3672701Z ##[group]Print Ruby version
2024-07-11T08:17:49.3752651Z [command]/opt/hostedtoolcache/Ruby/3.2.4/x64/bin/ruby --version
2024-07-11T08:17:49.6350374Z ruby 3.2.4 (2024-04-23 revision af471c0e01) [x86_64-linux]
2024-07-11T08:17:49.6384838Z Took 0.27 seconds
2024-07-11T08:17:49.6386482Z ##[endgroup]
(...)
2024-07-11T08:18:06.7804824Z Resolving dependencies...
2024-07-11T08:18:06.8980268Z Installing rake 13.2.1
2024-07-11T08:18:06.9163191Z Installing public_suffix 6.0.0
2024-07-11T08:18:06.9254810Z Installing addressable 2.8.7
2024-07-11T08:18:06.9376314Z Installing ast 2.4.2
2024-07-11T08:18:06.9440183Z Installing aws-eventstream 1.3.0
2024-07-11T08:18:06.9521833Z Installing aws-partitions 1.949.0
2024-07-11T08:18:06.9611562Z Installing aws-sigv4 1.8.0
2024-07-11T08:18:06.9662496Z Installing jmespath 1.6.2
2024-07-11T08:18:06.9769621Z Installing aws-sdk-core 3.200.0
2024-07-11T08:18:07.0387049Z Installing aws-sdk-cloudfront 1.95.0
2024-07-11T08:18:07.0584938Z Installing aws-sdk-dynamodb 1.115.0
2024-07-11T08:18:07.0774526Z Installing aws-sdk-kms 1.87.0
2024-07-11T08:18:07.0947666Z Installing aws-sdk-s3 1.155.0
2024-07-11T08:18:07.1433257Z Installing aws-sdk-sts 1.11.0
2024-07-11T08:18:07.1479781Z Installing thread_safe 0.3.6
2024-07-11T08:18:07.1645890Z Installing descendants_tracker 0.0.4
2024-07-11T08:18:07.1735172Z Installing ice_nine 0.11.2
2024-07-11T08:18:07.1908758Z Installing axiom-types 0.1.1
2024-07-11T08:18:07.2097510Z Installing base64 0.2.0
2024-07-11T08:18:07.2135264Z Installing bigdecimal 3.1.8 with native extensions
(...)
2024-07-11T08:18:16.4172445Z The installation path is insecure. Bundler cannot continue.
2024-07-11T08:18:16.4174345Z /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems is world-writable
2024-07-11T08:18:16.4175595Z (without sticky bit).
2024-07-11T08:18:16.4176918Z Bundler cannot safely replace gems in world-writeable directories due to
2024-07-11T08:18:16.4222809Z potential vulnerabilities.
2024-07-11T08:18:16.4223945Z Please change the permissions of this directory or choose a different install
2024-07-11T08:18:16.4224961Z path.

Platforms affected

• Azure DevOps
• GitHub Actions - Standard Runners
• GitHub Actions - Larger Runners

Runner images affected

• Ubuntu 20.04
• Ubuntu 22.04
• Ubuntu 24.04
• macOS 12
• macOS 13
• macOS 13 Arm64
• macOS 14
• macOS 14 Arm64
• Windows Server 2019
• Windows Server 2022

Image version and build link

20240708.1.0

Is it regression?

Yes, it worked on 20240630.1.0

Expected behavior

bundle install is successful

Actual behavior

bundle install fails

Repro steps

1. Create a workflow with ubuntu-latest as a runner image
2. Prepare a sample Gemfile with couple of gems
3. Add setup-ruby@v1 step with version 3.2 of Ruby
4. Add bundle install step
5. Run the workflow

[vidyasagarnimmagaddi]

Hi @rafalhejna , We will analyse the issue and provide the solution, thanks

[vidyasagarnimmagaddi]

Hi @rafalhejna , Could you please retry the same and share the snippet/workflow file is any errors. thanks

[rafalhejna]

@vidyasagarnimmagaddi The issue is still present. I haven't done enough research into it, so my recreation steps are not quite correct. Below please find sample workflow and Gemfile files, that will cause the same issue.

workflow.yml

name: 'Ruby test'

on:
  workflow_dispatch:

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2
          bundler: 2.5.13
        env:
          BUNDLE_GEMFILE: Gemfile

      - name: bundle install
        run: bundle install

Gemfile

source 'https://rubygems.org'

gem 'faraday'

[vidyasagarnimmagaddi]

Hi @rafalhejna , the above provided workflow , successful at our end,.
Follow below steps

1. Make sure your installing the bundler where Gemfile is located.
2. If not move to the Gemfile location and try to run .

     run: |
       cd ${{ github.workspace }}
       bundle install
      shell: bash

[rafalhejna]

@vidyasagarnimmagaddi Still the same error. Here's my workflow file

name: 'Ruby test'

on:
  workflow_dispatch:

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2
          working-directory: ./ruby-test
        env:
          BUNDLE_GEMFILE: Gemfile

      - name: bundle install
        run: |
          cd ruby-test
          gem install bundler -v 2.5.13
          bundle install
        shell: bash

And here is the output log

2024-07-15T15:31:34.0859573Z Current runner version: '2.317.0'
2024-07-15T15:31:34.0885887Z ##[group]Operating System
2024-07-15T15:31:34.0886507Z Ubuntu
2024-07-15T15:31:34.0886969Z 22.04.4
2024-07-15T15:31:34.0887288Z LTS
2024-07-15T15:31:34.0887611Z ##[endgroup]
2024-07-15T15:31:34.0887946Z ##[group]Runner Image
2024-07-15T15:31:34.0888478Z Image: ubuntu-22.04
2024-07-15T15:31:34.0888872Z Version: 20240708.1.0
2024-07-15T15:31:34.0889929Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240708.1/images/ubuntu/Ubuntu2204-Readme.md
2024-07-15T15:31:34.0891336Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240708.1
2024-07-15T15:31:34.0892181Z ##[endgroup]
(...)
2024-07-15T15:31:36.2826476Z ##[group]Run ruby/setup-ruby@v1
2024-07-15T15:31:36.2826925Z with:
2024-07-15T15:31:36.2827335Z ruby-version: 3.2
2024-07-15T15:31:36.2827665Z working-directory: ./ruby-test
2024-07-15T15:31:36.2828073Z bundler-cache: false
2024-07-15T15:31:36.2828485Z env:
2024-07-15T15:31:36.2828780Z BUNDLE_GEMFILE: Gemfile
2024-07-15T15:31:36.2829146Z ##[endgroup]
2024-07-15T15:31:36.5000307Z ##[group]Modifying PATH
2024-07-15T15:31:36.5051966Z Entries added to PATH to use selected Ruby:
2024-07-15T15:31:36.5052956Z /opt/hostedtoolcache/Ruby/3.2.4/x64/bin
2024-07-15T15:31:36.5054079Z ##[endgroup]
2024-07-15T15:31:36.5055101Z ##[group]Print Ruby version
2024-07-15T15:31:36.5056095Z [command]/opt/hostedtoolcache/Ruby/3.2.4/x64/bin/ruby --version
2024-07-15T15:31:36.7928677Z ruby 3.2.4 (2024-04-23 revision af471c0e01) [x86_64-linux]
2024-07-15T15:31:36.7967094Z Took 0.38 seconds
2024-07-15T15:31:36.7973298Z ##[endgroup]
2024-07-15T15:31:36.7974295Z ##[group]Installing Bundler
2024-07-15T15:31:36.7975405Z Using Bundler 2 shipped with ruby-3.2.4
2024-07-15T15:31:36.7976128Z Took 0.00 seconds
2024-07-15T15:31:36.7977470Z ##[endgroup]
2024-07-15T15:31:36.8088188Z ##[group]Run cd ruby-test
2024-07-15T15:31:36.8088640Z �[36;1mcd ruby-test�[0m
2024-07-15T15:31:36.8089067Z �[36;1mgem install bundler -v 2.5.13�[0m
2024-07-15T15:31:36.8089625Z �[36;1mbundle install�[0m
2024-07-15T15:31:36.8135404Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-07-15T15:31:36.8136066Z ##[endgroup]
2024-07-15T15:31:38.2230565Z Successfully installed bundler-2.5.13
2024-07-15T15:31:38.2231843Z 1 gem installed
2024-07-15T15:31:39.2517623Z Fetching gem metadata from https://rubygems.org/........
2024-07-15T15:31:39.6319014Z Resolving dependencies...
2024-07-15T15:31:39.6616629Z Installing logger 1.6.0
2024-07-15T15:31:39.6620372Z Installing uri 0.13.0
2024-07-15T15:31:39.6766090Z Installing net-http 0.4.1
2024-07-15T15:31:39.6863774Z The installation path is insecure. Bundler cannot continue.
2024-07-15T15:31:39.6864804Z /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems is world-writable
2024-07-15T15:31:39.6870220Z (without sticky bit).
2024-07-15T15:31:39.6872331Z Bundler cannot safely replace gems in world-writeable directories due to
2024-07-15T15:31:39.6873502Z potential vulnerabilities.
2024-07-15T15:31:39.6874454Z Please change the permissions of this directory or choose a different install
2024-07-15T15:31:39.6875610Z path.
2024-07-15T15:31:39.7095068Z ##[error]Process completed with exit code 38.

[vidyasagarnimmagaddi]

Hi @rafalhejna , the issue is due to the permissions.Kindly try this.

name: 'Ruby test'

on:
  push

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2
          working-directory: ./ruby-test
        env:
          BUNDLE_GEMFILE: Gemfile

      - name: Change permissions
        run: chmod -R o-w /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems

      - name: bundle install
        run: |
          cd ruby-test
          gem install bundler -v 2.5.13
          bundle install
        shell: bash

[rafalhejna]

@vidyasagarnimmagaddi So your suggestion worked, but this solution looks rather "hacky". Is it really the only way to make this work? Can this setting be applied more "globally" to all runners?

[jcoyne]

This is a real challenge to do if you happen to be using a matrix build with many different versions of ruby.

[jamis]

This is a real challenge to do if you happen to be using a matrix build with many different versions of ruby.

This is exactly what we are encountering. We were able to just be quite a bit more liberal in our chmod usage, though:

chmod -R o-w /opt/hostedtoolcache/Ruby

That seemed to do the trick for us.

[eregon]

This seems a bug of the prebuilt Ruby 3.2.4 in the toolcache, where it got wrong permissions.

Since ruby/setup-ruby#98 the expectation is the binaries from https://github.com/ruby/ruby-builder are used.

[Asjnhbv]

Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240708.1/images/ubuntu/Ubuntu2204-Readme.md

[eregon]

https://github.com/eregon/actions-shell/actions/runs/10199673790/job/28217339098 shows that indeed the permissions are wrong:

$ ls -la /opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems
total 352
drwxrwxrwx+ 88 runner docker 4096 Apr 23 13:04 .
drwxrwxrwx+  9 runner docker 4096 Apr 23 13:04 ..
drwxrwxrwx+  2 runner docker 4096 Apr 23 13:04 abbrev-0.1.1
drwxrwxrwx+  2 runner docker 4096 Apr 23 13:04 base64-0.1.1
...

That should be fixed in the scripts creating the runner images (i.e., this repo).

https://github.com/ruby/ruby-builder/releases/download/toolcache/ruby-3.2.4-ubuntu-22.04.tar.gz has the correct permissions, see ruby/setup-ruby#624 (comment)

[eregon]

OTOH it seems the permissions are wrong for everything under /opt/hostedtoolcache on all 3 ubuntu versions:
https://github.com/eregon/actions-shell/actions/runs/10199733618/job/28217556337

Run ls -la /opt/hostedtoolcache
total 36
drwxrwxrwx+  9 runner root        4096 Jul 21 22:30 .
drwxrwxrwx+ 17 root   root        4096 Aug  1 13:49 ..
drwxrwxrwx+  3 runner root        4096 Jul 21 21:20 CodeQL
drwxrwxrwx+  6 runner root        4096 Jul 21 21:40 Java_Temurin-Hotspot_jdk
drwxrwxrwx+  8 runner runneradmin 4096 Jul 21 22:23 PyPy
drwxrwxrwx+  8 runner runneradmin 4096 Jul 21 22:29 Python
drwxrwxrwx+  5 runner root        4096 Jul 21 22:00 Ruby
drwxrwxrwx+  5 runner runneradmin 4096 Jul 21 22:30 go
drwxrwxrwx+  5 runner runneradmin 4096 Jul 21 22:29 node

I don't know if that is new or it was always like that.