Permission denied when "Deleting the contents of"

[soasada]

Hi checkout team,

I'm having an issue when actions/checkout@v2 is trying to delete the repository:

I tried to change the permissions of the file but still happening, this has been happening since yesterday. I think that could be a bug but correct me if I'm wrong.

My .github/workflow/docker.yml is like this:

name: MorciTravel CI

on: [push]

jobs:

  morcitravel_job:
    name: Morcitravel job
    runs-on: ubuntu-latest
    env:
      KILL_JAVA_SH: ${{ github.workspace }}/ci/kill_java_process.sh
      SERVER_PUB_KEY: ${{ github.workspace }}/data/server/server_pub_key.txt
      JAVA_CMD_PATH: /opt/prod_jdk/bin/java
      JAR_NAME: morci-travel-api-
    services:
      mongodb:
        image: mongo:4-bionic
        ports:
          - 27017:27017
        volumes:
          - ${{ github.workspace }}/data/mongo/001_users.js:/docker-entrypoint-initdb.d/001_users.js
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      - name: Set up JDK 13
        uses: actions/setup-java@v1
        with:
          java-version: 13
      - name: Test & Package frontend
        run: mvn -B clean install -pl :morci-travel-frontend
      - name: Create version
        run: |
          APP_RELEASE_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          APP_RELEASE_VERSION_ARRAY=(${APP_RELEASE_VERSION//./ })
          ((APP_RELEASE_VERSION_ARRAY[2]++))
          APP_RELEASE_VERSION="${APP_RELEASE_VERSION_ARRAY[0]}.${APP_RELEASE_VERSION_ARRAY[1]}.${APP_RELEASE_VERSION_ARRAY[2]}"
          echo "::set-env name=JAR_NAME::$JAR_NAME$APP_RELEASE_VERSION-SNAPSHOT.jar"
          mvn -B --batch-mode release:update-versions -DdevelopmentVersion=$APP_RELEASE_VERSION-SNAPSHOT
      - name: Test & Package backend
        run: mvn -B clean test package -pl :morci-travel-api
      - name: Prepare SSH Keys
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          cat "$SERVER_PUB_KEY" > ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
      - name: Kill java process
        run: |
          ssh -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} 'bash -s' < $KILL_JAVA_SH
      - name: Remove old artifacts
        run: |
          ssh -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "rm -rf morci-travel-api-*.jar"
      - name: Copy jar to server
        run: |
          scp -P ${{ secrets.PORT }} ${{ github.workspace }}/morci-travel-api/target/$JAR_NAME ${{ secrets.USERNAME }}@${{ secrets.HOST }}:~
      - name: Launch app
        run: |
          ssh -f -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "$JAVA_CMD_PATH -Xms64M -Xmx256M -jar $JAR_NAME &"
      - name: Commit version
        run: |
          git config --global user.name 'Nicolas Vargas Ortega'
          git config --global user.email 'soasada@users.noreply.github.com'
          git commit -am "AUTOMATIC: Updated version"
          git push

[ericsciple]

You may need to specify the checkout path input to avoid the volume mount being under the repository.

The containers are setup at the beginning of the job. And git clone will fail if the directory isnt empty.

You could always symlink the dir back in place (or copy the files), if you need the data underneath the repository. Or if it's your test data, consider updating your scripts to allow the location to be overridden using an env var.

[soasada]

You may need to specify the checkout path input to avoid the volume mount being under the repository.

The containers are setup at the beginning of the job. And git clone will fail if the directory isnt empty.

You could always symlink the dir back in place (or copy the files), if you need the data underneath the repository. Or if it's your test data, consider updating your scripts to allow the location to be overridden using an env var.

I just removed the service and is working again. The thing is that I was able to use the script without problems (with the service) in the past.

So AFAIK, the problem is that the service mount the volume before the github checkout and this create a existing file with the same name (I guess) and github/checkoutv2 cannot remove it, right?

[jeremylynch]

I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:

sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}

[ericsciple]

I'm going to add a troubleshooting doc. I'll add a section for this.

[karancode]

Thank you for reporting this,. I am also facing the same issue.. But I still couldn't figure out a way to resolve this. Please help.

[soasada]

Thank you for reporting this,. I am also facing the same issue.. But I still couldn't figure out a way to resolve this. Please help.

Could you take a look at @jeremylynch response?

[zpsjs]

I had to add "echo password" before, otherwise sudo is asking for password.

echo ${{secrets.DEPLOY_PASSWORD}} | sudo -S chown -R $USER:$USER /home/github/deployment/{REPOSITORY_NAME_HERE}

Is there a better solution?

[guykeller]

@ericsciple I have encountered a similar issue, but have not been able to sort it using the suggested solution by @jeremylynch.

We're getting this error when using this action:

And secrets.Nothing contains our PAT, which should be valid (defined for a user that has access to the repo, saved as a secret in the repo).
Moreover, I've tried adding the permissions as suggested above, removing the token field, and using several different endpoints.

Important note - the same flow works without using the container, and the checkout is successful.

Any idea as to what the problem might be? I'll appreciate any advice

[JungHanter]

@guykeller Is it solved? I have same problem when initialzing the repository

[ekahannes]

Also having the same issue if I use a container.

[guykeller]

I was not able to solve this, and instead had to stop using a container altogether.
Would love a solution if anyone has one.
FYI @JungHanter @ekahannes

[jef]

Potentially related to actions/runner#434

[xanantis]

@guykeller You may find something helpful here.

[felipecrs]

Is there any way to simply make the checkout work with containers running as non-root?

I'm trying something like:

clone-and-install:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user 1000
  steps:
      - uses: actions/checkout@v2

and it does not work.

If I run the container as root it works by the way.

[xanantis]

@felipecrs Well, how it looks, GitHub runner, is running under user, with UID: 1001 and GID: 116
So, change it to:

clone-and-install:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user 1001
  steps:
      - uses: actions/checkout@v2

[felipecrs]

@felipecrs Well, how it looks, GitHub runner, is running under user, with UID: 1001 and GID: 116

It makes sense. Do you know if is there any way to discover the UID dynamically?

The options: --user "$(id -u)" does not work by the way.

[xanantis]

@felipecrs No idea. Currently, I can see only two options. Hardcoded value or "Configure" Job where you can fetch UID and use it later. But it does not make sense.

[xanantis]

@felipecrs Something like this (runs-on must be equal):

  configure:
    runs-on: ubuntu-latest
    outputs:
      containerUser: ${{ steps.get-user.outputs.containerUser }}
    
    steps:
      - id: get-user
        run: echo "::set-output name=containerUser::`id -u`:`id -g`"
    
    
  clone-and-install:
    
    needs: configure
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      options: --user ${{ needs.configure.outputs.containerUser }}
    steps:
      - uses: actions/checkout@v2

But it is ridiculous.

[felipecrs]

Thank you so much @xanantis! The need for this is indeed ridiculous, but it solves my problem.

[xanantis]

@felipecrs you're welcome 😄
If you are using only GitHub runners, you may consider using hardcoded value. Because UID and GID seem to be stable. 116 is a GID of a docker group.

[felipecrs]

@xanantis since I didn't find it documented anywhere, I suppose it can change anytime without any warnings, so I prefer to keep my builds safe.

[gengjiawen]

Any plan on fix this, this is quite annoying since many services limit user not to be root.

[felipecrs]

I believe the maintainers should close this issue since it's not caused by this Action. And of course, point to the relevant repository.

Reading actions/runner#434 description, I don't think it's so related.

[SkypLabs]

Hi,

I'm just sharing a variant of @EKami's solution but with the clean-up task executed as a single step instead of a job to save a runner execution:

  generate-openapi-code:
    name: Generate Go code from OpenAPI definitions
    runs-on: [self-hosted, nodejs]
    needs: [lint-openapi]
    steps:
      - name: Check out code
        uses: actions/checkout@v3

      # 🐳 Step spawning a Docker container 🐳
      - name: Generate web API client packages
        working-directory: ./history
        run: |
          npm install
          # This task spawns a Docker container per the OpenAPI Generator CLI configuration file
          # present in the current working directory 👇
          npx @openapitools/openapi-generator-cli generate

      - name: Archive Paylead API client package
        uses: actions/upload-artifact@v3
        with:
          name: openapi-paylead-api-package
          path: |                                                                                       
            history/pkg/paylead_api
          if-no-files-found: error

      # Temporary solution.
      # See https://github.com/actions/checkout/issues/211 for more details.
      - name: Clean up GitHub workspace
        uses: docker://ubuntu:latest # 👈 Clean-up done in a Docker container 🐳
        with:
          args: find /github/workspace/. -name . -o -prune -exec rm -rf -- {} +

[sumanth-sure]

I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:

sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}

Hi was trying this out, but while running this command its asking for password how to pass the password without doing an echo and sending through pipe |

[EktaPuri12]

Adding cleaning workspace step in workflow

• name: Cleaning Operation
  run : sudo find /opt/actions-runner/_work/${{ github.event.repository.name }}/${{ github.event.repository.name }}/. -name . -o -prune -exec rm -rf -- {} + || true

Before Cloning the Repo First clean the workspace it will work.

[Yalchin403]

I experienced the same issue. To get around this I ran a command to change file permissions right before executing actions/checkout:

sudo chown -R $USER:$USER /home/github/actions-runner/_work/{REPOSITORY_NAME_HERE}

It was woring perfectly till today, I haven't changed a line, but I got this for today's build:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

[robertpiosik]

@Yalchin403 AutoModality/action-clean@v1 action fixed this for me

[softlberton]

I was able to resolve this by adding this step:

- name: Chown user
  run: |
    sudo chown -R $USER:$USER $GITHUB_WORKSPACE

[aLeX1443]

If you run inside a docker container, no files are stored so the next time you run you shouldn't get the error:

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    # NOTE: we want to run inside a container, that way no files are saved locally after
    # the run completes. This way, we can use the on-prem runner without encountering
    # permission errors.
    container:
      image: ubuntu:22.10

[temurih]

I was able to resolve this by adding this step:

- name: Chown user
  run: |
    sudo chown -R $USER:$USER $GITHUB_WORKSPACE

Only solution that worked for me after 12 hours of debugging.

[ejortegau]

I found a solution for this - check out the code of each job in a different directory so that different jobs don't interfere with each other. Here is my setup:

name: ci-pipeline
#run-name: CI run for branch ${{ github.ref_name }}
on: [push]
jobs:
  test:
    runs-on: ts-hosted
    steps:
      - uses: actions/checkout@v3
        with:
          path: test
      - run: bash ./scripts/ci.sh test
  lint:
    runs-on: ts-hosted
    steps:
      - uses: actions/checkout@v3
        with:
          path: lint
      - run: bash ./scripts/ci.sh lint

No monkey business changing permissions or dealing with sudo.

[g3kk0]

If you're being prompted for a password when calling sudo it's probably because you need to configure NOPASSWD for the user that runs sudo in /etc/sudoers.

Appending something like this to the bottom /etc/sudoers (preferably using visudo) should prevent the prompt for password.

myuser ALL=(ALL) NOPASSWD:ALL