Deployment fails if files are not writable or owned by root

[opeik]

Hi there,

I tried to deploy my site which is built with NIx and actions/deploy-pages would fail with a cryptic error message.

name: Continuous deployment

on:
  push:
    branches: [main]
  
permissions:
  contents: read
  pages: write
  id-token: write

concurrency:
  group: cd
  cancel-in-progress: true

jobs:
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}

    runs-on: ubuntu-latest

    steps:
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Install Nix
        uses: cachix/install-nix-action@v15
        with:
          extra_nix_config: access-tokens = github.com=${{ github.token }}

      - name: Build website
        run: nix build --print-build-logs

      - name: Setup GitHub Pages
        uses: actions/configure-pages@v1

      - name: Upload website
        uses: actions/upload-pages-artifact@v1
        with:
          path: public

      - name: Deploy website
        id: deployment
        uses: actions/deploy-pages@v1

Which outputs this:

Actor: danth
Action ID: 2761250916
Artifact URL: https://pipelines.actions.githubusercontent.com/TbYKgfAZOYa7gipiGxQgSbih1nRuFlBDNpZeQ6z2I00IpqUyZA/_apis/pipelines/workflows/2761250916/artifacts?api-version=6.0-preview
{"count":1,"value":[{"containerId":1480084,"size":61440,"signedContent":null,"fileContainerResourceUrl":"https://pipelines.actions.githubusercontent.com/TbYKgfAZOYa7gipiGxQgSbih1nRuFlBDNpZeQ6z2I00IpqUyZA/_apis/resources/Containers/1480084","type":"actions_storage","name":"github-pages","url":"https://pipelines.actions.githubusercontent.com/TbYKgfAZOYa7gipiGxQgSbih1nRuFlBDNpZeQ6z2I00IpqUyZA/_apis/pipelines/1/runs/14/artifacts?artifactName=github-pages","expiresOn":"2022-07-30T14:44:47.4503161Z","items":null}]}
Creating deployment with payload:
{
	"artifact_url": "https://pipelines.actions.githubusercontent.com/TbYKgfAZOYa7gipiGxQgSbih1nRuFlBDNpZeQ6z2I00IpqUyZA/_apis/pipelines/1/runs/14/artifacts?artifactName=github-pages&%24expand=SignedContent",
	"pages_build_version": "5d3a8f8ecf3635514f0046294ddc600728eb75c4",
	"oidc_token": "***"
}
Created deployment for 5d3a8f8ecf3635514f0046294ddc600728eb75c4
{"page_url":"https://danth.github.io/coricamu/","status_url":"https://api.github.com/repos/danth/coricamu/pages/deployment/status/5d3a8f8ecf3635514f0046294ddc600728eb75c4","preview_url":""}

Error: Deployment failed, try again later.

From my testing actions/deploy-pages fails if the files are either not writable or owned by root. The output of a Nix build is both not writable and owned by root. I worked around this by clearing the permissions after building:

cp --recursive --dereference --no-preserve=mode,ownership result public

I don't think this should fail, since I expect the file permissions be cleared on deployment. Even so, the error message should at least be more clear.

[JamesMGreene]

ℹ️ While it's not a complete fix, as this should indeed be handled on the server-side eventually, we have added a partial fix to the actions/upload-pages-artifact Action that should clear out such permissions: actions/upload-pages-artifact#34

Since you are using that Action with @v1 already, your future workflow runs will hopefully be successful without your cp ... workaround.

Please let us know if you're still running into issues.

[Gerschtli]

The permission problem itself might be resolved but in the example of OP, the directory for deployment is a symlink itself where the contents of ./result is not writeable. Judged by the warnings that should have been printed, your fix does not work for these cases, see https://github.com/Gerschtli/nix-formatter-pack/actions/runs/3499580588/jobs/5861357357.

Probably because chmod is running in . instead of inputs.path. But because chmod is not derefencing symlinks that may exist in inputs.path, you should probably run the cp --recursive --dereference before doing chmod.

[cor]

@sempruijs looks like this is the issue you've been encountering

[yoannchaudet]

We made changes recently around that which should help. Closing.

[gilice]

@yoannchaudet are those changes merged/released yet? I ran into the same issue, with nix, too.

[yoannchaudet]

The permissions fix is included in https://github.com/actions/upload-pages-artifact/releases/tag/v1.0.6.

It's best effort and we don't change ownership on the files. If that's your issue, I am afraid you will need to handle that yourself with an extra chown command.

[Gerschtli]

Why is it not possible to take care of necessary ownership requirements with this action? I am glad to help out.

[pinpox]

Running into this aswell. Is the chown still the way to use this?