GitLab script fails with Errno::EACCES: Permission denied @ rb_sysopen -

[m-aciek]

On $ bundle install -j $(nproc) --path vendor step.

Logs:

$ bundle install -j $(nproc) --path vendor�
Fetching gem metadata from https://rubygems.org/...........
Using concurrent-ruby 1.1.8
Using public_suffix 4.0.6
Using ast 2.4.2
Using aws-eventstream 1.1.1
Fetching aws-partitions 1.434.0
Using jmespath 1.4.0
Using bundler 1.17.3
Using citrus 3.0.2
Using http-accept 1.7.0
Using unf_ext 0.0.7.7
Using mime-types-data 3.2021.0225
Using netrc 0.11.0
Using excon 0.79.0
Fetching minitest 5.14.4
Fetching zeitwerk 2.4.2
Using multi_xml 0.6.0
Using unicode-display_width 1.7.0
Using mini_portile2 2.5.0
Using racc 1.5.2
Using faraday-net_http 1.0.1
Using multipart-post 2.1.1
Using ruby2_keywords 0.0.4
Using pandoc-ruby 2.1.4
Using parseconfig 1.0.8
Using reline 0.0.7
Using i18n 1.8.9
Fetching tzinfo 2.0.4
Using addressable 2.7.0
Using terminal-table 1.8.0
Using aws-sigv4 1.2.3
Using ruby-enum 0.9.0
Using unf 0.1.4
Using toml-rb 2.0.1
Using irb 1.2.0
Using mime-types 3.3.1
Using domain_name 0.5.20190701
Using httparty 0.18.1
Using parser 3.0.0.0
Using commonmarker 0.21.2
Using faraday 1.3.0
Using sawyer 0.8.2
Using http-cookie 1.0.3
Using gitlab 4.17.0
Using nokogiri 1.11.2 (x86_64-linux)
Using octokit 4.20.0
Using rest-client 2.1.0
Using docker_registry2 1.10.0
Errno::EACCES: Permission denied @ rb_sysopen -
/builds/devops/dependabot/vendor/ruby/2.6.0/cache/minitest-5.14.4.gem
An error occurred while installing minitest (5.14.4), and Bundler cannot
continue.
Make sure that `gem install minitest -v '5.14.4' --source
'https://rubygems.org/'` succeeds before bundling.

In Gemfile:
  dependabot-omnibus was resolved to 0.138.1, which depends on
    dependabot-bundler was resolved to 0.138.1, which depends on
      dependabot-common was resolved to 0.138.1, which depends on
        activesupport was resolved to 6.1.3, which depends on
          minitest


Errno::EACCES: Permission denied @ rb_sysopen -
/builds/devops/dependabot/vendor/ruby/2.6.0/cache/tzinfo-2.0.4.gem
An error occurred while installing tzinfo (2.0.4), and Bundler cannot continue.
Make sure that `gem install tzinfo -v '2.0.4' --source 'https://rubygems.org/'`
succeeds before bundling.

In Gemfile:
  dependabot-omnibus was resolved to 0.138.1, which depends on
    dependabot-bundler was resolved to 0.138.1, which depends on
      dependabot-common was resolved to 0.138.1, which depends on
        activesupport was resolved to 6.1.3, which depends on
          tzinfo


Errno::EACCES: Permission denied @ rb_sysopen -
/builds/devops/dependabot/vendor/ruby/2.6.0/cache/zeitwerk-2.4.2.gem
An error occurred while installing zeitwerk (2.4.2), and Bundler cannot
continue.
Make sure that `gem install zeitwerk -v '2.4.2' --source
'https://rubygems.org/'` succeeds before bundling.

In Gemfile:
  dependabot-omnibus was resolved to 0.138.1, which depends on
    dependabot-bundler was resolved to 0.138.1, which depends on
      dependabot-common was resolved to 0.138.1, which depends on
        activesupport was resolved to 6.1.3, which depends on
          zeitwerk


Errno::EACCES: Permission denied @ rb_sysopen -
/builds/devops/dependabot/vendor/ruby/2.6.0/cache/aws-partitions-1.434.0.gem
An error occurred while installing aws-partitions (1.434.0), and Bundler cannot
continue.
Make sure that `gem install aws-partitions -v '1.434.0' --source
'https://rubygems.org/'` succeeds before bundling.

In Gemfile:
  dependabot-omnibus was resolved to 0.138.1, which depends on
    dependabot-bundler was resolved to 0.138.1, which depends on
      dependabot-common was resolved to 0.138.1, which depends on
        aws-sdk-codecommit was resolved to 1.42.0, which depends on
          aws-sdk-core was resolved to 3.113.0, which depends on
            aws-partitions

[m-aciek]

After bisecting the problem first not working version is omnibus 1.137.2 #557.

[gringostar]

A fix for this is to leave out --path vendor, to use default path for bundle install.

I believe the error comes from the change on dependabot-core dockerfile, where the user has been changed from root to a dependabot user with less privileges, and so does not have rights to write to the vendor folder.

[feelepxyz]

We've just merged a fix to the core dockerfile that should hopefully fix this, will confirm.

[feelepxyz]

For some context. I made this change in core dependabot/dependabot-core#3398 which is what's caused these issues, I'm sorry for any hassle this has caused and for not spotting this would cause downstream issues.

The docker container in core now creates a dependabot user and installs dependencies as this user. This means you either need to use the new Dockerfile: https://github.com/dependabot/dependabot-script#running-script-with-dependabot-script-dockerfile

Or if you have your own Dockerfile, make sure to create the working directory in $HOME: RUN mkdir -p /home/dependabot/script and copy files owned by dependabot: COPY --chown=dependabot:dependabot . /home/dependabot/script to fix permissions.

Alternatively, you can still build and run only the core container and volume mount the folders but this requires rebuilding the dependabot-core container with USER_UID and USER_GID args: https://github.com/dependabot/dependabot-script#running-scripts-with-dependabot-core-dockerfile-only

[m-aciek]

I can confirm the issue has been solved. Thank you!