[q] fix: install crush to writable npm prefix to fix EROFS in AWF chroot mode#29734
Closed
github-actions[bot] wants to merge 1 commit intomainfrom
Closed
[q] fix: install crush to writable npm prefix to fix EROFS in AWF chroot mode#29734github-actions[bot] wants to merge 1 commit intomainfrom
github-actions[bot] wants to merge 1 commit intomainfrom
Conversation
…mode The @charmland/crush npm package lazily downloads the actual binary into its package directory at runtime (when `crush run` is first invoked). In AWF chroot mode, the standard npm global prefix (/opt/hostedtoolcache/node/.../lib/node_modules/) is mounted read-only, causing the binary download to fail with: Error: Installation failed: EROFS: read-only file system, mkdir '/opt/hostedtoolcache/node/.../lib/node_modules/@charmland/crush/bin' Fix by setting NPM_CONFIG_PREFIX=/tmp/npm-global in the install step so the crush package and its binary land in a writable /tmp directory. Also prepend /tmp/npm-global/bin to PATH in the execution steps so the installed crush binary is found both in AWF chroot mode and in non-firewall execution. Evidence: run #25248852737 (Smoke Crush), identified by Q weekly analysis. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Q Workflow Optimization Report
Issues Found (from live data)
Smoke Crush
Error: Installation failed: EROFS: read-only file system, mkdir '/opt/hostedtoolcache/node/24.14.1/x64/lib/node_modules/@charmland/crush/bin'@charmland/crushnpm package lazily downloads the actual binary at runtime whencrush runis first invoked. It tries to write the binary into its own package directory, which lives inside the npm global prefix (/opt/hostedtoolcache/node/.../lib/node_modules/). In AWF chroot mode, the host filesystem is mounted read-only (EROFS), causing the download to fail.Changes Made
pkg/workflow/crush_engine.goInstall to writable prefix: Changed the crush installation step from:
to:
This installs the crush package to
/tmp/npm-global/lib/node_modules/, which is always writable — both in standard execution and in AWF chroot mode.PATH update: Prepend
/tmp/npm-global/binto the PATH in both the firewall-enabled and non-firewall execution paths so the crush binary can be found at runtime.Other Findings (No Action Required)
error:transaction-end-before-headersfrom::1(localhost health checks), not real outbound blocks. No workflow config change needed.Expected Improvements
/tmp/npm-globalis writable everywhereNote on Lock Files
Lock files (
.lock.yml) will be regenerated automatically by CI after this PR is merged, since the Go binary needs to be rebuilt first.References
Warning
Firewall blocked 2 domains
The following domains were blocked by the firewall during workflow execution:
charm.landproxy.golang.orgSee Network Configuration for more information.