Xcode Cloud + SPM Package Plugin Failure "You don't have permission to save the file..."

[jaredsinclair]

New Issue Checklist

• Updated SwiftLint to the latest version (0.54)
• I searched for existing GitHub issues. This closed issue claims to have resolved the problem, but that does not seem to hold true for Xcode Cloud when using SwiftLint as a package plugin.

Bug

SwiftLint fails to run as a package plugin in Xcode Cloud: Error: You don’t have permission to save the file “26c6d2....plist” in the folder “4D4FA.....”.

Description

SwiftLint fails to run as a package plugin in Xcode Cloud. Please note as a package plugin, not via the CLI/Homebrew installation/etc. I'm seeing SwiftLint 0.54 attempt to write to the file system despite the fact that the tool is running in Xcode Cloud. This causes an unrecoverable error preventing the rest of the build process. Here's the relevant Xcode Cloud log output:

v - Prepare Packages
vv - Running SwiftLint for MyApp 16.0 seconds

/usr/bin/sandbox-exec -p "(version 1)
(deny default)
(import \"system.sb\")
(allow file-read*)
(allow process*)
(allow mach-lookup (global-name \"com.apple.lsd.mapdb\"))
(allow file-write*
    (subpath \"/private/tmp\")
    (subpath \"/private/var/folders/lz/kwk55s8n75j_r0ckr6m6qj9h0000gn/T\")
)
(deny file-write*
    (subpath \"/Volumes/workspace/repository/MyApp\")
)
(allow file-write*
    (subpath \"/Volumes/workspace/DerivedData/SourcePackages/plugins/MyApp.output/MyApp/SwiftLint\")
)
" /Volumes/workspace/DerivedData/SourcePackages/artifacts/MyPrivatePackage/SwiftLintBinary/SwiftLintBinary.artifactbundle/swiftlint-0.54.0-macos/bin/swiftlint lint --strict --quiet --config /Volumes/workspace/repository/MyApp/.swiftlint.yml --cache-path /Volumes/workspace/DerivedData/SourcePackages/plugins/MyApp.output/MyApp/SwiftLint

2024-01-31 09:42:24.142 xcodebuild[6350:24748]  DVTFilePathFSEvents: Failed to start fs event stream.
2024-01-31 09:42:24.447 xcodebuild[6353:24760]  DVTFilePathFSEvents: Failed to start fs event stream.
2024-01-31 09:42:25.584 xcodebuild[6358:24778]  DVTFilePathFSEvents: Failed to start fs event stream.
Error: You don’t have permission to save the file “26c6d282529428ce0cf1ecf2295388c5f0fb2580bd42d99096ebb8d3b99f4da4.plist” in the folder “4D4FAECE-7849-3B2C-9674-8DDA23306B7E”.

Environment

• SwiftLint 0.54 binary release "Macro-Economic Forces"
• SwiftLint is included as a .binaryTarget(...) dependency of an internal Swift package MyPrivatePackage. This package is a dependency used across our team's various projects.
• Project target relies on MyPrivatePackage's copy of SwiftLint as a build plugin step under a "Run Build Tool Plugins" Xcode build phase.
• Xcode Cloud set to "Latest Release" tooling
• A ci_post_checkout.sh Xcode Cloud script runs the following commands prior to resolving Swift packages or running build plugins, per the SwiftLint README for "unattended" CI usage:

defaults write com.apple.dt.Xcode IDESkipPackagePluginFingerprintValidatation -bool YES
defaults write com.apple.dt.Xcode IDESkipMacroFingerprintValidation -bool YES

The Xcode Cloud environment variables during Xcode Cloud's "Set environment variables" build step are:

CI=TRUE
CI_BRANCH=feature/jared/my-branch-name
CI_BUILD_ID=4a399832-e8ee-45cb-970a-350c55b478ce
CI_BUILD_NUMBER=21
CI_BUILD_URL=[REDACTED]
CI_BUNDLE_ID=[REDACTED]
CI_COMMIT=[REDACTED]
CI_DERIVED_DATA_PATH=/Volumes/workspace/DerivedData
CI_GIT_REF=refs/heads/feature/jared/my-branch-name
CI_PRIMARY_REPOSITORY_PATH=/Volumes/workspace/repository
CI_PRODUCT=MyApp
CI_PRODUCT_ID=[REDACTED]
CI_PRODUCT_PLATFORM=iOS
CI_PROJECT_FILE_PATH=/Volumes/workspace/repository/MyApp/MyApp.xcworkspace
CI_PULL_REQUEST_HTML_URL=[REDACTED]
CI_PULL_REQUEST_NUMBER=12345
CI_PULL_REQUEST_SOURCE_BRANCH=feature/jared/my-branch
CI_PULL_REQUEST_SOURCE_COMMIT=[REDACTED]
CI_PULL_REQUEST_SOURCE_REPO=[REDACTED]
CI_PULL_REQUEST_TARGET_BRANCH=feature/jared/my-branch-name
CI_PULL_REQUEST_TARGET_COMMIT=[REDACTED]
CI_PULL_REQUEST_TARGET_REPO=[REDACTED]
CI_RESULT_BUNDLE_PATH=/Volumes/workspace/resultbundle.xcresult
CI_START_CONDITION=pr_update
CI_TEAM_ID=[REDACTED]
CI_TEST_PLAN=AllTests
CI_TEST_PRODUCTS_PATH=/Volumes/workspace/TestProducts.xctestproducts
CI_WORKFLOW=PR Validation
CI_WORKSPACE_PATH=/Volumes/workspace
CI_XCODEBUILD_ACTION=build-for-testing
CI_XCODE_CLOUD=TRUE
CI_XCODE_PROJECT=MyApp.xcworkspace
CI_XCODE_SCHEME=MyApp
TMPDIR=/Volumes/workspace/tmp/

Workaround

I am able to get SwiftLint to run successfully in Xcode Cloud if I don't use it as a package plugin but instead use it via a custom build phase run script (installed via homebrew, f.ex.). Unfortunately, this workaround is not available to me, because my team is relying on the package plugin support in order to avoid tooling challenges with programmatic/manual SwiftLint installs.

Given that a run script approach works, I have reason to believe that this bug is specific to running SwiftLint in Xcode Cloud as a package plugin. My guess here is that the option to disable caching is missed in some code path unique to the package plugin use case.

[jaredsinclair]

Oh lord, I figured out what was going on. I'm so sorry, closing this issue.

TL;DR our usage of the SwiftLint tool was completely bypassing its native use as a package plugin, and was instead using a custom package plugin that invoked SwiftLint directly, which is why the --cache-path was supplied instead of --no-cache.

For posterity: If, like me, you encounter this error, double check that the project setup you have inherited is indeed using SwiftLint directly as a package plugin. If you are rolling your own package plugin and invoking SwiftLint directly, you will miss out on important fixes like this one (#5287) which you will not enjoy, even if you're always using the latest exported SwiftLint binary.