Permission error when repository content shall be written to disk

[jeltsch]

I’m trying to use an image from Docker Hub, makarius/isabelle, for automated builds. However, if usage of this image is enabled, checking out my repository fails with the error EACCES: permission denied, open '/__w/⟨repository-name⟩/⟨repository-name⟩/⟨uuid⟩.tar.gz'. The repository is downloaded using the GitHub REST API.

A minimal workflow file that triggers this error is as follows:

name: Automated checkout

on: [push]

jobs:
  checkout:
    runs-on: ubuntu-latest
    container: makarius/isabelle
    steps:
      - name: Check out repository
        uses: actions/checkout@v2

Unfortunately, the above error message, while mentioning a path, does not tell, on which machine the respective directories should exist and what permissions they should have.

From the documentation, I cannot tell, what actions/checkout@v2 is trying to achieve. Does the virtual host try to write the data into the container and doesn’t have write permissions? Or does the container try to copy the data from the virtual host onto its own disk, and, if yes, is the problem that it cannot read the data or that it cannot write the data?

Are there any constraints a docker image to be used with actions/checkout@v2 has to fulfill? If yes, where are these documented?

[DasSkelett]

Hitting the same. actions/checkout seems to not work with non-root containers by default. The error message doesn't tell me what to do to fix it though.

Trying to specify a different destination path in the container doesn't work either and fails with

Error: Repository path '/home/user/repo' is not under '/__w/repo/repo'

Is there any way to make this action work with non-root users?

[jeltsch]

You can derive a container from the official Isabelle container by importing the latter and adding something like USER root to it (I might not remember the details correctly, but that should be the general approach).

I tried going down this path, but was then hit by the fact that the official Isabelle container doesn’t contain LaTeX, which I found a bit strange, given that running LaTeX is part of the, fundamental, build command by default. I solved this issue by ignoring the Isabelle container and instead starting with the official TeX Live container. My GitHub workflow installs the Isabelle distribution into this container on the fly. To save bandwidth, it uses GitHub’s caching facilities to cache the Isabelle installation.

You can find an example workflow at https://github.com/input-output-hk/network-equivalences/blob/master/.github/workflows/quick-and-dirty-build.yaml. For using it in similar situations as ours, you only have to change the metadata at the top of the workflow description, because the rest of the code is rather generic. Note that this workflow even supports the import of other Isabelle sessions from GitHub, which we need, because we concurrently develop several interdependent sessions that reside in different repositories.