Run as non-root/Use the same UID and GID as the GitHub runners?

[simonvanderveldt]

Hi! First of all thanks for this repo/including GitHub Pages in Actions, it's nice to finally be able to see what's happening with a Pages build and deployment plus now we can use the exact same way GitHub Pages does a build or deployment in our own CI :)

One small thing I ran into is that the Docker image runs as root, so the files written by the build are also owned by root.
Since the GitHub runners run as UID 1001 GID 121 they are then unable to make any changes to these files.
I'm not sure if there's a policy within GitHub for these things, but it might make sense to use the same UID/GID as the runners? Also not running as root is a plus of course :)

[yoannchaudet]

Hello!

It is actually a requirement to have a published action uses the default Docker user (root). See documentation. We cannot pass any docker options in a published action so there are some assumption for the runner's working directory that is mounted as a volume.

I am asking the Actions team to see if there is anything we can do and maybe aligned the UIDs.

What are you trying to do by the way?

[simonvanderveldt]

Thanks for the quick reply!

It is actually a requirement to have a published action uses the default Docker user (root). See documentation. We cannot pass any docker options in a published action so there are some assumption for the runner's working directory that is mounted as a volume.

O, sorry about that, I did search a bit to see if there were any requirements like this but somehow I missed this.
Interesting choice though, pretty much everyone and everything suggests against running as root. The rationale in the docs you linked also don't really seem to make sense given that if you run the container with the same UID/GID as the host it works fine.
I guess they are just suggesting this to keep things simple for users?
It's also not helped by the fact that AFAIK it's not possible to configure container options for actions that use a container. That would've been a relatively simple way to work around it.

I am asking the Actions team to see if there is anything we can do and maybe aligned the UIDs.

👍
FYI it's been a longer standing issue in general, a quick search gave me https://gitpro.ttaallkk.topmunity/t/actions-files-changed-in-container-action-are-now-owned-by-root/16115, actions/runner#691 and actions/checkout#211 from 2019 and 2020.

What are you trying to do by the way?

Was just using this action to do a build for PRs and then push it to a "staging" deployment. Been doing so with the jekyll/jekyll:pages Docker image and whilst that's close it's just not the exact same way GitHub Pages are being built for real. This Action is :) Plus it's less maintenance to just use an existing GitHub managed action vs a slightly more custom workflow with run tasks with a container.

FYI I worked around this by using setgid before running the action, that works fine. I've seen others work around it by running some chown statements (I expect these would need to be run within a container that's running as root or run with sudo) but that seems a bit clunky.

[yoannchaudet]

Closing because I don't have a good workaround for that. Unfortunately this is in part how Actions and containers behave today.

[simonvanderveldt]

😢