aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

core: Error when running in GitHub Actions: `Error: EACCES: permission denied, mkdir ` #15179

Closed g-farrow closed 3 years ago

g-farrow commented 3 years ago

When running a cdk deploy in GitHub Actions I have started to get the following error:

Error: EACCES: permission denied, mkdir.

This error occurs since upgrading from v1.102.0 to v1.1.9.0

```
Run cdk deploy --context DEPLOY_ENV=development  "*"
Error: EACCES: permission denied, mkdir '/github/workspace/cdk.out/asset.7af6295e521fd55af94332393ceffb3e866aac4dc4956321f7918f21e72199e4'
    at Object.mkdirSync (fs.js:1009:3)
    at AssetStaging.stageAsset (/github/workspace/node_modules/@aws-cdk/core/lib/asset-staging.ts:308:10)
    at AssetStaging.stageByCopying (/github/workspace/node_modules/@aws-cdk/core/lib/asset-staging.ts:203:10)
    at stageThisAsset (/github/workspace/node_modules/@aws-cdk/core/lib/asset-staging.ts:139:35)
    at Cache.obtain (/github/workspace/node_modules/@aws-cdk/core/lib/private/cache.ts:24:13)
    at new AssetStaging (/github/workspace/node_modules/@aws-cdk/core/lib/asset-staging.ts:162:44)
    at new Asset (/github/workspace/node_modules/@aws-cdk/aws-s3-assets/lib/asset.ts:68:21)
    at AssetCode.bind (/github/workspace/node_modules/@aws-cdk/aws-lambda/lib/code.ts:180:20)
    at new Function (/github/workspace/node_modules/@aws-cdk/aws-lambda/lib/function.ts:327:29)
    at new DnsValidatedCertificate (/github/workspace/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:49:31)
```

Reproduction Steps

```ts
/* eslint-disable no-new */
import * as cdk from '@aws-cdk/core'
import { Duration, RemovalPolicy } from '@aws-cdk/core'
import { HostedZone, ARecord, RecordTarget } from '@aws-cdk/aws-route53'
import { DnsValidatedCertificate } from '@aws-cdk/aws-certificatemanager'
import { Bucket } from '@aws-cdk/aws-s3'
import {
  CloudFrontWebDistribution,
  CloudFrontAllowedMethods,
  CloudFrontAllowedCachedMethods,
  ViewerProtocolPolicy,
  PriceClass,
  OriginProtocolPolicy,
  SSLMethod,
  SecurityPolicyProtocol
} from '@aws-cdk/aws-cloudfront'
import { CloudFrontTarget } from '@aws-cdk/aws-route53-targets'
import { BucketDeployment, Source } from '@aws-cdk/aws-s3-deployment'
import * as path from 'path'

export class VisitorAppStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props)

    const zone = HostedZone.fromLookup(this, 'Zone', {
      domainName: "example.com"
    })

    // DnsValidatedCertificate creates a Lambda function whose code asset is
    // staged into cdk.out during synthesis (the mkdir in the stack trace above).
    const certificate = new DnsValidatedCertificate(this, 'SiteCertificate', {
      domainName: "app.example.com",
      hostedZone: zone,
      region: 'us-east-1'
    })

    // Public website bucket, used below as the CloudFront custom origin.
    const bucket = new Bucket(this, 'FrontEndCdkConstructBucket', {
      websiteIndexDocument: 'index.html',
      websiteErrorDocument: '404/index.html',
      publicReadAccess: true,
      removalPolicy: RemovalPolicy.DESTROY
    })

    const distribution = new CloudFrontWebDistribution(
      this,
      'FrontEndDistribution',
      {
        aliasConfiguration: {
          acmCertRef: certificate.certificateArn,
          names: ["app.example.com"],
          sslMethod: SSLMethod.SNI,
          securityPolicy: SecurityPolicyProtocol.TLS_V1_1_2016
        },
        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
        priceClass: PriceClass.PRICE_CLASS_ALL,
        originConfigs: [
          {
            customOriginSource: {
              domainName: bucket.bucketWebsiteDomainName,
              originProtocolPolicy: OriginProtocolPolicy.HTTP_ONLY
            },
            behaviors: [
              {
                isDefaultBehavior: true,
                allowedMethods: CloudFrontAllowedMethods.GET_HEAD_OPTIONS,
                cachedMethods: CloudFrontAllowedCachedMethods.GET_HEAD_OPTIONS,
                compress: true,
                defaultTtl: Duration.seconds(3600),
                forwardedValues: {
                  cookies: {
                    forward: 'none'
                  },
                  queryString: false
                },
                maxTtl: Duration.seconds(84600),
                minTtl: Duration.seconds(60)
              }
            ]
          }
        ],
        errorConfigurations: [
          {
            errorCode: 403,
            responseCode: 404,
            responsePagePath: '/404/index.html'
          }
        ]
      }
    )

    new ARecord(this, 'SiteRecord', {
      recordName: "app.example.com",
      target: RecordTarget.fromAlias(new CloudFrontTarget(distribution)),
      zone
    })

    // The local 'out' directory is also staged as an asset under cdk.out.
    new BucketDeployment(this, 'DeployWithInvalidation', {
      sources: [Source.asset(path.join(process.cwd(), 'out'))],
      destinationBucket: bucket,
      distribution,
      distributionPaths: ['/*']
    })
  }
}
```

package.json dependencies:

```json
  "devDependencies": {
    "@aws-cdk/assert": "1.109.0",
    "@babel/core": "^7.14.6",
    "@fullhuman/postcss-purgecss": "^4.0.3",
    "@storybook/addon-actions": "^6.2.9",
    "@storybook/addon-essentials": "^6.2.9",
    "@storybook/addon-links": "^6.2.9",
    "@storybook/addon-postcss": "^2.0.0",
    "@storybook/react": "^6.2.9",
    "@testing-library/dom": "^7.31.2",
    "@testing-library/jest-dom": "^5.14.1",
    "@testing-library/react": "^11.2.7",
    "@testing-library/user-event": "^13.1.9",
    "@types/jest": "^26.0.23",
    "@types/node": "15.12.2",
    "@types/react": "^17.0.11",
    "@typescript-eslint/eslint-plugin": "^4.27.0",
    "@typescript-eslint/parser": "^4.27.0",
    "aws-amplify": "^4.1.0",
    "aws-cdk": "1.109.0",
    "babel-jest": "^27.0.2",
    "babel-loader": "^8.2.2",
    "cross-env": "^7.0.3",
    "cypress": "^7.5.0",
    "dotenv": "^10.0.0",
    "dotenv-flow": "^3.2.0",
    "eslint": "^7.28.0",
    "eslint-config-next": "^11.0.0",
    "eslint-config-prettier": "^8.3.0",
    "eslint-config-standard": "^16.0.3",
    "eslint-plugin-cypress": "^2.11.3",
    "eslint-plugin-import": "^2.23.4",
    "eslint-plugin-node": "^11.1.0",
    "eslint-plugin-prettier": "^3.4.0",
    "eslint-plugin-promise": "^5.1.0",
    "eslint-plugin-react": "^7.24.0",
    "eslint-plugin-react-hooks": "^4.2.0",
    "jest": "^27.0.4",
    "jest-canvas-mock": "^2.3.1",
    "pre-commit": "^1.2.2",
    "prettier": "^2.3.1",
    "prettier-config-standard": "^4.0.0",
    "ts-jest": "^27.0.3",
    "ts-node": "^10.0.0",
    "typescript": "~4.3.3"
  },
  "dependencies": {
    "@apollo/client": "^3.3.20",
    "@aws-cdk/aws-certificatemanager": "^1.109.0",
    "@aws-cdk/aws-cloudfront": "^1.109.0",
    "@aws-cdk/aws-route53": "^1.109.0",
    "@aws-cdk/aws-route53-targets": "^1.109.0",
    "@aws-cdk/aws-s3-deployment": "^1.109.0",
    "@aws-cdk/core": "1.109.0",
    "@datadog/browser-logs": "^2.14.0",
    "@hookform/devtools": "^3.1.0",
    "autoprefixer": "^10.2.6",
    "classnames": "^2.3.1",
    "dexie": "^3.0.3",
    "graphql": "^15.5.0",
    "next": "11.0.0",
    "next-pwa": "^5.2.21",
    "postcss": "^8.3.5",
    "postcss-import": "^14.0.2",
    "react": "17.0.2",
    "react-dom": "17.0.2",
    "react-feather": "^2.0.9",
    "react-hook-form": "^7.8.8",
    "react-swipeable": "^6.1.2",
    "react-zoom-pan-pinch": "^2.0.2",
    "source-map-support": "^0.5.19",
    "tailwindcss": "^2.1.4"
```

GitHub Actions config:

```yaml
- name: CDK Deploy
  id: deploy
  uses: youyo/aws-cdk-github-actions@master
  with:
    cdk_subcommand: 'deploy --context DEPLOY_ENV=development'
    actions_comment: false
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
```

What did you expect to happen?

CDK will deploy as it did before I upgraded

What actually happened?

Failed with an error trying to create a directory

Environment

Other


This is :bug: Bug Report

NGL321 commented 3 years ago

Hi @g-farrow,

Thank you for reporting this. I haven't had an opportunity to reproduce yet, but someone will take a look when they have an opportunity. We have marked this issue as a p2; this means it may be some time before it gets addressed. If you think this should be a higher priority, feel free to get upvotes and we will escalate.

If you need this done more quickly than we can offer, please feel free to submit a PR with a fix.

😸 😷

g-farrow commented 3 years ago

Hi @NGL321

It looks like this is not a CDK issue - but actually, an issue caused by a change to the GitHub Action's base image: https://github.com/youyo/aws-cdk-github-actions/issues/36

Therefore I'm going to close this issue - thanks!

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

a-h commented 2 years ago

I had this issue, however, I don't believe the issue to be a problem in CDK.

If you're running a CDK deploy within a container on GitHub Actions, then there's a mismatch between the user inside the Docker container and the permissions of the __w directory.

The issue is described at https://github.com/actions/runner/issues/1203

A workaround and issue to track is at https://github.com/actions/runner/issues/691

In case it disappears, I've extracted the workaround:

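```yaml
jobs:
  configure:
    runs-on: ubuntu-latest
    outputs:
      uid_gid: ${{ steps.get-user.outputs.uid_gid }}
    steps:
      # Runs directly on the runner: record the uid:gid that owns the workspace.
      # The output is written via $GITHUB_OUTPUT (::set-output is deprecated).
      - id: get-user
        run: echo "uid_gid=$(id -u):$(id -g)" >> "$GITHUB_OUTPUT"

  clone-and-install:
    needs: configure
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/vscode/devcontainers/base:ubuntu
      # Start the job container as the same uid:gid so it can write to the
      # workspace directory mounted from the runner.
      options: --user ${{ needs.configure.outputs.uid_gid }}
    steps:
      - uses: actions/checkout@v2
```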
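
A pre-flight check for the user/ownership mismatch described in the comment above, written as an added example (it is not from this thread, from CDK, or from the linked runner issues). The function names are assumptions of this sketch; run it as a step before `cdk deploy`, passing the output directory.

```shell
#!/bin/sh
# Pre-flight check: can the current (container) user create the CDK output directory?
# All function names here are hypothetical and exist only for this example.

# Walk up from the target until a directory that already exists is found;
# that directory is the one mkdir needs write permission on.
nearest_existing_dir() {
  p=$1
  while [ ! -d "$p" ] && [ "$p" != "/" ]; do
    p=$(dirname "$p")
  done
  printf '%s\n' "$p"
}

# Numeric uid:gid owner of a path (ls -n is POSIX, unlike stat -c).
owner_of() {
  ls -ldn "$1" | awk '{ print $3 ":" $4 }'
}

# Classify the situation. Arguments: process uid, owner uid, writable ("yes"/"no").
classify() {
  if [ "$3" = "yes" ]; then echo "ok"
  elif [ "$1" != "$2" ]; then echo "uid-mismatch"
  else echo "mode"
  fi
}

check_outdir() {
  target=$1
  parent=$(nearest_existing_dir "$target")
  owner=$(owner_of "$parent")
  writable=no; [ -w "$parent" ] && writable=yes
  verdict=$(classify "$(id -u)" "${owner%%:*}" "$writable")
  echo "running as $(id -u):$(id -g); $parent is owned by $owner; verdict: $verdict"
  case $verdict in
    ok) return 0 ;;
    uid-mismatch)
      echo "::error::container user does not own $parent; start the container with --user set to the runner's uid:gid" ;;
    mode)
      echo "::error::$parent is owned by this user but is not writable; check its mode bits" ;;
  esac
  return 1
}

# Run the check when a path is given, e.g. ./preflight.sh cdk.out
if [ $# -gt 0 ]; then check_outdir "$1"; fi
```

A `uid-mismatch` verdict is the case the `--user` workaround addresses; a root user inside the container reports `ok` because root bypasses the ownership check.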