renovatebot / github-action

Unable to use `actions/cache` with Renovate: `EACCESS` #646

Open jamietanna opened 1 year ago

jamietanna commented 1 year ago

When using GitHub Actions' caching functionality, Renovate ends up hitting an `EACCES` when trying to write to the restored cache keys.

A failing job with workflow definition reports the following error on subsequent runs:

```
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "BxuFXuCsh1JmPxe_hfhG1",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
         }
       ]
```

It appears that:

```
/usr/bin/docker run --env RENOVATE_TOKEN=x-access-token:*** --env RENOVATE_CONFIG_FILE=/github-action/config.js --volume /home/runner/work/actions-testing/actions-testing/config.js:/github-action/config.js --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --user 1000:121 --rm renovate/renovate:34.2.0-slim
```

May be at fault, as running `id -u` outside of the Renovate runner shows:

```
uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal)
```

Whereas we're trying to use the uid 1000, which doesn't match, and is therefore denied from reading the files:

```
# this is from a different run, so not visible on the above link
/tmp/renovate-baseDir:
total 12
drwxr-xr-x  3 runner docker 4096 Nov  2 16:40 .
```

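
The uid mismatch diagnosed above, as an added example that is not part of the original issue or the project's code: a POSIX shell check that predicts, from a directory's owner, group and mode bits, whether a container started with a given `--user UID:GID` can create entries in it. The function names are hypothetical; the sample values (1000:121, 1001:121, mode 755) are the ones quoted in the issue.

```sh
#!/bin/sh
# Added example: predict from owner, group and mode bits alone whether a
# container started with `--user UID:GID` can create entries in a
# bind-mounted directory. Ignores ACLs, supplementary groups and uid 0.

# perm_class UID GID OWNER_UID OWNER_GID -> owner | group | other
perm_class() {
    if [ "$1" -eq "$3" ]; then echo owner
    elif [ "$2" -eq "$4" ]; then echo group
    else echo other
    fi
}

# mode_allows_create CLASS OCTAL_MODE -> status 0 if CLASS has write+search
mode_allows_create() {
    case $1 in
        owner) off=6 ;;
        group) off=3 ;;
        *)     off=0 ;;
    esac
    bits=$(( (0$2 >> off) & 7 ))   # leading 0 makes the mode an octal constant
    [ $(( bits & 3 )) -eq 3 ]      # mkdir needs both w (2) and x (1)
}

# can_create_in DIR UID GID -> status 0 if the mode bits permit it
can_create_in() {
    # GNU stat first (Linux runners), BSD stat as a fallback
    meta=$(stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %Lp' "$1") || return 2
    set -- "$2" "$3" $meta         # uid gid owner_uid owner_gid mode
    mode_allows_create "$(perm_class "$1" "$2" "$3" "$4")" "$5"
}

# Values from the issue: directory owned by runner(1001):docker(121) with
# mode drwxr-xr-x (755); the container is started with --user 1000:121.
explain_issue_case() {
    class=$(perm_class 1000 121 1001 121)
    if mode_allows_create "$class" 755; then verdict=allowed; else verdict=EACCES; fi
    echo "$class:$verdict"
}

explain_issue_case   # prints group:EACCES
```

The container user shares gid 121 with the directory, so it is evaluated against the group bits, and `r-x` carries no write permission; that is why `mkdir` fails even though the group matches.
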
jamietanna commented 1 year ago

It looks like https://github.com/renovatebot/github-action/blob/d7c9fe4fd76644e3acba0da8fe63756bac210d94/src/renovate.ts#L20 is the line we'd want to change

Akaame commented 1 year ago

@jamietanna were you able to work past this?

GSala commented 1 year ago

@Akaame we are working around that like this:

```yaml
- run: sudo chown -R 1000 /tmp/renovate
# Run renovate
- run: sudo chown -R $(whoami) /tmp/renovate
```

jamietanna commented 1 year ago

Due to the size of our organisation, the recommendation from the Renovate team was to use Mend Renovate On-Prem (which is free!), which is much less costly for our usage and has its own means to do caching.

Akaame commented 1 year ago

@GSala thanks, this is what we also ended up doing.

viceice commented 1 year ago

v35 will use current host user id and use binarySource=install

viceice commented 1 year ago

Need to revert the default user change because of