ruby / setup-ruby

An action to download a prebuilt Ruby and add it to the PATH in 5 seconds
https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
MIT License

Permissions errors on runners with Ruby preinstalled #624

Closed mhashizume closed 4 weeks ago

mhashizume commented 1 month ago

Ensure the following before filing this issue

Are you running on a GitHub-hosted runner or a self-hosted runner?

GitHub-hosted runner

Link to the failed workflow job (must be a public workflow job, so the necessary information is available)

https://github.com/puppetlabs/puppet-agent/actions/runs/9945835021/job/27475015085?pr=2548

Any other notes?

GitHub recently updated its Ubuntu 22.04 runner images to come preinstalled with Ruby 3.2. Since then, when attempting to install gems with Bundler after using the setup-ruby action to install Ruby 3.2, we get this error message:

The installation path is insecure. Bundler cannot continue.
/opt/hostedtoolcache/Ruby/3.2.4/x64/lib/ruby/gems/3.2.0/gems is world-writable
(without sticky bit).
Bundler cannot safely replace gems in world-writeable directories due to
potential vulnerabilities.
Please change the permissions of this directory or choose a different install
path.
Error: Process completed with exit code 38.

dentarg commented 1 month ago

Upstream issue: https://github.com/actions/runner-images/issues/10215

dentarg commented 1 month ago

This does not sound like an issue in setup-ruby, seeing the ubuntu-20.04 image has Ruby 3.0, 3.1 and 3.2 installed https://github.com/actions/runner-images/blob/d8dce39e5fa208d80fdfbd0171017fece66c0621/images/ubuntu/Ubuntu2004-Readme.md#ruby and we are not getting any reports about problems with that. I guess something went wrong when adding Ruby 3.2 for https://github.com/actions/runner-images/pull/10190. I suggest you add feedback to the upstream issue: https://github.com/actions/runner-images/issues/10215

eregon commented 1 month ago

Mmh, I wonder if this is actually due to a recent bundler change. Because some permission issue has been there for a while in GitHub Actions, at least for /home/runner: https://github.com/actions/runner-images/issues/267

eregon commented 4 weeks ago

Taking a look at this, yes this seems clearly an upstream issue as @dentarg analyzed. https://github.com/ruby/ruby-builder/releases/download/toolcache/ruby-3.2.4-ubuntu-22.04.tar.gz is fine and has correct permissions for x64/lib/ruby/gems/3.2.0/gems:

$ tar tfv ruby-3.2.4-ubuntu-22.04.tar.gz|grep x64/lib/ruby/gems/3.2.0/gems
drwxr-xr-x runner/docker        0 2024-04-23 15:04 x64/lib/ruby/gems/3.2.0/gems/

And https://github.com/puppetlabs/puppet-agent/actions/runs/9945835021/job/27475015085?pr=2548 clearly used the already-on-the-filesystem Ruby 3.2.4.

eregon commented 4 weeks ago

OTOH it seems the permissions for Ruby already in the runner image are wrong for all ubuntu versions: https://github.com/actions/runner-images/issues/10215#issuecomment-2263152071

And it seems odd Bundler would complain so late about this, after installing many other gems.
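
A check for the condition named in the Bundler error quoted in this thread (a directory that is world-writable without the sticky bit), as an added example that is not code from setup-ruby, Bundler or any participant. It tests both a directory tree on disk and the symbolic mode column of a `tar tfv` listing like the one shown above; the function names and the sample tree are constructed for illustration.

```ruby
require "find"
require "tmpdir"

WORLD_WRITABLE = 0o002   # o+w
STICKY         = 0o1000  # restricted-deletion (sticky) bit

# True for a numeric mode with o+w set and no sticky bit.
def insecure_mode?(mode)
  (mode & WORLD_WRITABLE) != 0 && (mode & STICKY).zero?
end

# Same test for the symbolic mode column of `tar tfv` / `ls -l`,
# e.g. "drwxr-xr-x". Only directory entries are considered.
def insecure_listing_mode?(sym)
  sym.length >= 10 && sym[0] == "d" && sym[8] == "w" && !"tT".include?(sym[9])
end

# Directories under root that are world-writable without the sticky bit.
# lstat is used so symlinks are inspected as links and never followed.
def insecure_dirs(root)
  found = []
  Find.find(root) do |path|
    st = File.lstat(path)
    found << path if st.directory? && insecure_mode?(st.mode)
  end
  found.sort
end

# Constructed sample tree (not the runner image): one directory per case.
def demo
  Dir.mktmpdir do |root|
    { "gems" => 0o777, "tmp" => 0o1777, "specifications" => 0o755 }.each do |name, mode|
      dir = File.join(root, name)
      Dir.mkdir(dir)
      File.chmod(mode, dir) # explicit chmod so the umask does not mask o+w
    end
    insecure_dirs(root).map { |p| File.basename(p) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Pointing `insecure_dirs` at a Ruby installation prefix in a workflow step before `bundle install` lists the directories that would trigger the error, so the permissions problem surfaces before any gems are installed.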

eregon commented 4 weeks ago

@mhashizume Could you report this to https://github.com/rubygems/rubygems/issues/new/choose ?

I don't think there is anything we can do in setup-ruby about this so I'll close this issue.

eregon commented 1 day ago

Filed at https://github.com/rubygems/rubygems/issues/7983, thanks @ioquatix