
Unable to use actions/cache with Renovate: EACCESS #646

Open
jamietanna opened this issue Nov 2, 2022 · 9 comments · Fixed by #700
Labels
bug (Something isn't working), help wanted (Extra attention is needed)

Comments

@jamietanna

When using GitHub Actions' caching functionality, Renovate ends up hitting an EACCESS when trying to write to the restored cache keys.

A failing job with workflow definition reports the following error on subsequent runs:

```log
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "BxuFXuCsh1JmPxe_hfhG1",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
         }
       ]
```

It appears that:

```shell
/usr/bin/docker run --env RENOVATE_TOKEN=x-access-token:*** --env RENOVATE_CONFIG_FILE=/github-action/config.js --volume /home/runner/work/actions-testing/actions-testing/config.js:/github-action/config.js --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --user 1000:121 --rm renovate/renovate:34.2.0-slim
```

May be at fault, as running id -u outside of the Renovate runner shows:

```text
uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal)
```

Whereas we're trying to use the uid 1000, which doesn't match, and is therefore denied from reading the files:

```text
# this is from a different run, so not visible on the above link
/tmp/renovate-baseDir:
total 12
drwxr-xr-x  3 runner docker 4096 Nov  2 16:40 .
```
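The failure reported above comes down to the ordinary POSIX permission check on the bind-mounted parent directory: it is owned by `runner:docker` (1001:121) with mode 755, while the container process is started as `--user 1000:121`, so it falls into the group class, which has no write bit. The script below is an added example (not code from this issue or from the Renovate action) that models that check in plain shell and feeds it the exact numbers from the report; `probe_dir` additionally reads a real directory's owner and mode with GNU `stat -c`, so it only works where that flag exists. Supplementary groups are ignored, which matches a plain `--user uid:gid` container.

```shell
#!/bin/sh
# Added example: pure-shell model of the permission check the kernel applies
# when a process calls mkdir() inside a directory. Creating an entry needs
# both write (2) and search/execute (1) on the parent.
#
# Usage: can_write_dir OWNER_UID OWNER_GID MODE CALLER_UID CALLER_GID
# MODE is the three-digit octal permission string (e.g. 755).
# Prints "allowed" or "denied"; always returns 0 so it composes under set -e.
can_write_dir() {
  owner_uid=$1; owner_gid=$2; mode=$3; uid=$4; gid=$5
  # Split "755" into its owner / group / other digits.
  u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
  if [ "$uid" -eq 0 ]; then
    echo allowed; return 0            # root bypasses mode bits (CAP_DAC_OVERRIDE)
  fi
  # Exactly one class applies, in this order: owner, then group, then other.
  if [ "$uid" -eq "$owner_uid" ]; then
    digit=$u
  elif [ "$gid" -eq "$owner_gid" ]; then
    digit=$g
  else
    digit=$o
  fi
  if [ $(( digit & 3 )) -eq 3 ]; then
    echo allowed
  else
    echo denied
  fi
  return 0
}

# probe_dir DIR CALLER_UID CALLER_GID: read the real owner/group/mode of DIR
# (GNU stat) and run the same check against it. Silently skipped where
# `stat -c` is unavailable (e.g. BSD/macOS stat).
probe_dir() {
  owner=$(stat -c '%u' "$1" 2>/dev/null) || return 0
  group=$(stat -c '%g' "$1")
  mode=$(stat -c '%a' "$1")
  mode=${mode#"${mode%???}"}          # keep the low three digits (drop setuid/sticky digit)
  can_write_dir "$owner" "$group" "$mode" "$2" "$3"
}

# Numbers from the report above: /tmp/renovate-baseDir is runner:docker
# (1001:121), mode 755; the container was started with --user 1000:121.
printf 'uid 1000 in a 1001-owned 755 dir : %s\n' "$(can_write_dir 1001 121 755 1000 121)"  # denied
printf 'uid 1001 (the runner itself)     : %s\n' "$(can_write_dir 1001 121 755 1001 121)"  # allowed
printf 'same dir after chown -R 1000     : %s\n' "$(can_write_dir 1000 121 755 1000 121)"  # allowed
printf 'same dir with group write (775)  : %s\n' "$(can_write_dir 1001 121 775 1000 121)"  # allowed
printf 'current user on the cwd          : %s\n' "$(probe_dir "$(pwd)" "$(id -u)" "$(id -g)")"
```

The first three lines of output reproduce the thread in miniature: the mismatch is denied, the runner's own uid is allowed, and re-owning the tree (or matching the container uid to the runner uid) clears it. The 775 line shows the other way out, which a restored cache from `actions/cache` does not give you by default.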
@jamietanna
Author

It looks like

```js
const renovateDockerUser = '1000';
```
is the line we'd want to change

jamietanna pushed a commit to jamietanna/github-action that referenced this issue Nov 2, 2022
As mentioned in renovatebot#646, we're receiving permissions issues due to the use
of the wrong UID for our user binding.

Closes renovatebot#646.
@viceice viceice added bug Something isn't working help wanted Extra attention is needed labels Jan 4, 2023
@Akaame

Akaame commented Jan 31, 2023

@jamietanna were you able to work past this?

@GSala

GSala commented Feb 1, 2023

@Akaame we are working around that like this:

```yaml
- run: sudo chown -R 1000 /tmp/renovate
# Run renovate
- run: sudo chown -R $(whoami) /tmp/renovate
```

@jamietanna
Author

Due to the size of our organisation, the recommendation from the Renovate team was to use Mend Renovate On-Prem (which is free!) and much less costly for our usages, and has its own means to do caching

@Akaame

Akaame commented Feb 11, 2023

@GSala thanks this is what we also ended up doing.

@viceice
Member

viceice commented Mar 10, 2023

v35 will use current host user id and use binarySource=install

@viceice
Member

viceice commented May 12, 2023

Need to revert the default user change because of

@mering

mering commented Nov 8, 2024

One can now specify the docker user. When setting this to the runner user, it seems to work fine.

As I couldn't find a predefined variable/context for the current runner user/group, I added a step to determine this via id command.

We are using something similar to:

```yaml
      - uses: actions/[email protected]
      - uses: actions/[email protected]
        if: github.event.inputs.repoCache != 'disabled'
        with:
          path: /tmp/renovate/cache
          key: renovate
      - name: Determine current user
        id: id
        run: |
          echo "user=$(id -u)" >> $GITHUB_OUTPUT
          echo "group=$(id -g)" >> $GITHUB_OUTPUT
      - name: Generate app token
        id: renovate-token
        uses: getsentry/[email protected]
        with:
          app_id: ${{ secrets.RENOVATE_APP_ID }}
          private_key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
      - uses: renovatebot/[email protected]
        with:
          configurationFile: renovate.json5
          token: "${{ steps.renovate-token.outputs.token }}"
          docker-user: "${{ steps.id.outputs.user }}:${{ steps.id.outputs.group }}"
          docker-volumes: /tmp/renovate:/tmp/renovate
        env:
          RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}
```
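Two fixes appear in this thread: GSala's `chown` before and after the run, and the workflow above, which derives `docker-user` from `id -u`/`id -g` so the container runs as the runner itself. The script below is an added example, not code from the thread or from the Renovate action, that puts both into one preflight wrapper around a plain `docker run`: it always uses the runner's own uid:gid for `--user`, and only falls back to re-owning the cache directory when something in it is actually owned by someone else (a fresh or correctly restored cache then needs no `sudo` at all). `CACHE_DIR`, `IMAGE`, and the function names are assumptions; their defaults are the path and image tag quoted earlier in this issue, and the docker command is built and printed rather than executed so the example runs offline.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not part of renovatebot/github-action).
# Defaults are the cache path and image tag that appear in this issue.
CACHE_DIR=${CACHE_DIR:-/tmp/renovate}
IMAGE=${IMAGE:-renovate/renovate:34.2.0-slim}

# The uid:gid the container should run as: the runner user itself, never a
# hard-coded 1000:121 that may not exist on the host.
docker_user_spec() {
  printf '%s:%s\n' "$(id -u)" "$(id -g)"
}

# volume_mismatch DIR UID: list entries under DIR that are not owned by UID.
# Empty output means every entry is already owned by the intended user.
volume_mismatch() {
  [ -d "$1" ] || return 0
  find "$1" ! -user "$2"
}

# prepare_cache DIR UID: make sure DIR exists and is owned by UID, applying
# the chown workaround from the thread only when ownership really differs.
prepare_cache() {
  mkdir -p "$1"
  if [ -n "$(volume_mismatch "$1" "$2")" ]; then
    echo "preflight: $1 has entries not owned by uid $2, re-owning" >&2
    chown -R "$2" "$1"     # on a GitHub-hosted runner this is: sudo chown -R ...
  fi
}

# Build (do not run) the docker command line so it can be logged and reviewed.
# RENOVATE_TOKEN is forwarded by name from the environment, so the secret never
# appears on the command line.
renovate_docker_cmd() {
  printf 'docker run --env RENOVATE_TOKEN --env RENOVATE_CONFIG_FILE=/github-action/config.js --user %s --volume %s:%s --rm %s\n' \
    "$(docker_user_spec)" "$CACHE_DIR" "$CACHE_DIR" "$IMAGE"
}

# Demo against a constructed scratch directory; no docker daemon needed.
demo_dir=$(mktemp -d)
prepare_cache "$demo_dir" "$(id -u)"          # owned by us already: no chown
echo "would run: $(renovate_docker_cmd)"
rm -rf "$demo_dir"
```

In a workflow the same three pieces map onto mering's steps: `docker_user_spec` is the "Determine current user" step, `prepare_cache` would sit between `actions/cache` and the Renovate step, and the printed command is what the action runs with `docker-user` and `docker-volumes` set. The point of the ownership check is that a restored cache is only a problem when its uid differs from the user the container runs as; fix the uid and the chown becomes unnecessary.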

korosuke613 added a commit to korosuke613/homepage-2nd that referenced this issue Nov 18, 2024
ref: renovatebot/github-action#646 (comment)

```log
DEBUG: Using platform gitAuthor: kiba-renovate[bot] <154907007+kiba-renovate[bot]@users.noreply.github.com>
DEBUG: Adding token authentication for api.github.com (hostType=github) to hostRules
DEBUG: Using baseDir: /tmp/renovate
DEBUG: Using cacheDir: /tmp/renovate/cache
DEBUG: Using containerbaseDir: /tmp/renovate/cache/containerbase
FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "f9smkP2QF64Uoz2kYhyHI",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]
Error: The process '/usr/bin/docker' failed with exit code 1
    at ExecState._setResult (/home/runner/work/_actions/renovatebot/github-action/180db1547505e30c02d41959fe65ada1523ee207/dist/index.js:1702:25)
    at ExecState.CheckComplete (/home/runner/work/_actions/renovatebot/github-action/180db1547505e30c02d41959fe65ada1523ee207/dist/index.js:1685:18)
    at ChildProcess.<anonymous> (/home/runner/work/_actions/renovatebot/github-action/180db1547505e30c02d41959fe65ada1523ee207/dist/index.js:1579:27)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)
```
@viceice
Member

viceice commented Dec 5, 2024

> One can now specify the docker user. When setting this to the runner user, it seems to work fine.
>
> As I couldn't find a predefined variable/context for the current runner user/group, I added a step to determine this via id command.
>
> We are using something similar to:
>
> ```yaml
>       - uses: actions/[email protected]
>       - uses: actions/[email protected]
>         if: github.event.inputs.repoCache != 'disabled'
>         with:
>           path: /tmp/renovate/cache
>           key: renovate
>       - name: Determine current user
>         id: id
>         run: |
>           echo "user=$(id -u)" >> $GITHUB_OUTPUT
>           echo "group=$(id -g)" >> $GITHUB_OUTPUT
>       - name: Generate app token
>         id: renovate-token
>         uses: getsentry/[email protected]
>         with:
>           app_id: ${{ secrets.RENOVATE_APP_ID }}
>           private_key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
>       - uses: renovatebot/[email protected]
>         with:
>           configurationFile: renovate.json5
>           token: "${{ steps.renovate-token.outputs.token }}"
>           docker-user: "${{ steps.id.outputs.user }}:${{ steps.id.outputs.group }}"
>           docker-volumes: /tmp/renovate:/tmp/renovate
>         env:
>           RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}
> ```

this doesn't work if you need nix manager
