
In our project, we’re using the super-linter to lint our code. The problem is that it’s based on a docker container that runs as root. Files written to the mounted volumes are written as root, and based on that we have trouble with e.g. cached files etc. I would love to run the action as the non-root user on my self-hosted runner, but do not know how to do that or if it’s even possible. In the GitHub Actions Docs, I’ve found how to add arguments, but it seems I can’t use that to pass a --user <myUser> to the docker run command. I can’t use a USER <myUser> inside the dockerfile either since I’m taking the existing action and can’t change the dockerfile.

Any idea how to run an existing GitHub Action as a non-root user?

2 Answers


  1. Chosen as BEST ANSWER

    I add this answer to provide more details on the 3rd option @Rob Bos mentioned above.

    I've added the following script to my self-hosted runner:

    cat /localdisk/github-action-scripts/cleanup.sh
    #!/bin/sh
    # Runs after every job (see ACTIONS_RUNNER_HOOK_JOB_COMPLETED below) and
    # hands the runner's _work directory back to the runner user.
    # $(id -u):$(id -g) is expanded on the host, i.e. as the runner user,
    # so the root process inside the container chowns to that uid:gid.
    docker run --rm -i \
            -v "$GITHUB_WORKSPACE/../../:/workspace" \
            busybox:latest \
            /bin/sh -c "chown -R $(id -u):$(id -g) /workspace"
    

    then added the file .env:

    cat /localdisk/action-runner/.env
    ACTIONS_RUNNER_HOOK_JOB_COMPLETED=/localdisk/github-action-scripts/cleanup.sh
    

    followed by a

    sudo systemctl restart actions.runner.*
    

    and it works:

    [screenshot omitted]


  2. This is a common issue when using containers on long-lived self-hosted runners, as well as a big reason not to use these runners, but switch to ephemeral runners (with other security concerns for long-lived runners).

    But for this issue: you can use the container configuration for a self-hosted runner to have a custom cleanup step.

    The cleanup step still does run in the context of the runner’s service account, but you can add elevation inside of the script if needed.

    Another option is to include a sidecar container in the cleanup step and then run your custom container that cleans up. This container can be your own, and can run with ‘root’ access.

    An extra option could be to use this action from the marketplace as an extra step in the workflow, as it will run inside of a container and clean up. But this means the end-user has to include this in their workflow file. This docker image could also be used as the sidecar container in the cleanup step.

    The easiest option is adding the config for ACTIONS_RUNNER_HOOK_JOB_COMPLETED and executing the cleanup commands (from a Docker container with root user).

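Both answers describe the same mechanism: a job-completed hook that runs as the runner's service account and borrows root only from a throw-away container to hand the work directory back to the runner user. The script below is an added example of that hook, not the script from either answer. It adds the check a defender would want before enabling a recursive chown on a long-lived runner: it derives the _work directory from GITHUB_WORKSPACE and refuses to do anything when the variable is unset or does not look like <runner-root>/_work/<repo>/<repo>, so the chown can never land on "/" or on the hook's own working directory. CLEANUP_IMAGE, DRY_RUN and the function names are this example's own inventions; the busybox image, the ACTIONS_RUNNER_HOOK_JOB_COMPLETED variable and the .env file come from the answers.

```shell
#!/bin/sh
# Added example, not the script from either answer: a job-completed hook that
# hands root-owned files under the runner's _work directory back to the runner
# user. Assumes GitHub's self-hosted layout <runner-root>/_work/<repo>/<repo>
# for GITHUB_WORKSPACE and a docker CLI usable by the runner service account.
# CLEANUP_IMAGE and DRY_RUN are this example's own (hypothetical) switches.

CLEANUP_IMAGE="${CLEANUP_IMAGE:-busybox:latest}"

# Map a GITHUB_WORKSPACE path to the runner's _work directory.
# Anything that does not match <root>/_work/<x>/<y> is rejected, so an unset
# or odd value can never turn into "chown -R" over "/" or the hook's cwd.
work_dir_from_workspace() {
  ws="${1%/}"
  case "$ws" in
    /*/_work/*/*) ;;
    *) return 1 ;;
  esac
  dir="${ws%/*}"              # drop the last component
  dir="${dir%/*}"             # drop the next one -> .../_work
  [ "${dir##*/}" = "_work" ] || return 1
  printf '%s\n' "$dir"
}

# The command that does the work, rendered as text so it can be reviewed
# before the hook is enabled (DRY_RUN=1).
chown_command() {
  printf 'docker run --rm -v %s:/workspace %s chown -R %s:%s /workspace\n' \
    "$1" "$CLEANUP_IMAGE" "$2" "$3"
}

# Entry point for ACTIONS_RUNNER_HOOK_JOB_COMPLETED. Runs as the runner
# service account; root is only used inside the throw-away container.
cleanup_after_job() {
  dir=$(work_dir_from_workspace "${GITHUB_WORKSPACE:-}") || {
    echo "cleanup: GITHUB_WORKSPACE='${GITHUB_WORKSPACE:-}' is not <root>/_work/<repo>/<repo>, nothing done" >&2
    return 1
  }
  uid=$(id -u)
  gid=$(id -g)
  if [ "${DRY_RUN:-0}" = 1 ]; then
    chown_command "$dir" "$uid" "$gid"
    return 0
  fi
  docker run --rm -v "$dir:/workspace" "$CLEANUP_IMAGE" \
    chown -R "$uid:$gid" /workspace
}

# When the runner invokes this file as the hook, GITHUB_WORKSPACE is set.
if [ -n "${GITHUB_WORKSPACE:-}" ]; then
  cleanup_after_job
fi
```

Save it where the runner's service account can execute it, point ACTIONS_RUNNER_HOOK_JOB_COMPLETED at it in the runner's .env as the accepted answer shows, and restart the runner service. `DRY_RUN=1 GITHUB_WORKSPACE=/localdisk/action-runner/_work/myrepo/myrepo sh cleanup.sh` prints the docker command instead of running it, which is a cheap way to confirm the path derivation before the first real job. The hook does not stop the action's container from writing as root; it only repairs ownership afterwards, which is the trade-off the second answer makes explicit.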