Skip to content

Use appropriate user in CI to avoid permissions errors on later runs #4545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 20 commits into
base: release
Choose a base branch
from
Open

Use appropriate user in CI to avoid permissions errors on later runs #4545

wants to merge 20 commits into from
+114 −43

Conversation

connorjward
Copy link
Contributor

@connorjward connorjward commented Sep 5, 2025
edited
Loading

This should fix the permissions issues that we saw building Docker images on CI.

The issue was that the regular CI runs are run in a Docker container as the root user and this means that if a job is cancelled then a bunch of files are left behind that are owned by root. If we subsequently build a Docker image on the same runner we would crash because that workflow is run as an unprivileged user.

I tried to make the regular CI runs use an unprivileged user but I don't think that it is possible. Instead the solution I've found here is to build the Docker images inside another container, and hence as root.

@connorjward connorjward marked this pull request as draft September 5, 2025 11:06
@connorjward
Copy link
Contributor Author

@JHopeCollins don't bother reviewing. Needs more thought.

connorjward
connorjward commented Sep 5, 2025
View reviewed changes
.github/workflows/pr.yml
Comment on lines +16 to +25

# UNDO ME
docker:
name: Build developer Docker containers
uses: ./.github/workflows/docker.yml
with:
tag: connorjwardtest-dev-${{ github.base_ref }}
branch: ${{ github.base_ref }}
build_dev: true
secrets: inherit
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# UNDO ME
docker:
name: Build developer Docker containers
uses: ./.github/workflows/docker.yml
with:
tag: connorjwardtest-dev-${{ github.base_ref }}
branch: ${{ github.base_ref }}
build_dev: true
secrets: inherit

@connorjward connorjward marked this pull request as ready for review September 5, 2025 16:59
connorjward
connorjward commented Sep 24, 2025
View reviewed changes
@connorjward
Copy link
Contributor Author

@JHopeCollins I think that this is ready to go now. If you have time please give this a review. The changes look daunting but the core change is we now build the Linux containers inside an ubuntu:latest container instead of directly on the runner.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dham dham dham approved these changes

@JHopeCollins JHopeCollins Awaiting requested review from JHopeCollins

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@connorjward @dham