Description
Describe the bug
Release v1.7.1 reproducibly causes an error when run from a GitHub action:
/usr/bin/docker run --name ghcriogithubcontributorsv1_322634 --label afbca3 --workdir /github/workspace --rm -e "START_DATE" -e "END_DATE" -e "GH_TOKEN" -e "REPOSITORY" -e "SPONSOR_INFO" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/Flatcar/Flatcar":"/github/workspace" ghcr.io/github/contributors:v1
Traceback (most recent call last):
File "/action/workspace/contributors.py", line 199, in <module>
main()
~~~~^^
File "/action/workspace/contributors.py", line 76, in main
markdown.write_to_markdown(
~~~~~~~~~~~~~~~~~~~~~~~~~~^
contributors,
^^^^^^^^^^^^^
...<7 lines>...
ghe,
^^^^
)
^
File "/action/workspace/markdown.py", line 72, in write_to_markdown
write_markdown_file(filename, content)
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
File "/action/workspace/markdown.py", line 150, in write_markdown_file
with open(filename, "w", encoding="utf-8") as markdown_file:
~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: 'contributors.md'
This is caused by a change to the container image build (Dockerfile), which now runs the image as an unprivileged user. The change is: a274afd#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557
Since the GitHub action uses --workdir /github/workspace, which in turn is a volume mount of a host directory (-v "/home/runner/work/Flatcar/Flatcar":"/github/workspace"), the container depends on that directory being writable by user appuser (UID 101), which by default it is not. In fact, the host system that runs the action most likely has no knowledge of user ID 101, or (worse) uses it for a different system user account.
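The failure above is a plain UID mismatch between the image's appuser and the owner of the bind-mounted workspace. The following is an added example, not code from the github/contributors action: a pre-flight check that evaluates the same discretionary-access decision the kernel makes (owner, group, other bits, with UID 0 bypassing them) and turns a bare PermissionError into a diagnostic that names the owner, mode and container user, pointing at the --user form suggested under Additional context. The UID/GID 101 for appuser comes from this issue; the temporary directory, the function names and the assumption that only mode bits matter (no ACLs, no SELinux/AppArmor labels, no user-namespace remapping) are mine.

```python
"""Pre-flight writability check for a bind-mounted workspace.

Added example, not part of the github/contributors action. Assumes plain
discretionary mode bits decide the outcome: no POSIX ACLs, no LSM labels,
no user-namespace UID remapping.
"""
import os
import stat
import sys
import tempfile

# Quoted from the issue: the image's Dockerfile runs as appuser (101).
APPUSER_UID = 101
APPUSER_GID = 101


def can_write(st: os.stat_result, uid: int, gid: int) -> bool:
    """Emulate the kernel's discretionary access check for creating a file.

    UID 0 holds CAP_DAC_OVERRIDE in a default container, so mode bits are
    not consulted. Otherwise exactly one class of bits applies: owner,
    then group, then other. Supplementary groups are ignored here.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def diagnose(path: str, uid: int, gid: int) -> dict:
    """Describe whether, and why, uid:gid can create files under path."""
    st = os.stat(path)
    ok = can_write(st, uid, gid)
    info = {
        "path": path,
        "owner": f"{st.st_uid}:{st.st_gid}",
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "container_user": f"{uid}:{gid}",
        "writable": ok,
    }
    if not ok:
        info["hint"] = (
            f"{path} is owned by {info['owner']} with mode {info['mode']}, "
            f"but the container runs as {uid}:{gid}. Run the container with "
            f'--user "$(id -u):$(id -g)" so it matches the directory owner, '
            f"or make the mount writable for that UID."
        )
    return info


def preflight(workspace: str, uid: int, gid: int) -> None:
    """Abort early with an actionable message instead of a traceback."""
    info = diagnose(workspace, uid, gid)
    if not info["writable"]:
        sys.exit(f"refusing to continue: {info['hint']}")


def demo(mode: int = 0o755) -> dict:
    """Constructed scenario: a host-owned directory, checked as two users.

    Mimics the /github/workspace mount: a directory owned by the current
    user with the given mode, checked both as that user and as appuser.
    """
    with tempfile.TemporaryDirectory() as workspace:
        os.chmod(workspace, mode)
        return {
            "host_user": diagnose(workspace, os.getuid(), os.getgid()),
            "appuser": diagnose(workspace, APPUSER_UID, APPUSER_GID),
        }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

Calling preflight("/github/workspace", os.getuid(), os.getgid()) at the top of the action's main() would report the mismatch before any GitHub API calls are made; demo() shows the default 0755 mount failing for 101:101 and, with demo(0o777), the same directory passing.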
To Reproduce
The simplest way to reproduce this issue is to mimic (in part) the way GitHub runs the container in an action, providing the local directory as a volume mount at /github/workspace and using a custom entry point that simply tries to create a file:
docker run -ti --rm \
--entrypoint /bin/sh \
--workdir /github/workspace \
-v "$(pwd)":/github/workspace ghcr.io/github/contributors:v1.7.1 \
-c "touch test.txt"
touch: cannot touch 'test.txt': Permission denied
Expected behavior
The action completes without issues as contributors.md can be written by the container.
Screenshots
No response
Additional context
Creating and using a dedicated user inside a Docker image is implicitly unsafe, because it bakes assumptions about the host system that runs the container into the image. A better way to run the action unprivileged is to specify the container user on the docker command line, using the current user's ID and group ID (--user "$(id -u):$(id -g)"):
docker run -ti --rm \
--user "$(id -u):$(id -g)" \
--entrypoint /bin/sh \
--workdir /github/workspace \
-v "$(pwd)":/github/workspace \
ghcr.io/github/contributors:v1.7.1 \
-c "touch test.txt"
ls -la test.txt
-rw-r--r-- 1 t-lo t-lo 0 Sep 25 14:09 test.txt
This however implies modifying the way GitHub runs the action (i.e. modifying the command line used to start the action's container image); not sure whether this is viable.