Unable to use actions/cache with Renovate: EACCESS

[jamietanna]

When using GitHub Actions' caching functionality, Renovate ends up hitting an EACCESS when trying to write to the restored cache keys.

A failing job with workflow definition reports the following error on subsequent runs:

 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "BxuFXuCsh1JmPxe_hfhG1",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
         }
       ]

It appears that:

/usr/bin/docker run --env RENOVATE_TOKEN=x-access-token:*** --env RENOVATE_CONFIG_FILE=/github-action/config.js --volume /home/runner/work/actions-testing/actions-testing/config.js:/github-action/config.js --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --user 1000:121 --rm renovate/renovate:34.2.0-slim

May be at fault, as running id -u outside of the Renovate runner shows:

uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal)

Whereas we're trying to use the uid 1000, which doesn't match, and is therefore denied from reading the files:

# this is from a different run, so not visible on the above link
/tmp/renovate-baseDir:
total 12
drwxr-xr-x  3 runner docker 4096 Nov  2 16:40 .

[jamietanna]

It looks like

github-action/src/renovate.ts

Line 20 in d7c9fe4

const renovateDockerUser = '1000';

is the line we'd want to change

[Akaame]

@jamietanna were you able to work past this?

[GSala]

@Akaame we are working around that like this:

- run: sudo chown -R 1000 /tmp/renovate
- // Run renovate
- run: sudo chown -R $(whoami) /tmp/renovate

[jamietanna]

Due to the size of our organisation, the recommendation from the Renovate team was to use Mend Renovate On-Prem (which is free!) and much less costly for our usages, and has its own means to do caching

[Akaame]

@GSala thanks this is what we also ended up doing.

[viceice]

v35 will use current host user id and use binarySource=install

[viceice]

Need to revert the default user change because of

• Nix lockFileMaintenance is broken #713
• poetry No user exists for uid 1001 #736

[mering]

One can now specify the docker user. When setting this to the runner user, it seems to work fine.

As I couldn't find a predefined variable/context for the current runner user/group, I added a step to determine this via id command.

I am using the following snippet:

      - uses: actions/[email protected]
      - uses: actions/[email protected]
        if: github.event.inputs.repoCache != 'disabled'
        with:
          path: /tmp/renovate/cache
          key: renovate
      - name: Determine current user
        id: id
        run: |
          echo "user=$(id -u)" >> $GITHUB_OUTPUT
          echo "group=$(id -g)" >> $GITHUB_OUTPUT
      - name: Generate app token
        id: renovate-token
        uses: getsentry/[email protected]
        with:
          app_id: ${{ secrets.RENOVATE_APP_ID }}
          private_key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
      - uses: renovatebot/[email protected]
        with:
          configurationFile: renovate.json5
          token: "${{ steps.renovate-token.outputs.token }}"
          docker-user: "${{ steps.id.outputs.user }}:${{ steps.id.outputs.group }}"
          docker-volumes: /tmp/renovate/cache:/tmp/renovate/cache
        env:
          RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}