5

I am trying to use a shell script as a custom shell in GitHub Actions like this:

- name: Test bash-wrapper
  shell: bash-wrapper {0}
  run: |
    echo Hello world

However, when I try to run it, I get Permission denied.

Background: I have set up a chroot jail, which I use with QEMU user mode emulation in order to build for non-IA64 architectures with toolchains that lack cross-compilation support.

The script is intended to provide a bash shell on the target architecture and looks like this:

#!/bin/bash
sudo chroot --userspec=`whoami`:`whoami` $CROSS_ROOT qemu-arm-static /bin/bash -c "$*"

It resides in /bin/bash-wrapper and is thus on $PATH.

Digging a bit deeper, I found:

  • Running bash-wrapper "echo Hello world" in a GHA step with the default shell works as expected.
  • Running bash-wrapper 'echo Running as $(whoami)' from the default shell correctly reports we are running as user runner.
  • Removing --userspec from the chroot command in bash-wrapper (thus running the command as root) does not make a difference – the custom shell gives the same error.
  • GHA converts each step into a script file and passes it to the shell.
  • File ownership on these files is runner:docker, runner being the user that runs the job by default.
  • Interestingly, the script files generated by GHA are not executable. I suspect that is what is ultimately causing the permission error.
  • Indeed, if I modify bash-wrapper to set the executable bit on the script before running it, everything works as expected.

I imagine non-executable script files would cause all sorts of troubles with various shells, thus I would expect GHA would have a way of dealing with that – in fact I am a bit surprised these on-the-fly scripts are not executable by default.

Is there a less hacky way of fixing this, such as telling GHA to set the executable bit on temporary scripts? (How does GitHub expect this to be solved?)

1 Answer

5

When calling your script try running it like this:

- name: Test bash-wrapper
  shell: bash-wrapper {0}
  run: |
     bash <your_script>.sh

Alternatively, try running this command locally and then commit and push the repository:

git update-index --chmod=+x <your_script>.sh

4 Comments

The script is not something from my repo, but a script created dynamically by GHA, using the commands in run. It resides in some temp dir within ~runner, and the file name is a GUID, potentially with a .sh extension. Your suggestion won’t work for that scenario.
How do you run the script?
The run: section is a list of shell commands. GHA processes them (resolving CI variables and the like) and saves the result to a temporary script file. This file, however, does not have the executable flag set. I have next to no influence over the creation of this file, but I figure there must be a way to tell GHA to create it with the executable bit set, as a bunch of shells would have issues otherwise.
I'm not running a custom shell or anything, but running my script via bash <your_script>.sh instead of ./<your_script>.sh fixed a "permission denied" error for me. In my case, the script was created via auto commit/push as part of the deployment workflow from another repo.
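
The difference discussed in this thread, shown as an added example (not code from the question, the answer or GitHub): a wrapper that hands the step file to `bash -c` makes bash execute the path, which needs the execute bit, while `bash FILE` only reads it. `in_target`, `run_as_command`, `run_step` and `make_step_file` are hypothetical names; `in_target` stands in for the chroot/QEMU prefix and runs locally here, and the step file is a constructed sample.

```shell
#!/bin/bash
# Hypothetical stand-in for the question's chroot/qemu prefix.
# It runs its arguments directly so the demo works on any machine.
in_target() {
    "$@"
}

# Behaviour of the wrapper in the question: the step-file path becomes the
# command string for `bash -c`, so the file itself has to be exec()'d and
# therefore needs the execute bit.
run_as_command() {
    in_target bash -c "$*"
}

# Alternative dispatch: a regular file is passed to bash as a script to read
# (read permission is enough); anything else is still treated as a command
# string, so `bash-wrapper "echo Hello world"` keeps working.
run_step() {
    if [ -f "$1" ]; then
        in_target bash "$@"
    else
        in_target bash -c "$*"
    fi
}

# Constructed sample of a temporary step file: readable, not executable.
make_step_file() {
    step_file=$(mktemp) || return 1
    printf 'echo Hello world\n' > "$step_file"
    chmod 0644 "$step_file"
    printf '%s\n' "$step_file"
}

# Demo: the same file fails one way and works the other.
step=$(make_step_file)
run_as_command "$step"
echo "bash -c PATH -> exit $?"
run_step "$step"
echo "bash PATH    -> exit $?"
rm -f "$step"
```

In the question's setup `in_target` would carry the `sudo chroot` and `qemu-arm-static` prefix, and the `-f` test assumes the step file is visible at the same path inside the chroot.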
