pulling remote actions with +x scripts fails with Permission denied on Windows

[oliverrahner]

Bug report info

act version:            0.2.71
GOOS:                   windows
GOARCH:                 amd64
NumCPU:                 24
Docker host:            DOCKER_HOST environment variable is not set
Sockets found:
        \\.\pipe\docker_engine(broken)
Config files:
        C:\Users\Oliver\AppData\Local\act\actrc:
                -P ubuntu-latest=catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
        Go version:            go1.23.4
        Module path:           github.com/nektos/act
        Main version:          (devel)
        Main path:             github.com/nektos/act
        Main checksum:
        Build settings:
                -buildmode:           exe
                -compiler:            gc
                -ldflags:             -s -w -X main.version=0.2.71 -X main.commit=0006dee285413b6f2a432f65a0947e5b1d8be2f7 -X main.date=2025-01-01T02:31:04Z -X main.builtBy=goreleaser
                CGO_ENABLED:          0
                GOARCH:               amd64
                GOOS:                 windows
                GOAMD64:              v1
                vcs:                  git
                vcs.revision:         0006dee285413b6f2a432f65a0947e5b1d8be2f7
                vcs.time:             2025-01-01T02:30:43Z
                vcs.modified:         false
Docker Engine:
        Engine version:        27.1.1
        Engine runtime:        runc
        Cgroup version:        1
        Cgroup driver:         cgroupfs
        Storage driver:        overlay2
        Registry URI:          https://index.docker.io/v1/
        OS:                    Docker Desktop
        OS type:               linux
        OS version:
        OS arch:               x86_64
        OS kernel:             5.15.167.4-microsoft-standard-WSL2
        OS CPU:                24
        OS memory:             31665 MB
        Security options:
                name=seccomp,profile=unconfined

Command used with act

act -v

Describe issue

My workflow uses the custom action rlespinasse/github-slug-action@v5.

When running the step, this happens:

[Build and Push Docker Image/build] [DEBUG] Writing entry to tarball workflow/2-composite-prefligth.sh len:34
[Build and Push Docker Image/build] [DEBUG] Extracting content to '/var/run/act'
[Build and Push Docker Image/build]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2-composite-prefligth.sh] user= workdir=
[Build and Push Docker Image/build] [DEBUG] Exec command '[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2-composite-prefligth.sh]'
[Build and Push Docker Image/build] [DEBUG] Working directory '/mnt/d/Coding/projectname'
| /var/run/act/workflow/2-composite-prefligth.sh: line 2: /var/run/act/actions/rlespinasse-github-slug-action@v5/preflight.sh: Permission denied
[Build and Push Docker Image/build]   ❌  Failure - Main $GITHUB_ACTION_PATH/preflight.sh
[Build and Push Docker Image/build] exitcode '126': failure

During troubleshooting, I recognized that, immediately after cloneing the action's repository, git diff from inside ~/.cache/act/rlespinasse-github-slug-action@v5 shows the following:

~/.cache/act/rlespinasse-github-slug-action@v5 $ git diff
diff --git a/preflight.sh b/preflight.sh
old mode 100755
new mode 100644

When following the trail, I found that this go-git issue describes what's going on, so it really seems to be an upstream issue.

The workflow below is the MRE, thus doesn't do anything useful.

Link to GitHub repository

private

Workflow content

name: Build and Push Docker Image

on:
  push:

jobs:
  build:
    runs-on: [ubuntu-latest]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Slugify Github Variables
        uses: rlespinasse/github-slug-action@v5

Relevant log output

# -v doesn't provide useful output

[Build and Push Docker Image/build] ⭐ Run Main $GITHUB_ACTION_PATH/preflight.sh
[Build and Push Docker Image/build]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1-composite-prefligth.sh] user= workdir=
| /var/run/act/workflow/1-composite-prefligth.sh: line 2: /var/run/act/actions/rlespinasse-github-slug-action@v5/preflight.sh: Permission denied
[Build and Push Docker Image/build]   ❌  Failure - Main $GITHUB_ACTION_PATH/preflight.sh
[Build and Push Docker Image/build] exitcode '126': failure
[Build and Push Docker Image/build]   ❌  Failure - Main Slugify Github Variables
[Build and Push Docker Image/build] exitcode '126': failure

Additional information

No response

[Redrox477]

Now experiencing the same error , using reviewdog/action-eslint@v1 getting
[reviewdog/runner / eslint] [DEBUG] Working directory '/mnt/c/Projects/Github_test/Git_Actions_test' | /var/run/act/workflow/3-composite-0.sh: line 2: /var/run/act/actions/reviewdog-action-eslint@v1/script.sh: Permission denied [reviewdog/runner / eslint] ❌ Failure - Main $GITHUB_ACTION_PATH/script.sh [reviewdog/runner / eslint] exitcode '126': failure

[mitkonikov]

I'm getting the same error, when using xu-cheng-texlive-action@v2, getting:

[Build LaTeX book/build_latex]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1-composite-0.sh] user= workdir=
| /var/run/act/workflow/1-composite-0.sh: line 2: /var/run/act/actions/xu-cheng-texlive-action@v2/action.sh: Permission denied
[Build LaTeX book/build_latex]   ❌  Failure - Main "${GITHUB_ACTION_PATH}/action.sh"
[Build LaTeX book/build_latex] exitcode '126': failure
[Build LaTeX book/build_latex]   ❌  Failure - Main xu-cheng/texlive-action@v2
[Build LaTeX book/build_latex] exitcode '126': failure

[drakonkat]

Same issue here

[Redrox477]

So, I inspected the files while the docker container is built when running act cmd, the script.sh file did not have a execute permission -rw-rw-rw-. I manually set the permission using chmod +x but when running act cmd again, the container is rebuilt and permission to execute file is revoked to just read, write

[mitkonikov]

One way I found that I could temporarily fix the issue is to modify the action repo when executing the script to execute it with bash script.sh. But this requires manually cloning the action repo locally, updating it and changing the yml path to the local action repo instead (but this complicates the job and is only a temporary solution, since there's no way to flip between local and remote action repos).

[ChristopherHX]

iff you are not using docker actions, you could enable --use-new-action-cache to have the +x bit preserved.

Yes the workdir on windows, has not the ability to preserve the executable bit

[oliverrahner]

Yes the workdir on windows, has not the ability to preserve the executable bit

This is not an inherent issue with Git on Windows! When running git clone manually, followed by git diff, there is no difference, as opposed to the thing we see here.

Refer to the upstream issue I linked above for detials

[ChristopherHX]

I want to provide you some insights, this issue is not related to any bug of go-git or git for windows

Just make the step act does yourself on windows

• git clone with go-git or not
• git checkout
• tar folder of checkout without using git / go-git api
• tar has no +x bit, on windows systems.
  How would the tar command know if the file has been executable? It can only do this on unix like systems / by using extended undocumented ntfs metadata (wsl1 has a way)

What I have done outside of act was, ask git for windows for the unix mask and merge it with the data of your disk. I no longer remember what I did in act for the workdir.

This is a design issue of the action-cache

Now using cli feature toggle --use-new-action-cache the whole thing changes

• git init
• git fetch
• go-git worktree is now tared in memory
  • no filesystem involved, no OS specific differences
  • unix permission mask copied out of the git
  • no checkout
  • +x is available after unpacking in the linux filesyste

When running git clone manually, followed by git diff, there is no difference, as opposed to the thing we see here.

As far I know, git ignores the +x bit between git worktree and filesystem on windows. You never want to commit a executable bit removal from windows without using git commands.

[mitkonikov]

Is there a way to inject a custom command when executing a docker cmd script? Is there a planned resolution for the issue?

[ChristopherHX]

Is there a way to inject a custom command when executing a docker cmd script?

No, you need to add it to your yaml and add an if: env.ACT to skip it outside of act.

Is there a planned resolution for the issue?

I had a plan last year between 30. October 2024 - 20. December (yes this predates this issue) see #2509.
But due to lack of public code reviews over a period of 2 Months, I stopped this plan and we still have this problem. Similar reason why I didn't comment of this repost of a well known defect earlier.

EDIT fixed year to 2024

[mitkonikov]

If you need help in code reviews or testing features, you can sure tag me. Sometimes, I want to relax reading code and issues. 😉

[ChristopherHX]

Update starting with upcoming act v0.2.75

Just add --use-new-action-cache as a line in your .actrc file, the fix for the docker actions has been merged and known issues are resolved.