Fix: Use init container to populate /github/workflow directories#29
Open
…tion Add a dummy EmptyDir volume mount to the cached-privileged-kubernetes container mode to work around a bug in GitHub's runner-container-hooks that prevents /github/workflow/event.json from being populated.

The bug is in the k8s-novolume hook's prepare-job.ts, where the prepare script (which copies /github/workflow and /github/home content) only gets created and executed if there are userMountVolumes. Without any user volumes, the prepare script is never run, leaving /github/workflow empty and causing Docker Buildx and other actions to fail.

This workaround adds a dummy volume mount at /tmp/dummy-prepare to trigger the conditional logic that creates the prepare script. The prepare script itself handles the case where userMountVolumes exist and performs the necessary GitHub workspace directory copies as a side effect.

Fixes #26
Replace the dummy volume workaround with an explicit init container that copies GitHub workspace directories from /__w/_temp/ to /github/ before the main container starts. This fixes the issue where /github/workflow/event.json doesn't exist in cached-privileged-kubernetes mode, causing actions like Docker Buildx that require GITHUB_EVENT_PATH to fail.

The GitHub Actions runner-container-hooks package has a bug where the prepare script only runs when userMountVolumes are defined. This init container provides a more reliable and explicit solution.

Changes:
- Add prepare-github-workspace init container to hook extension spec
- Remove dummy-prepare-trigger volume mount and volume workaround
- Update all test expected outputs to reflect new init container

Fixes #28
The ARC controller was missing patch permissions for rolebindings and serviceaccounts, causing finalizers to get stuck during runner scale set deletion. This resulted in 'deskrun up' hanging indefinitely.

Changes:
- Add patch permission to rolebindings in controller ClusterRole overlay
- Add create/delete/get/patch permissions to serviceaccounts in overlay
- Update generate-base-templates.sh to include ConfigMap placeholder for privileged mode (required for ytt overlay to work after helm regeneration)
- Update test expected files to reflect new RBAC permissions and ConfigMap ordering
Summary
This PR implements the init container solution described in #28 to fix the issue where /github/workflow/event.json doesn't exist in cached-privileged-kubernetes mode, causing actions like Docker Buildx to fail.

Problem

When using cached-privileged-kubernetes mode, the GitHub Actions runner-container-hooks package has a bug where the prepare script only executes when userMountVolumes are defined. This script is responsible for copying GitHub workspace directories from /__w/_temp/ to /github/, including the critical /github/workflow/event.json file.

Solution

Replace the dummy volume workaround with an explicit prepare-github-workspace init container that:
- /__w and /github volumes
- _github_home and _github_workflow directories

Changes

- Add prepare-github-workspace init container to hook extension spec
- Remove dummy-prepare-trigger volume mount and volume workaround

Benefits
✅ Reliable: Explicit copy operation independent of hook internals
✅ Clear: Obvious intent and easy to debug
✅ Visible: Init container logs show preparation progress
✅ Standard: Uses common Kubernetes init container pattern
Testing
All tests have been updated and pass:
The init container will appear in the hook extension ConfigMap and execute before the main job container starts, ensuring /github/workflow/event.json exists for all actions that require GITHUB_EVENT_PATH.

Related Issues
Fixes #28
Future Work
Once this workaround is verified in production, we should:
- actions/runner-container-hooks
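The copy step the init container performs, written out as an added POSIX shell example. This is not the PR's own init-container command or hook extension spec. It assumes the runner temp layout in which /__w/_temp/_github_workflow maps to /github/workflow (the directory that holds event.json) and /__w/_temp/_github_home maps to /github/home; the directory names come from the Solution section and the second commit message, the exact source-to-target mapping is an assumption. Unlike a bare `cp`, it fails the init container when the source tree or event.json is missing, so the job container never starts with an empty /github and a dangling GITHUB_EVENT_PATH.

```shell
#!/bin/sh
# Added example of the prepare-github-workspace copy; not the PR's own code.
# Assumed layout (hook-style runner temp tree):
#   $SRC/_github_workflow -> $DST/workflow   (contains event.json)
#   $SRC/_github_home     -> $DST/home
set -eu

# Copy the runner-populated directories into the /github tree.
# Returns non-zero if a source directory is missing so the init
# container fails loudly instead of letting the job start half-prepared.
prepare_github_workspace() {
  src="$1"   # e.g. /__w/_temp
  dst="$2"   # e.g. /github
  for pair in _github_workflow:workflow _github_home:home; do
    from="$src/${pair%%:*}"
    to="$dst/${pair##*:}"
    if [ ! -d "$from" ]; then
      echo "prepare-github-workspace: missing source directory $from" >&2
      return 1
    fi
    mkdir -p "$to"
    # "$from/." copies the directory contents into $to rather than
    # nesting $from itself underneath it.
    cp -R "$from/." "$to/"
    echo "prepare-github-workspace: copied $from -> $to"
  done
}

# Verify the file GITHUB_EVENT_PATH will point at exists and is non-empty.
# Run this as the last init-container step; a zero-byte event.json breaks
# actions that parse it just as surely as a missing one.
check_event_path() {
  f="$1/workflow/event.json"
  if [ ! -s "$f" ]; then
    echo "prepare-github-workspace: $f missing or empty" >&2
    return 1
  fi
}

# Stand-alone demo against a constructed temp layout (sample data, not
# a real runner's event payload).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/_temp/_github_workflow" "$tmp/_temp/_github_home"
  printf '{"action":"opened"}\n' > "$tmp/_temp/_github_workflow/event.json"
  prepare_github_workspace "$tmp/_temp" "$tmp/github"
  check_event_path "$tmp/github"
  echo "prepared tree at $tmp/github"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Running the script with `--demo` builds a throwaway source tree, performs the copy and prints the prepared path; in an init container the two functions would be called with the real /__w/_temp and /github mounts, and any non-zero exit keeps the job container from starting.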