fix: ensure chmod runs even when chown fails in rootless permission repair#5766
Conversation
…epair In rootless Docker, chown to the host user's UID fails because of user namespace UID remapping — the target UID inside the container maps to a subordinate UID on the host, not to the actual host UID. Because the command used &&, the subsequent chmod (which would actually fix the problem by making files world-readable) never executed. Change && to ; so chmod -R a+rwX always runs regardless of whether chown succeeds. Suppress chown stderr to avoid noisy warnings since the failure is expected in rootless mode. Observed in: github/gh-aw/actions/runs/28487107941 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR fixes rootless Docker artifact permission repair by ensuring chmod still runs even when chown fails due to UID/GID remapping behavior in user namespaces. This improves cleanup reliability (e.g., deleting the chroot home directory) and avoids leaving behind unreadable/unremovable artifact directories.
Changes:
- Replace
chown ... && chmod ...withchown ...; chmod ...sochmodalways executes. - Suppress
chownstderr (2>/dev/null) to avoid expected noise in rootless scenarios.
Show a summary per file
| File | Description |
|---|---|
src/artifact-permissions.ts |
Ensures permission repair runs chmod even when chown fails in rootless mode, improving artifact cleanup reliability. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 0
- Review effort level: Low
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
🔌 Smoke Services — All services reachable! ✅ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
✅ Smoke Claude passed |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
✅ Build Test Suite completed successfully! |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
🚀 Security Guard has started processing this pull request |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
✅ Contribution Check completed successfully! Contribution guidelines review complete for PR #5766. No important guideline issues found in the provided PR metadata, diff, and CONTRIBUTING.md context; no comment needed. |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
Smoke Test: Claude Engine Validation
Overall result: PASS
|
🔐 Smoke Test: Copilot PAT Auth — PASS
PR: fix: ensure chmod runs even when chown fails in rootless permission repair
|
Smoke Test Results
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
|
Smoke test: PASS
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
|
✅ Smoke Test Results (Direct BYOK Mode)
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) → api-proxy → api.githubcopilot.com
|
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra Overall: PASS
|
Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.
|
🔍 Smoke Test: API Proxy OpenTelemetry Tracing
All 5 scenarios passed. OTEL tracing integration is working correctly.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Smoke Test: Services Connectivity
Overall: FAIL
|
|
fix: ensure chmod runs even when chown fails in rootless permission repair — ✅
|
🔥 Smoke Test Results — PASS
PR: fix: ensure chmod runs even when chown fails in rootless permission repair Overall: PASS
|
Problem
In rootless Docker, the
fixArtifactPermissionsForRootless()function fails to repair file permissions becausechownfails due to user namespace UID remapping, and the&&operator prevents the subsequentchmodfrom running.Root cause: In rootless Docker, UID 1001 inside the container maps to a subordinate UID on the host (not the actual host UID 1001). So
chown -R "$TUID:$TGID" /fixeither fails outright or produces the wrong ownership. Because the command was joined with&&, thechmod -R a+rwX /fix(which would actually solve the problem) never executed.This results in:
Fix
Change
&&to;sochmod -R a+rwXalways runs regardless of whetherchownsucceeds. Also suppresschownstderr since the failure is expected in rootless mode.The
chownstill runs first (works in rootful Docker), butchmodalways follows as a fallback (sufficient for rootless since world-readable permissions allow the host user to access files regardless of ownership).Observed in
https://github.com/github/gh-aw/actions/runs/28487107941/job/84435983514#step:35:1