feat: check if required binaries are present (#272)

* feat: check if required binaries are present Previously the necessary binaries were copied over using the runner container. This lead to issues in case your main container was using the musl libc implementation. Instead of copying over any binaries, the initContainer now checks if the required binaries are present in the main container. * feat: get rid of the init container * fix: add _runner_file_commands * fix: do not fail if _runner_file_commands does not exist It seems that for container actions this directory does not exist.
2025-12-13 08:06:44 +00:00 · 2025-11-10 15:01:40 +01:00
parent 2934de33f8
commit ad9cb43c31
4 changed files with 4 additions and 30 deletions
--- a/packages/k8s/README.md
+++ b/packages/k8s/README.md
@@ -41,3 +41,4 @@ rules:
 - Container actions will not have access to the services network or job container network
 - Docker [create options](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions) are not supported
 - Container actions will have to specify the entrypoint, since the default entrypoint will be overridden to run the commands from the workflow.
+- Container actions need to have the following binaries in their container image: `sh`, `env`, `tail`.
--- a/packages/k8s/src/hooks/run-container-step.ts
+++ b/packages/k8s/src/hooks/run-container-step.ts
@@ -104,7 +104,7 @@ export async function runContainerStep(
    try {
      core.debug(`Executing container step script in pod ${podName}`)
      return await execPodStep(
-        ['/__e/sh', '-e', containerPath],
+        ['sh', '-e', containerPath],
        pod.metadata.name,
        JOB_CONTAINER_NAME
      )
@@ -133,7 +133,7 @@ function createContainerSpec(
  podContainer.name = JOB_CONTAINER_NAME
  podContainer.image = container.image
  podContainer.workingDir = '/__w'
-  podContainer.command = ['/__e/tail']
+  podContainer.command = ['tail']
  podContainer.args = DEFAULT_CONTAINER_ENTRY_POINT_ARGS

  podContainer.volumeMounts = CONTAINER_VOLUMES
--- a/packages/k8s/src/k8s/index.ts
+++ b/packages/k8s/src/k8s/index.ts
@@ -169,33 +169,6 @@ export async function createContainerStepPod(

  appPod.spec = new k8s.V1PodSpec()
  appPod.spec.containers = [container]
-  appPod.spec.initContainers = [
-    {
-      name: 'fs-init',
-      image:
-        process.env.ACTIONS_RUNNER_IMAGE ||
-        'ghcr.io/actions/actions-runner:latest',
-      command: [
-        'bash',
-        '-c',
-        `sudo cp $(which sh) /mnt/externals/sh \
-        && sudo cp $(which tail) /mnt/externals/tail \
-        && sudo cp $(which env) /mnt/externals/env \
-        && sudo chmod -R 777 /mnt/externals`
-      ],
-      securityContext: {
-        runAsGroup: 1001,
-        runAsUser: 1001,
-        privileged: true
-      },
-      volumeMounts: [
-        {
-          name: EXTERNALS_VOLUME_NAME,
-          mountPath: '/mnt/externals'
-        }
-      ]
-    }
-  ]

  appPod.spec.restartPolicy = 'Never'

--- a/packages/k8s/src/k8s/utils.ts
+++ b/packages/k8s/src/k8s/utils.ts
@@ -102,7 +102,7 @@ export function writeContainerStepScript(
 rm "$0" # remove script after running
 mv /__w/_temp/_github_home /github/home && \
 mv /__w/_temp/_github_workflow /github/workflow && \
-mv /__w/_temp/_runner_file_commands /github/file_commands && \
+mv /__w/_temp/_runner_file_commands /github/file_commands || true && \
 mv /__w/${parts.join('/')}/ /github/workspace && \
 cd /github/workspace && \
 exec ${environmentPrefix} ${entryPoint} ${