Update package-lock.json after dependency updates

Co-authored-by: nikola-jokic <97525037+nikola-jokic@users.noreply.github.com>

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+
+updates:
+  # Group updates into a single PR per workspace package
+  - package-ecosystem: npm
+    directory: "/packages/docker"
+    schedule:
+      interval: weekly
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"
+  - package-ecosystem: npm
+    directory: "/packages/hooklib"
+    schedule:
+      interval: weekly
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"
+  - package-ecosystem: npm
+    directory: "/packages/k8s"
+    schedule:
+      interval: weekly
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"

package-lock.json

@@ -3165,9 +3165,9 @@
       "license": "MIT"
     },
     "node_modules/js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
       "license": "MIT",
       "dependencies": {
         "argparse": "^2.0.1"

package.json

@@ -12,6 +12,7 @@
     "format": "prettier --write '**/*.ts'",
     "format-check": "prettier --check '**/*.ts'",
     "lint": "eslint packages/**/*.ts",
+    "lint:fix": "eslint packages/**/*.ts --fix",
     "build-all": "npm run build --prefix packages/hooklib && npm run build --prefix packages/k8s && npm run build --prefix packages/docker"
   },
   "repository": {

packages/docker/package.json

@@ -14,20 +14,20 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.11.1",
-    "@actions/exec": "^1.1.1",
+    "@actions/exec": "^2.0.0",
     "hooklib": "file:../hooklib",
     "shlex": "^3.0.0",
-    "uuid": "^11.1.0"
+    "uuid": "^13.0.0"
   },
   "devDependencies": {
-    "@babel/core": "^7.25.2",
-    "@babel/preset-env": "^7.25.4",
+    "@babel/core": "^7.28.5",
+    "@babel/preset-env": "^7.28.5",
     "@types/jest": "^30.0.0",
     "@types/node": "^24.0.14",
-    "@typescript-eslint/parser": "^8.37.0",
+    "@typescript-eslint/parser": "^8.49.0",
     "@vercel/ncc": "^0.38.3",
     "jest": "^30.0.4",
-    "ts-jest": "^29.4.0",
+    "ts-jest": "^29.4.6",
     "ts-node": "^10.9.2",
     "tsconfig-paths": "^4.2.0",
     "typescript": "^5.8.3"

packages/hooklib/package-lock.json

@@ -433,7 +433,6 @@
       "integrity": "sha512-TGf22kon8KW+DeKaUmOibKWktRY8b2NSAZNdtWh798COm1NWx8+xJ6iFBtk3IvLdv6+LGLJLRlyhrhEDZWargQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.45.0",
         "@typescript-eslint/types": "8.45.0",
@@ -663,7 +662,6 @@
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -967,7 +965,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.8.9",
         "caniuse-lite": "^1.0.30001746",
@@ -1464,7 +1461,6 @@
       "integrity": "sha512-hB4FIzXovouYzwzECDcUkJ4OcfOEkXTv2zRY6B9bkwjx/cprAq0uvm1nl7zvQ0/TsUk0zQiN4uPfJpB9m+rPMQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -1526,7 +1522,6 @@
       "integrity": "sha512-82GZUjRS0p/jganf6q1rEO25VSoHH0hKPCTrgillPjdI/3bgBhAE1QzHrHTizjpRvy6pGAvKjDJtk2pF9NDq8w==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -2808,9 +2803,9 @@
       "license": "ISC"
     },
     "node_modules/js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3294,7 +3289,6 @@
       "integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -3984,7 +3978,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"

packages/k8s/README.md

@@ -1,15 +1,11 @@
 # K8s Hooks
 
 ## Description
-
 This implementation provides a way to dynamically spin up jobs to run container workflows, rather then relying on the default docker implementation. It is meant to be used when the runner itself is running in k8s, for example when using the [Actions Runner Controller](https://github.com/actions-runner-controller/actions-runner-controller)
 
-## Pre-requisites
-
+## Pre-requisites 
 Some things are expected to be set when using these hooks
-
 - The runner itself should be running in a pod, with a service account with the following permissions
-
 ```
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -30,23 +26,19 @@ rules:
   resources: ["secrets"]
   verbs: ["get", "list", "create", "delete"]
 ```
-
 - The `ACTIONS_RUNNER_POD_NAME` env should be set to the name of the pod
 - The `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` env should be set to true to prevent the runner from running any jobs outside of a container
 - The runner pod should map a persistent volume claim into the `_work` directory
-  - The `ACTIONS_RUNNER_CLAIM_NAME` env should be set to the persistent volume claim that contains the runner's working directory, otherwise it defaults to `${ACTIONS_RUNNER_POD_NAME}-work`
+    - The `ACTIONS_RUNNER_CLAIM_NAME` env should be set to the persistent volume claim that contains the runner's working directory, otherwise it defaults to `${ACTIONS_RUNNER_POD_NAME}-work`
 - Some actions runner env's are expected to be set. These are set automatically by the runner.
-  - `RUNNER_WORKSPACE` is expected to be set to the workspace of the runner
-  - `GITHUB_WORKSPACE` is expected to be set to the workspace of the job
+    - `RUNNER_WORKSPACE` is expected to be set to the workspace of the runner
+    - `GITHUB_WORKSPACE` is expected to be set to the workspace of the job
+
 
 ## Limitations
-
 - A [job containers](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) will be required for all jobs
 - Building container actions from a dockerfile is not supported at this time
 - Container actions will not have access to the services network or job container network
 - Docker [create options](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions) are not supported
 - Container actions will have to specify the entrypoint, since the default entrypoint will be overridden to run the commands from the workflow.
-- The job container is expected to have the following tools:
-  - `sh`
-  - `tar`
-  - `tail` - to download/upload the workspace
+- Container actions need to have the following binaries in their container image: `sh`, `env`, `tail`.

packages/k8s/package-lock.json

@@ -112,7 +112,6 @@
       "integrity": "sha512-2BCOP7TN8M+gVDj7/ht3hsaO/B/n5oDbiAyyvnRlNOs+u1o+JWNYTQrmpuNp1/Wq2gcFrI01JAW+paEKDMx/CA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.27.1",
         "@babel/generator": "^7.28.3",
@@ -3273,7 +3272,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.8.9",
         "caniuse-lite": "^1.0.30001746",
@@ -4073,9 +4071,9 @@
       }
     },
     "node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
+      "version": "10.5.0",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
+      "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -4459,7 +4457,6 @@
       "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@jest/core": "30.2.0",
         "@jest/types": "30.2.0",
@@ -5093,7 +5090,6 @@
       "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.4.0.tgz",
       "integrity": "sha512-B7qPcEVE3NVkmSJbaYxvv4cHkVW7DQsZz13pUMrfS8z8Q/BuShN+gcTXrUlPiGqM2/t/EEaI030bpxMqY8gMlw==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">= 10.16.0"
       }
@@ -6474,7 +6470,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -6822,7 +6817,6 @@
       "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz",
       "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=10.0.0"
       },

packages/k8s/src/hooks/run-script-step.ts

@@ -6,6 +6,7 @@ import { execCpFromPod, execCpToPod, execPodStep } from '../k8s'
 import { writeRunScript, sleep, listDirAllCommand } from '../k8s/utils'
 import { JOB_CONTAINER_NAME } from './constants'
 import { dirname } from 'path'
+import * as shlex from 'shlex'
 
 export async function runScriptStep(
   args: RunScriptStepArgs,
@@ -22,9 +23,52 @@ export async function runScriptStep(
   )
 
   const workdir = dirname(process.env.RUNNER_WORKSPACE as string)
-  const containerTemp = '/__w/_temp'
   const runnerTemp = `${workdir}/_temp`
-  await execCpToPod(state.jobPod, runnerTemp, containerTemp)
+  const containerTemp = '/__w/_temp'
+  const containerTempSrc = '/__w/_temp_pre'
+  // Ensure base and staging dirs exist before copying
+  await execPodStep(
+    [
+      'sh',
+      '-c',
+      'mkdir -p /__w && mkdir -p /__w/_temp && mkdir -p /__w/_temp_pre'
+    ],
+    state.jobPod,
+    JOB_CONTAINER_NAME
+  )
+  await execCpToPod(state.jobPod, runnerTemp, containerTempSrc)
+
+  // Copy GitHub directories from temp to /github
+  // Merge strategy:
+  // - Overwrite files in _runner_file_commands
+  // - Append files not already present elsewhere
+  const mergeCommands = [
+    'set -e',
+    'mkdir -p /__w/_temp /__w/_temp_pre',
+    'SRC=/__w/_temp_pre',
+    'DST=/__w/_temp',
+    // Overwrite _runner_file_commands
+    `find "$SRC" -type f ! -path "*/_runner_file_commands/*" -exec sh -c '
+    rel="\${1#$2/}"
+    target="$3/$rel"
+    mkdir -p "$(dirname "$target")"
+    cp -a "$1" "$target"
+  ' _ {} "$SRC" "$DST" \\;`,
+    // Remove _temp_pre after merging
+    'rm -rf /__w/_temp_pre'
+  ]
+
+  try {
+    await execPodStep(
+      ['sh', '-c', mergeCommands.join(' && ')],
+      state.jobPod,
+      JOB_CONTAINER_NAME
+    )
+  } catch (err) {
+    core.debug(`Failed to merge temp directories: ${JSON.stringify(err)}`)
+    const message = (err as any)?.response?.body?.message || err
+    throw new Error(`failed to merge temp dirs: ${message}`)
+  }
 
   // Execute the entrypoint script
   args.entryPoint = 'sh'
@@ -51,7 +95,11 @@ export async function runScriptStep(
     core.debug(
       `Copying from job pod '${state.jobPod}' ${containerTemp} to ${runnerTemp}`
     )
-    await execCpFromPod(state.jobPod, containerTemp, workdir)
+    await execCpFromPod(
+      state.jobPod,
+      `${containerTemp}/_runner_file_commands`,
+      `${workdir}/_temp`
+    )
   } catch (error) {
     core.warning('Failed to copy _temp from pod')
   }

packages/k8s/src/k8s/index.ts

@@ -20,8 +20,10 @@ import {
   listDirAllCommand,
   sleep,
   EXTERNALS_VOLUME_NAME,
-  GITHUB_VOLUME_NAME
+  GITHUB_VOLUME_NAME,
+  WORK_VOLUME
 } from './utils'
+import * as shlex from 'shlex'
 
 const kc = new k8s.KubeConfig()
 
@@ -91,13 +93,33 @@ export async function createJobPod(
 
   appPod.spec = new k8s.V1PodSpec()
   appPod.spec.containers = containers
+  appPod.spec.securityContext = {
+    fsGroup: 1001
+  }
+
+  // Extract working directory from GITHUB_WORKSPACE
+  // GITHUB_WORKSPACE is like /__w/repo-name/repo-name
+  const githubWorkspace = process.env.GITHUB_WORKSPACE
+  const workingDirPath = githubWorkspace?.split('/').slice(-2).join('/') ?? ''
+
+  const initCommands = [
+    'mkdir -p /mnt/externals',
+    'mkdir -p /mnt/work',
+    'mkdir -p /mnt/github',
+    'mv /home/runner/externals/* /mnt/externals/'
+  ]
+
+  if (workingDirPath) {
+    initCommands.push(`mkdir -p /mnt/work/${workingDirPath}`)
+  }
+
   appPod.spec.initContainers = [
     {
       name: 'fs-init',
       image:
         process.env.ACTIONS_RUNNER_IMAGE ||
         'ghcr.io/actions/actions-runner:latest',
-      command: ['sh', '-c', 'mv /home/runner/externals/* /mnt/externals'],
+      command: ['sh', '-c', initCommands.join(' && ')],
       securityContext: {
         runAsGroup: 1001,
         runAsUser: 1001
@@ -106,6 +128,14 @@ export async function createJobPod(
         {
           name: EXTERNALS_VOLUME_NAME,
           mountPath: '/mnt/externals'
+        },
+        {
+          name: WORK_VOLUME,
+          mountPath: '/mnt/work'
+        },
+        {
+          name: GITHUB_VOLUME_NAME,
+          mountPath: '/mnt/github'
         }
       ]
     }
@@ -121,6 +151,10 @@ export async function createJobPod(
     {
       name: GITHUB_VOLUME_NAME,
       emptyDir: {}
+    },
+    {
+      name: WORK_VOLUME,
+      emptyDir: {}
     }
   ]
 
@@ -173,9 +207,17 @@ export async function createContainerStepPod(
   appPod.spec.restartPolicy = 'Never'
 
   appPod.spec.volumes = [
+    {
+      name: EXTERNALS_VOLUME_NAME,
+      emptyDir: {}
+    },
     {
       name: GITHUB_VOLUME_NAME,
       emptyDir: {}
+    },
+    {
+      name: WORK_VOLUME,
+      emptyDir: {}
     }
   ]
 
@@ -347,7 +389,15 @@ export async function execCpToPod(
   while (true) {
     try {
       const exec = new k8s.Exec(kc)
-      const command = ['tar', 'xf', '-', '-C', containerPath]
+      // Use tar to extract with --no-same-owner to avoid ownership issues.
+      // Then use find to fix permissions. The -m flag helps but we also need to fix permissions after.
+      const command = [
+        'sh',
+        '-c',
+        `tar xf - --no-same-owner -C ${shlex.quote(containerPath)} 2>/dev/null; ` +
+          `find ${shlex.quote(containerPath)} -type f -exec chmod u+rw {} \\; 2>/dev/null; ` +
+          `find ${shlex.quote(containerPath)} -type d -exec chmod u+rwx {} \\; 2>/dev/null`
+      ]
       const readStream = tar.pack(runnerPath)
       const errStream = new WritableStreamBuffer()
       await new Promise((resolve, reject) => {
@@ -365,7 +415,7 @@ export async function execCpToPod(
               if (errStream.size()) {
                 reject(
                   new Error(
-                    `Error from cpFromPod - details: \n ${errStream.getContentsAsString()}`
+                    `Error from execCpToPod - status: ${status.status}, details: \n ${errStream.getContentsAsString()}`
                   )
                 )
               }
@@ -387,16 +437,16 @@ export async function execCpToPod(
     }
   }
 
-  const want = await localCalculateOutputHashSorted([
-    'sh',
-    '-c',
-    listDirAllCommand(runnerPath)
-  ])
-
   let attempts = 15
   const delay = 1000
   for (let i = 0; i < attempts; i++) {
     try {
+      const want = await localCalculateOutputHashSorted([
+        'sh',
+        '-c',
+        listDirAllCommand(runnerPath)
+      ])
+
       const got = await execCalculateOutputHashSorted(
         podName,
         JOB_CONTAINER_NAME,
@@ -428,11 +478,6 @@ export async function execCpFromPod(
   core.debug(
     `Copying from pod ${podName} ${containerPath} to ${targetRunnerPath}`
   )
-  const want = await execCalculateOutputHashSorted(
-    podName,
-    JOB_CONTAINER_NAME,
-    ['sh', '-c', listDirAllCommand(containerPath)]
-  )
 
   let attempt = 0
   while (true) {
@@ -493,6 +538,12 @@ export async function execCpFromPod(
   const delay = 1000
   for (let i = 0; i < attempts; i++) {
     try {
+      const want = await execCalculateOutputHashSorted(
+        podName,
+        JOB_CONTAINER_NAME,
+        ['sh', '-c', listDirAllCommand(containerPath)]
+      )
+
       const got = await localCalculateOutputHashSorted([
         'sh',
         '-c',
@@ -780,7 +831,7 @@ export async function isPodContainerAlpine(
       [
         'sh',
         '-c',
-        `'[ $(cat /etc/*release* | grep -i -e "^ID=*alpine*" -c) != 0 ] || exit 1'`
+        `[ $(cat /etc/*release* | grep -i -e "^ID=*alpine*" -c) != 0 ] || exit 1`
       ],
       podName,
       containerName

packages/k8s/src/k8s/utils.ts

@@ -15,12 +15,17 @@ export const ENV_USE_KUBE_SCHEDULER = 'ACTIONS_RUNNER_USE_KUBE_SCHEDULER'
 
 export const EXTERNALS_VOLUME_NAME = 'externals'
 export const GITHUB_VOLUME_NAME = 'github'
+export const WORK_VOLUME = 'work'
 
 export const CONTAINER_VOLUMES: k8s.V1VolumeMount[] = [
   {
     name: EXTERNALS_VOLUME_NAME,
     mountPath: '/__e'
   },
+  {
+    name: WORK_VOLUME,
+    mountPath: '/__w'
+  },
   {
     name: GITHUB_VOLUME_NAME,
     mountPath: '/github'
@@ -102,7 +107,7 @@ export function writeContainerStepScript(
 rm "$0" # remove script after running
 mv /__w/_temp/_github_home /github/home && \
 mv /__w/_temp/_github_workflow /github/workflow && \
-mv /__w/_temp/_runner_file_commands /github/file_commands && \
+mv /__w/_temp/_runner_file_commands /github/file_commands || true && \
 mv /__w/${parts.join('/')}/ /github/workspace && \
 cd /github/workspace && \
 exec ${environmentPrefix} ${entryPoint} ${
@@ -283,6 +288,11 @@ function mergeLists<T>(base?: T[], from?: T[]): T[] {
 }
 
 export function fixArgs(args: string[]): string[] {
+  // Preserve shell command strings passed via `sh -c` without re-tokenizing.
+  // Retokenizing would split the script into multiple args, breaking `sh -c`.
+  if (args.length >= 2 && args[0] === 'sh' && args[1] === '-c') {
+    return args
+  }
   return shlex.split(args.join(' '))
 }
 
@@ -291,5 +301,5 @@ export async function sleep(ms: number): Promise<void> {
 }
 
 export function listDirAllCommand(dir: string): string {
-  return `cd ${shlex.quote(dir)} && find . -not -path '*/_runner_hook_responses*' -exec stat -c '%b %n' {} \\;`
+  return `cd ${shlex.quote(dir)} && find . -not -path '*/_runner_hook_responses*' -exec stat -c '%s %n' {} \\;`
 }

packages/k8s/tests/e2e-test.ts

@@ -26,6 +26,7 @@ describe('e2e', () => {
   afterEach(async () => {
     await testHelper.cleanup()
   })
+
   it('should prepare job, run script step, run container step then cleanup without errors', async () => {
     await expect(
       prepareJob(prepareJobData.args, prepareJobOutputFilePath)

packages/k8s/tests/prepare-job-test.ts

@@ -45,7 +45,7 @@ describe('Prepare job', () => {
       process.env.GITHUB_WORKSPACE as string,
       'myvolume'
     )
-    fs.mkdirSync(userVolumeMount)
+    fs.mkdirSync(userVolumeMount, { recursive: true })
     fs.writeFileSync(path.join(userVolumeMount, 'file.txt'), 'hello')
     prepareJobData.args.container.userMountVolumes = [
       {
@@ -63,11 +63,7 @@ describe('Prepare job', () => {
     )
 
     await execPodStep(
-      [
-        'sh',
-        '-c',
-        '\'[ "$(cat /__w/myvolume/file.txt)" = "hello" ] || exit 5\''
-      ],
+      ['sh', '-c', '[ "$(cat /__w/myvolume/file.txt)" = "hello" ] || exit 5'],
       content!.state!.jobPod,
       JOB_CONTAINER_NAME
     ).then(output => {
@@ -231,4 +227,20 @@ describe('Prepare job', () => {
       expect(() => content.context.services[0].image).not.toThrow()
     }
   )
+
+  it('should prepare job with container with non-root user', async () => {
+    prepareJobData.args!.container!.image =
+      'ghcr.io/actions/actions-runner:latest' // known to use user 1001
+    await expect(
+      prepareJob(prepareJobData.args, prepareJobOutputFilePath)
+    ).resolves.not.toThrow()
+
+    const content = JSON.parse(
+      fs.readFileSync(prepareJobOutputFilePath).toString()
+    )
+    expect(content.state.jobPod).toBeTruthy()
+    expect(content.context.container.image).toBe(
+      'ghcr.io/actions/actions-runner:latest'
+    )
+  })
 })