v2.332.0: Container jobs fail with permission denied on GITHUB_ENV and workspace after upgrade from v2.330.0 #4302
Description
Description
After upgrading ARC (Actions Runner Controller) runners from v2.330.0 to v2.332.0, container jobs fail in multiple ways due to UID/ownership mismatches between the runner and job containers.
Environment
- Runner version: v2.332.0 (upgraded from v2.330.0)
- Platform: ARC on Kubernetes (EKS)
- Container hooks: v0.8.1 (bundled with v2.332.0)
Problems
1. $GITHUB_ENV / $GITHUB_OUTPUT permission denied in container: jobs
Workflows using the native container: directive with a non-root user fail when any step writes to $GITHUB_ENV or $GITHUB_OUTPUT:
/__w/_temp/36e38446.sh: 5: cannot create /__w/_temp/_runner_file_commands/set_env_7bb88aaa: Permission denied
The runner file command directories under /__w/_temp/_runner_file_commands/ are owned by a UID that doesn't match the container user.
Workflow example:
jobs:
test:
runs-on: self-hosted
container:
image: my-image:latest
options: --user 1000
steps:
- run: echo "FOO=bar" >> $GITHUB_ENV # Permission denied2. Git "dubious ownership" in job containers
Containers launched by job steps get git ownership errors because the container user doesn't match the workspace volume owner:
fatal: detected dubious ownership in repository at '/workspace'
The Ubuntu 24.04 base image (introduced in v2.331.0) ships git 2.43+ which has stricter safe.directory enforcement than the previous Ubuntu 22.04 base.
3. Workspace not writable by non-root container users
Non-root users inside job containers cannot write to the mounted workspace volume:
/workspace/vendor does not exist and could not be created
Root cause
The v2.330.0 → v2.332.0 upgrade introduced several compounding changes:
- v2.331.0: Base image changed from Ubuntu 22.04 to Ubuntu 24.04 (PR Bump docker image to use ubuntu 24.04 #4018), shipping git 2.43+ with stricter
safe.directorychecks - v2.332.0: Container hooks bumped to v0.8.1 (PR Bump hook to 0.8.1 #4222), which changes workspace ownership handling but only for the runner container — not for job containers
The container hooks v0.8.1 fix (PRs #264, #283) correctly sets workspace permissions for the runner pod itself, but downstream job containers still see UID mismatches because the runner file command directories and mounted volumes are owned by the runner UID.
Expected behavior
Container jobs using non-root users should work the same way they did before the upgrade. The runner should ensure that /__w/_temp/_runner_file_commands/ and workspace volumes are accessible by the container user specified in container.options.
Related issues
- Permissions issue on runners v2.330.0 #4131 — Permissions issue on runners v2.330.0 (
/home/runnerownership regression) - TempFirectoryManager fails to clean temp directory due to error in info gathering phase. #4251 — TempDirectoryManager fails to clean temp directory (permission denied on v2.331.0)
- Permissions denied on workingDir (__w/repo) runner-container-hooks#282 — Permissions denied on workingDir