Github-runners: cp read-only filesystem

Hi Everyone,
Recently I’ve migrated my server to NixOS from Debian because of the reproducibility and other reasons.

On Debian my server hosted my website, which is a static site made in Astro. For convenience I have a self-hosted Github runner which builds my website upon every push and copies the result into the directory which nginx serves the site from.

I’ve successfully ported most of the runner to Nix. However, the build always fails at the last step: it cannot copy the built files to the nginx site folder:

Run cp -r *** ***
  cp -r *** ***
  shell: /nix/store/lm10ywzflq9qfhr4fl0zqxrhiksf28ks-bash-5.2-p15/bin/bash -e {0}
cp: cannot create regular file '***/404.html': Read-only file system
cp: cannot create regular file '***/_astro/hoisted.c588e9ee.js': Read-only file system
cp: cannot create regular file '***/_astro/hoisted.77292c35.js': Read-only file system
cp: cannot create regular file '***/_astro/hoisted.77775e67.js': Read-only file system
cp: cannot create regular file '***/blog/index.html': Read-only file system
...

(The asterisks represent the nginx folder, which resides in /var/www/…)

Could anyone tell me why the folder is a read-only file system? (The folder exists, I gave the github-runner user permissions, and nginx accesses it fine.) I suspect it has something to do with NixOS’s immutability, but I don’t really have enough Nix knowledge for this. Is there any workaround I could use?

My config:

services.github-runners = {
  website = {
    enable = true;
    replace = true;
    user = "shared";
    url = "https://github.com/ymstnt/ymstnt.com";
    tokenFile = builtins.toFile "token" secrets.runners.runner1;
    extraPackages = with pkgs; [
      bun
      nodejs_20
    ];
    nodeRuntimes = [ "node20" ];
    workDir = "/var/runners/website";
  };
};

workflow.yml:

# Simple CD

name: push_cd

on:
  push:
    branches: ["main"]
  workflow_dispatch:
    branches: ["main"]

jobs:
  build:
    runs-on: self-hosted

    strategy:
     matrix:
      node-version: [20.x]

    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
         node-version: ${{ matrix.node-version }}
      - name: Install dependencies
        run: bun i
      - name: Build production bundle
        run: bun run build
      - name: Copy folder where nginx expects to be
        run: cp -r ${{secrets.COPY_FROM_FOLDER}} ${{secrets.COPY_TO_FOLDER}}

Any help would be greatly appreciated.

UPDATE: I found out it was due to the sandboxing and it can be easily overridden with an option.

services.github-runners.<name>.serviceOverrides = {
  ReadWritePaths = [
    "/some/path"
  ];
};

This gives read/write access to the provided paths.
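For reference, the runner definition from the post combined with the serviceOverrides fix, as an added example that is not from the original post. The site root path, the secret file location and the nginx group in the tmpfiles rule are assumptions; adjust them to match the real setup.

```nix
# Added example (not the original poster's config): github-runner with the
# sandbox opened only for the directory nginx serves.
{ config, pkgs, ... }:

let
  # Assumed nginx document root; the post masks the real path under /var/www/...
  siteRoot = "/var/www/ymstnt.com";
in
{
  services.github-runners.website = {
    enable = true;
    replace = true;
    user = "shared";
    url = "https://github.com/ymstnt/ymstnt.com";
    # Assumed location of a root-owned secret file. builtins.toFile (as in the
    # post) would write the token into /nix/store, which is world-readable.
    tokenFile = "/run/secrets/github-runner-website-token";
    extraPackages = with pkgs; [ bun nodejs_20 ];
    nodeRuntimes = [ "node20" ];
    workDir = "/var/runners/website";

    # The module runs the runner under systemd hardening (ProtectSystem=strict),
    # so everything outside workDir is mounted read-only, which is the
    # "Read-only file system" error from cp. Allow writes only to the site
    # root rather than disabling the sandbox as a whole.
    serviceOverrides = {
      ReadWritePaths = [ siteRoot ];
    };
  };

  # Make ownership explicit: the runner user writes, the nginx group reads.
  systemd.tmpfiles.rules = [
    "d ${siteRoot} 0755 shared nginx -"
  ];
}
```

After rebuilding, `systemctl show github-runner-website.service -p ProtectSystem -p ReadWritePaths` confirms the sandbox is still strict and lists only the intended path.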