Post Clean Up Issue

[juliusoh]

TL;DR

Error: google-github-actions/auth post failed with: failed to remove "/home/runner/work//gha-creds-7d2206b70566553e.json": EACCES: permission denied, unlink '/home/runner/work//gha-creds-7d2206b70566553e.json'

Expected behavior

No response

Observed behavior

No response

Action YAML

permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    environment:
      name: stage

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}

Log output

No response

Additional information

No response

[github-actions]

Hi there @juliusoh 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Are you using self-hosted runners? Does this happen all the time? Please provide the full debug logs.

[juliusoh]

Are you using self-hosted runners? Does this happen all the time? Please provide the full debug logs.

These are GitHub hosted runners and happens all the time

[sethvargo]

Could you please provide the full debug logs? They are instructions in the Troubleshooting steps above. Please also provide your complete action.yml.

[jacek-jablonski]

Same problem here. I sent the debug logs by email as instructed.

[lucianxquatium]

Same here. It started to fail 4 days ago. Followed the troubleshooting guide but nothing helped.

We are also using a GH-hosted runner, not the latest version, and it happens all the time.
For authentication, we use WIP with a SA.

  job-name:
    runs-on: ubuntu-20.04
    permissions:
      id-token: 'write'
      contents: 'read'

    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      
      - name: Authenticate to Google Cloud
        uses: 'google-github-actions/auth@v2'
        with:
          create_credentials_file: 'true'
          workload_identity_provider: 'projects/....../providers/githubwif'
          service_account: '......iam.gserviceaccount.com'

[sethvargo]

Hmm - thank you for sharing those logs. Confirming I got them. What's strange is that nothing has changed in this GitHub Action since Feb 25, so I'm wondering if this is a change on GitHub's end? There was a runner release 5 days ago. I don't see how that diff could cause this, but ¯_(ツ)_/¯.

@jacek-jablonski @lucianxquatium was this previously working? If you have a successful workflow run, can you send me the logs (ideally that include the GitHub Actions Runner version)? I'm thinking something changed on GitHub's end, probably unintentionally.

[jacek-jablonski]

Hi @sethvargo,
freezing runner version didn't fix the problem. However, I noticed another issue that is the cause for us: gruntwork-io/terragrunt-action#64
So my problem is caused by terragrunt-action changing permissions.

[lucianxquatium]

Hi, @sethvargo, on the same runner version, it was previously working and started to fail once terragrunt-action@v2.1.1 was released few days ago. Same as @jacek-jablonski described above.

Many thanks, @jacek-jablonski! Downgrading terragrunt-action to 2.1.0 worked. 💪

[sethvargo]

Ah interesting. Unfortunately there's nothing we can do in auth to address this, since gruntworks is modifying the file permissions in a way that we cannot cleanup. If you're using GitHub-hosted runners, you can disable the credential cleanup. This is highly discouraged on self-hosted runners though, since it will persist credentials between runs. I see gruntwork-io/terragrunt-action#64 is filed upstream.