I am using this action and love it. One issue that I have at work is that we are using rootless mode in which docker daemon is executed by the user and not by root.
Somehow, because this action uses
runs:
using: 'docker'
image: 'Dockerfile'
to invoke docker, the resulting docker call will be something like /usr/bin/docker run --name cbc94a5e31a432d984f5c9c68f20aee_b5c4a7 --label 015029 --workdir /github/workspace --rm -e "INPUT_DOCS-FOLDER" -e "INPUT_BUILD-COMMAND" -e "INPUT_PRE-BUILD-COMMAND" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/scratch/actions-runner/_work/_temp/_github_home":"/github/home" -v "/scratch/actions-runner/_work/_temp/_github_workflow":"/github/workflow" -v "/scratch/actions-runner/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/scratch/actions-runner/_work/quark-examples/quark-examples":"/github/workspace" 015029:4cbc94a5e31a432d984f5c9c68f20aee
and the key part is the docker run argument -v "/var/run/docker.sock":"/var/run/docker.sock" which essentially maps the root docker PID instead of the user (rootless) docker PID at unix://$XDG_RUNTIME_DIR/docker.sock. My environment already sets
docker context use rootless
export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
but it is superseeded by the docker run -v "/var/run/docker.sock":"/var/run/docker.sock" argument.
Thus, my feature request is to refactor sphinx-action/action.yml to not use
runs:
using: 'docker'
image: 'Dockerfile'
but something else, such as
which allows rootless mode to work properly
Rootless mode support fixes #62, for example and is a lot safer to execute on critical environments in the case someone hacks into docker daemon
I am using this action and love it. One issue that I have at work is that we are using rootless mode in which docker daemon is executed by the user and not by root.
Somehow, because this action uses
to invoke docker, the resulting docker call will be something like
/usr/bin/docker run --name cbc94a5e31a432d984f5c9c68f20aee_b5c4a7 --label 015029 --workdir /github/workspace --rm -e "INPUT_DOCS-FOLDER" -e "INPUT_BUILD-COMMAND" -e "INPUT_PRE-BUILD-COMMAND" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/scratch/actions-runner/_work/_temp/_github_home":"/github/home" -v "/scratch/actions-runner/_work/_temp/_github_workflow":"/github/workflow" -v "/scratch/actions-runner/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/scratch/actions-runner/_work/quark-examples/quark-examples":"/github/workspace" 015029:4cbc94a5e31a432d984f5c9c68f20aeeand the key part is the docker run argument
-v "/var/run/docker.sock":"/var/run/docker.sock"which essentially maps the root docker PID instead of the user (rootless) docker PID atunix://$XDG_RUNTIME_DIR/docker.sock. My environment already setsdocker context use rootless export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"but it is superseeded by the docker run
-v "/var/run/docker.sock":"/var/run/docker.sock"argument.Thus, my feature request is to refactor sphinx-action/action.yml to not use
but something else, such as
which allows rootless mode to work properly
Rootless mode support fixes #62, for example and is a lot safer to execute on critical environments in the case someone hacks into docker daemon