Run publish job on the host instead of in a container #58
Merged
The publish job ran in a container where the checked-out workspace is owned by the host runner UID rather than the container user, so git rejected it with "detected dubious ownership" and rubygems/release-gem's git commands failed. Run the job directly on the runner with ruby/setup-ruby, like the rest of the host-based jobs, so git operates as the same user that owns the checkout and no ownership workaround is needed.
Why?
The `publish` job in `build.yml` failed with `fatal: detected dubious ownership in repository at '/__w/libdatadog-rb/libdatadog-rb'`. The job ran in a container (`ghcr.io/datadog/images-rb/engines/ruby:4.0`), where the checked-out workspace is owned by the host runner UID rather than the container user, so git refuses to operate on it. `actions/checkout` only marks the directory safe under a temporary `HOME` that does not persist, so `rubygems/release-gem`'s `git` commands still hit the error. This blocks publishing the libdatadog 35.0.0 gem.

What does this PR do?
Runs the `publish` job directly on the runner with `ruby/setup-ruby` instead of inside a container, so git operates as the same user that owns the checkout and no ownership workaround is needed. This mirrors how the other host-based jobs (and `publish.yml`) already run. `publish.yml` is intentionally left untouched.

How to test the change?
Re-run the `Build` workflow with `push` enabled on `main`; the `Publish` job should get past `rubygems/release-gem`'s git steps and publish the gems. (Note: a successful run is a real release to RubyGems.org.)

Additional Notes:
A follow-up is planned to drop `rubygems/release-gem` in favor of a minimal `configure-rubygems-credentials` + vendored sigstore attestation patch + `gem push`, but this PR is the minimal fix to unblock the release.

AI was used to accelerate implementation; all code was reviewed and understood.
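The failure mode described above, as an added diagnostic that is not part of the pull request or the project's workflow: it compares a workspace's owner UID with the UID git would run as, then checks whether a `safe.directory` entry is visible from a given `HOME`. The function names, result strings and the optional UID and HOME arguments are assumptions for illustration, and only the per-user `.gitconfig` is consulted.

```shell
#!/bin/sh
# Added example, not code from the PR. Names and result strings are hypothetical.

# Numeric owner UID of a path, read with POSIX ls so no GNU stat is needed.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# git_ownership_status DIR [UID] [HOME_DIR]
# Prints one of:
#   owned    - DIR belongs to UID, so git's ownership check passes
#   exempted - owner differs, but HOME_DIR/.gitconfig lists DIR (or *)
#              under safe.directory
#   dubious  - owner differs and no exemption is visible from HOME_DIR
# Returns non-zero only for "dubious", so a CI step can gate on it.
git_ownership_status() {
    dir=$1
    uid=${2:-$(id -u)}      # UID git would run as (defaults to the caller)
    home=${3:-$HOME}        # HOME whose .gitconfig git would read

    if [ "$(owner_uid "$dir")" = "$uid" ]; then
        echo owned
        return 0
    fi

    # Assumption: only the per-user file is inspected; system config is ignored.
    if [ -f "$home/.gitconfig" ] &&
       git config --file "$home/.gitconfig" --get-all safe.directory 2>/dev/null |
           grep -qxF -e "$dir" -e '*'; then
        echo exempted
        return 0
    fi

    echo dubious
    return 1
}
```

Calling it once with the `HOME` in effect during checkout and once with the `HOME` of the later step shows whether an exemption written in the first is still visible in the second.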