The hash of the directory does not match the expected value in post job step #290
Description
I noticed an issue related to the actions/checkout action in combination with the new copy functionality. I am using the latest main of runner-container-hooks.
The bug results in the hash validation mechanism failing after copying files from the workflow pod to the runner pod. This only occurs in the 'Post' step of the job.
There are a couple of requirements that need to be met before you trigger the bug.
- You need to call a reusable action (can be local or in a different repository).
- That reusable action needs to do a checkout using
actions/checkout, but it needs to usev6. - That reusable action also needs to perform any action on your git directory, for example setting the safe dir.
Once all these requirements are met, the 'Post' step of job will indicate that there is different hash on the runner pod then on the workflow pod.
As mentioned before, using actions/checkout@v6 is a requirement as actions/checkout@v5 does not trigger the issue.
If we look into the changes done in v6, we can see the following:
Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.
This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to
access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
This is the workflow used to reproduce the issue.
name: Showcase issue
on:
workflow_dispatch:
jobs:
test:
runs-on: default-staging
container:
image: ubuntu:24.04
steps:
- name: Install git
run: |
apt-get update && apt-get install -y git
- name: Call action
uses: TrendMiner/tm-pnt-dummy@main # cannot reference local actions due to https://github.com/actions/runner-container-hooks/issues/260This is the reusable action used in the workflow. I used a local reusable action for ease, but the same occurs if your reusable action is in a separate repository.
---
name: Hello
description: Hello
runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Set git safe directory
shell: bash
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
Below are the logs of the 'Post Call action' step that showcase the mismatch in hash.
##[debug]Evaluating condition for step: 'Post Call action'
##[debug]Evaluating: always()
##[debug]Evaluating always:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Post Call action
##[debug]Loading inputs
##[debug]Loading env
Post job cleanup.
##[debug]Evaluating condition for step: 'run'
##[debug]Evaluating: always()
##[debug]Evaluating always:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: run
##[debug]Loading inputs
##[debug]Evaluating: github.repository
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'repository'
##[debug]=> 'mycompany/tm-pnt-dummy'
##[debug]Result: 'mycompany/tm-pnt-dummy'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Post job cleanup.
##[debug]Running JavaScript Action with default external tool: node24
Run '/home/runner/k8s/index.js'
##[debug]/home/runner/externals/node20/bin/node /home/runner/k8s/index.js
##[debug]Copying /home/runner/_work/_temp to pod default-staging-xjndr-runner-hnpxv-workflow at /__w/_temp
(node:424) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]execPodStep response: {"metadata":{},"status":"Success"}
##[debug]Getting git version
/usr/bin/git version
git version 2.43.0
##[debug]0
##[debug]git version 2.43.0
##[debug]
##[debug]Set git useragent to: git/2.43.0 (github-actions-checkout)
::add-mask::***
Copying '/root/.gitconfig' to '/__w/_temp/0469fab8-c4c2-435c-ae26-513ada0b2849/.gitconfig'
Temporarily overriding HOME='/__w/_temp/0469fab8-c4c2-435c-ae26-513ada0b2849' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /__w/tm-pnt-dummy/tm-pnt-dummy
##[debug]0
##[debug]
Removing SSH command configuration
/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
##[debug]1
##[debug]
/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
##[debug]0
##[debug]
Removing HTTP extra header
/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
##[debug]1
##[debug]
/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
##[debug]0
##[debug]
Removing includeIf entries pointing to credentials config files
/usr/bin/git config --local --name-only --get-regexp ^includeIf\.gitdir:
includeif.gitdir:/__w/tm-pnt-dummy/tm-pnt-dummy/.git.path
includeif.gitdir:/github/workspace/.git.path
##[debug]0
##[debug]includeif.gitdir:/__w/tm-pnt-dummy/tm-pnt-dummy/.git.path
##[debug]includeif.gitdir:/github/workspace/.git.path
##[debug]
/usr/bin/git config --local --get-all includeif.gitdir:/__w/tm-pnt-dummy/tm-pnt-dummy/.git.path
/__w/_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config
##[debug]0
##[debug]/__w/_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config
##[debug]
/usr/bin/git config --local --unset includeif.gitdir:/__w/tm-pnt-dummy/tm-pnt-dummy/.git.path /__w/_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config
##[debug]0
##[debug]
/usr/bin/git config --local --get-all includeif.gitdir:/github/workspace/.git.path
/github/runner_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config
##[debug]0
##[debug]/github/runner_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config
##[debug]
/usr/bin/git config --local --unset includeif.gitdir:/github/workspace/.git.path /github/runner_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config
##[debug]0
##[debug]
/usr/bin/git submodule foreach --recursive git config --local --show-origin --name-only --get-regexp remote.origin.url
##[debug]0
##[debug]
Removing credentials config '/__w/_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config'
##[debug]Skipping removal of credentials config '/github/runner_temp/git-credentials-08a51a8f-a532-4af2-9653-32c5a0e88715.config' - not under RUNNER_TEMP
##[debug]Unsetting HOME override
##[debug]execPodStep response: {"metadata":{},"status":"Success"}
##[debug]Copying from job pod 'default-staging-xjndr-runner-hnpxv-workflow' /__w/_temp to /home/runner/_work/_temp
##[debug]Copying from pod default-staging-xjndr-runner-hnpxv-workflow /__w/_temp to /home/runner/_work/_temp
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]internalExecOutput response: {"metadata":{},"status":"Success"}
##[debug]The hash of the directory does not match the expected value; want='31be5782b03b197e2fb8839448edeb9dcc053bed027135014891087f66b55861' got='f729dc2ea97570b3cadc50558e05a8c893054fee2c8c3558f8fd10f639f781c0'
##[debug]Node Action run completed with exit code 0
##[debug]Finished: run
##[debug]Finishing: Post Call action