pezkuwichain/pezkuwi-sdk
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(ci): fix Docker push permissions, macOS disk space, and audit summary overflow

Browse Source 
- build-publish-images: replace silent sudo chown failure (2>/dev/null || true)
  with proper error handling and fallback cleanup for all 7 push jobs.
  Root cause: container build jobs create root-owned files, non-container push
  jobs on runner2 couldn't sudo chown without sudoers config.
- tests-misc: add disk cleanup step to cargo-check-all-crate-macos job to free
  space before cargo check (remove Android SDK, old CLT SDKs, etc.)
- security-audit: truncate cargo-audit output to 500 lines before writing to
  GITHUB_STEP_SUMMARY to avoid the 1MB size limit crash.
This commit is contained in:
Kurdistan Tech Ministry
2026-03-02 13:58:38 +03:00
parent 233f6fcb9d
commit f8c4bca688
3 changed files with 59 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/build-publish-images.yml
+42 -7
View File
@@ -490,7 +490,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -518,7 +523,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -546,7 +556,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -574,7 +589,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -602,7 +622,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -638,7 +663,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -683,7 +713,12 @@ jobs:
timeout-minutes: 180 timeout-minutes: 180
steps: steps:
- name: Fix workspace permissions - name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true run: |
sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" || {
echo "::warning::sudo chown failed - attempting cleanup"
rm -rf "${GITHUB_WORKSPACE:?}"/* 2>/dev/null || true
rm -rf "${GITHUB_WORKSPACE:?}"/.[!.]* 2>/dev/null || true
}
- name: Checkout - name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
.github/workflows/security-audit.yml
+5 -1
View File
@@ -60,7 +60,11 @@ jobs:
if [ $RESULT -ne 0 ]; then if [ $RESULT -ne 0 ]; then
echo "### Vulnerabilities found" >> $GITHUB_STEP_SUMMARY echo "### Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY
cat audit-output.txt >> $GITHUB_STEP_SUMMARY # Truncate output to avoid GITHUB_STEP_SUMMARY 1MB limit
head -500 audit-output.txt >> $GITHUB_STEP_SUMMARY
if [ "$(wc -l < audit-output.txt)" -gt 500 ]; then
echo "... (truncated, see full output in job logs)" >> $GITHUB_STEP_SUMMARY
fi
echo '```' >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY
exit $RESULT exit $RESULT
else else
.github/workflows/tests-misc.yml
+12
View File
@@ -427,6 +427,18 @@ jobs:
continue-on-error: true continue-on-error: true
steps: steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Free disk space
run: |
echo "Disk space before cleanup:"
df -h /
# Remove large pre-installed tools to free disk space
sudo rm -rf /Library/Developer/CommandLineTools/SDKs 2>/dev/null || true
sudo rm -rf /Users/runner/Library/Android 2>/dev/null || true
sudo rm -rf /usr/local/share/powershell 2>/dev/null || true
sudo rm -rf /usr/local/lib/node_modules 2>/dev/null || true
brew cleanup --prune=all 2>/dev/null || true
echo "Disk space after cleanup:"
df -h /
- name: Set rust version from env file - name: Set rust version from env file
run: | run: |
RUST_VERSION=$(cat .github/env | sed -E 's/.*ci-unified:([^-]+)-([^-]+).*/\2/') RUST_VERSION=$(cat .github/env | sed -E 's/.*ci-unified:([^-]+)-([^-]+).*/\2/')