Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

UPM authentication and runAsHostUser on self-hosted linux runner #660

Open
eberleinNeobird opened this issue Jul 26, 2024 · 5 comments
Open
Labels
bug Something isn't working

Comments

@eberleinNeobird
Copy link

eberleinNeobird commented Jul 26, 2024

Bug description

I created a self-hosted Linux runner for GitHub, to build my unity app. When I set the unity-builder runAsHosteUser to true authentication to UPM Server fails:

An error occurred while resolving packages:
  Project has invalid dependencies:
    com.neobird.bootstrap: Request [GET <my verdaccio package>] failed because it lacks valid authentication credentials

How to reproduce

Install Linux runner like described on:
https://game.ci/docs/self-hosting/host-provisioning/ubuntu-setup

Use these two steps:

      - name: Setup UPM Authentication
        timeout-minutes: 10
        run: |
          mkdir ${{ runner.temp }}/_github_home
          cd ${{ runner.temp }}/_github_home
          echo "[npmAuth.\"my verdaccio url"]" >> .upmconfig.toml
          echo "alwaysAuth = true" >> .upmconfig.toml
          echo "token = \"${{ secrets.NPM_AUTH_TOKEN }}\"" >> .upmconfig.toml

and

      - name: Unity Build (${{ matrix.targetPlatform }}, ${{ matrix.buildProfile }}, ${{ matrix.unityVersion }})
        uses: game-ci/unity-builder@v4
        timeout-minutes: 60
        env:
          UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
          UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
          UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
        with:
          runAsHostUser: ${{ matrix.runAsHostUser }}
          versioning: Semantic
          dockerWorkspacePath: /github/workspace
          unityVersion: ${{ matrix.unityVersion }}
          targetPlatform: ${{ matrix.targetPlatform }}
          buildMethod: NeoBird.Build.BuildScript
          customParameters: '-buildProfile ${{ matrix.buildProfile }

matrix.runAsHostUser of course is true.

Expected behavior

UPM packages should be resolved.

Maybe it's because of step Setup, UPM Authentication does not run as HostUser.
Thx for your help.

@eberleinNeobird eberleinNeobird added the bug Something isn't working label Jul 26, 2024
@GabLeRoux
Copy link
Member

Here is something you might try to resolve your authentication issue with UPM. (Note: I did not try this).

When using runAsHostUser: true on a self-hosted Linux runner, the problem might be from the .upmconfig.toml file not being accessible or correctly configured for the host user.

  1. Adjust UPM Authentication Setup:
    Place the .upmconfig.toml in the host user's home directory:

    - name: Setup UPM Authentication
      timeout-minutes: 10
      run: |
        mkdir -p $HOME/.upmconfig
        echo "[npmAuth.\"<your verdaccio url>\"]" >> $HOME/.upmconfig/.upmconfig.toml
        echo "alwaysAuth = true" >> $HOME/.upmconfig/.upmconfig.toml
        echo "token = \"${{ secrets.NPM_AUTH_TOKEN }}\"" >> $HOME/.upmconfig/.upmconfig.toml
  2. Ensure Permissions:
    Ensure the file has the correct permissions for the host user:

    - name: Set Permissions for UPM Config
      run: |
        chown -R $(whoami) $HOME/.upmconfig
  3. Use the Correct User:
    Ensure the Unity build step runs as the correct user:

    - name: Unity Build
      uses: game-ci/unity-builder@v4
      timeout-minutes: 60
      env:
        UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
        UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
        UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
      with:
        runAsHostUser: true
        versioning: Semantic
        dockerWorkspacePath: /github/workspace
        unityVersion: ${{ matrix.unityVersion }}
        targetPlatform: ${{ matrix.targetPlatform }}
        buildMethod: NeoBird.Build.BuildScript
        customParameters: '-buildProfile ${{ matrix.buildProfile }}'

The UPM configuration file is documented here: https://docs.unity3d.com/Manual/upm-config.html

@JanikHelbig-NB
Copy link

Hi @GabLeRoux, I'm working on the same issue as @eberleinNeobird and I've tried to apply your suggestions.
I've checked the logs and the docker container is being correctly run with the RUN_AS_HOST_USER=true flag.
The Setup UPM Authentication step now also creates the .upmconfig.toml file inside host user home directory, as it should, and the file permissions appear correct.

Unfortunately the Unity instance inside the docker container still doesn't seem to be able to locate it. Unity doesn't log where it's looking for this configuration file and wether or not it's found anything either.

Is there a way to mount additional directories to the docker container or at least pass an additional environment variable? Ideally without needing to configure custom docker images.

@GabLeRoux
Copy link
Member

GabLeRoux commented Aug 19, 2024

Is there a way to mount additional directories to the docker container or at least pass an additional environment variable? Ideally without needing to configure custom docker images.

I'm not exactly sure how this can be achieved with github-actions. I think the most important thing here is to figure out where Unity reads .upmconfig.toml and confirm it has access to it. According to https://docs.unity3d.com/Manual/upm-config.html It should be $HOME/.upmconfig.

Maybe a way to investigate this would be to fork the game-ci/unity-builder action, update the scripts and run the action with custom commands within the docker image to print what the container has access to.

If the container can't see $HOME/.upmconfig, we'll need to figure out how it can see it.

I don't have much information on that either.

@JanikHelbig-NB
Copy link

JanikHelbig-NB commented Nov 28, 2024

Alright, so I've had some time to look at this issue again and I've managed to make it work for our case.
I've forked the action and added the following command line flag to the docker command created by the action:

--env UPM_USER_CONFIG_FILE=/root/.upmconfig.toml

UPM_USER_CONFIG_FILE is an enviroment variable that tells Unity explicitly where to look for the config file.
Curiously this the same location where I would have expected Unity to look for the file anyway. This is essentially also the same location where the template in the docs puts the config file, e.g,: mkdir -p ${{ runner.temp }}/_github_home.

I'm still not fully sure what the root cause is and if this is something that could be added to the action upstream.

@jfranco-cap
Copy link

When running as host user, the docker entrypoint fix the permissions with the user:group of the project folder. So the .upmconfig.toml should live in /home/user. When runAsHostUser is false, the container run as root and worked fine.

USERNAME=$(stat -c '%U' "$fullProjectPath")

For my use case It was enough to set runAsHostUser to false and fix the permissions manually with docker. Kind of hacky but works. It would be nice to support UPM_USER_CONFIG_FILE env var.

    - name: Fix permissions
      shell: bash
      if: always()
      run: |
        echo "Fixing permissions for $GITHUB_WORKSPACE"
        docker run --rm -v $GITHUB_WORKSPACE:/app alpine:3.21.0 sh -c "chown -R 1002 /app"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants