[GH-ISSUE #1184] Support running an action as a non-root user #659

Open
opened 2026-03-01 21:45:19 +03:00 by kerem · 9 comments

Originally created by @spkane on GitHub (May 26, 2022).
Original GitHub issue: https://github.com/nektos/act/issues/1184

Act version

act version 0.2.26

Feature description

Some things simply fail if you try to run them as root.

In my case I am installing Linuxbrew, to manage some additional software dependencies and it fails because it refuses to install when run as the root user.

```console
[pre-commit checks/pre-commit-checks] ⭐  Run Install Linuxbrew
[pre-commit checks/pre-commit-checks]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/3] user= workdir=
| Warning: Running in non-interactive mode because `$CI` is set.
| ==> Checking for `sudo` access (which may request your password)...
| Don't run this as root!
[pre-commit checks/pre-commit-checks]   ❌  Failure - Install Linuxbrew
[pre-commit checks/pre-commit-checks] exit with `FAILURE`: 1
```

It would be nice if the containers had another user, called something like `runner` or `nonpriv`, that could be used for a single action somehow when required.


@jayvdb commented on GitHub (May 29, 2022):

I also ran into this, and here is my recipe, still a bit of a WIP trying to reach installation of `ktlint`. The `if [ .. ]` here is because I use `act -r -j ...` locally.

```yaml
      - name: Set up Homebrew (Linux)
        if: ${{ matrix.os == 'ubuntu-22.04' }}
        shell: bash
        env:
          LB_USERNAME: linuxbrew
        run: |
          if [ ! -f /home/$LB_USERNAME/.linuxbrew/bin/brew ]; then
            # Start from a clean account; tolerate a missing user on the first
            # run so that `bash -e` does not abort the step
            rm -rf /home/$LB_USERNAME/
            deluser $LB_USERNAME 2>/dev/null || true
            adduser --disabled-password --gecos "" $LB_USERNAME
            wget -c https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
            # https://stackoverflow.com/questions/72435188/how-to-install-brew-using-a-shallow-clone
            sed -i 's:"git" "fetch":"git" "fetch" "--depth" "1":' install.sh
            sed -i '/"update" "--force"/d' install.sh
            mv install.sh /tmp
            chmod a+r /tmp/install.sh
            echo "export HOMEBREW_NO_AUTO_UPDATE=1" >> /home/$LB_USERNAME/.profile
            # The installer refuses to run as root, so drop to the new user
            su -l $LB_USERNAME -c "CI=1 USER=$LB_USERNAME bash /tmp/install.sh"
            echo "eval \"\$(/home/$LB_USERNAME/.linuxbrew/bin/brew shellenv)\"" >> /home/$LB_USERNAME/.profile
          fi
          chmod a+x /home/$LB_USERNAME/.linuxbrew/bin/brew
          chmod a+x /home/$LB_USERNAME/.linuxbrew/Homebrew/bin/brew
          su -l $LB_USERNAME -c 'brew tap holgerbrandl/tap https://github.com/holgerbrandl/homebrew-tap'
          su -l $LB_USERNAME -c 'time brew install ktlint kscript'
          # Make brew visible to the remainder of this (root) step
          eval "$(/home/$LB_USERNAME/.linuxbrew/bin/brew shellenv)"
          which ktlint kscript
```
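The recipe above creates a user by hand and switches to it with `su`, and it fetches the installer from `HEAD` and runs it unverified. The helper below is an added example, not code from act or from the comment above: it packages the same idea in an idempotent form (safe under `act -r`, where the container and the user survive between runs) and gates the downloaded installer behind a pinned SHA-256. Assumptions: the function names, that Debian `adduser` (or `useradd`) and `su` are available when running as root, and that the workflow supplies `EXPECTED_SHA256`, the hash it recorded when it pinned a commit of Homebrew/install instead of `HEAD`.

```shell
#!/usr/bin/env bash
# Added example: idempotent "ensure an unprivileged user, run a command as it"
# helpers plus a checksum gate for a downloaded installer. Not act's code.
set -eu

# Return 0 if NAME exists. Create it when missing and we are root
# (Debian adduser, falling back to useradd); fail otherwise instead of
# letting `deluser`/`adduser` errors abort a `bash -e` step on a re-run.
ensure_user() {
  local name="$1"
  if id -u "$name" >/dev/null 2>&1; then
    return 0
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "ensure_user: $name is missing and we are not root" >&2
    return 1
  fi
  if command -v adduser >/dev/null 2>&1; then
    adduser --disabled-password --gecos "" "$name"
  else
    useradd -m -s /bin/bash "$name"
  fi
}

# Run the shell string CMD as NAME. When the current user already is NAME
# (e.g. on a non-root runner image) run it directly; otherwise use a login
# shell via su so HOME and PATH are the target user's, as Homebrew expects.
run_as() {
  local name="$1" cmd="$2"
  if [ "$(id -un)" = "$name" ]; then
    sh -c "$cmd"
  else
    su -l "$name" -c "$cmd"
  fi
}

# Refuse to execute a downloaded script unless its SHA-256 matches the value
# pinned in the workflow. Pin a commit of the installer and record its hash
# rather than fetching HEAD and trusting whatever it resolves to today.
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
  fi
  [ "$actual" = "$expected" ]
}

# Usage inside a workflow step (assumed names; RUN_DEMO guards it so the
# helpers can be sourced without side effects):
if [ "${RUN_DEMO:-0}" = "1" ]; then
  ensure_user linuxbrew
  verify_sha256 /tmp/install.sh "${EXPECTED_SHA256:?set to the pinned installer hash}"
  run_as linuxbrew 'CI=1 bash /tmp/install.sh'
fi
```

`ensure_user` is what makes the step re-runnable: the original recipe's unconditional `deluser` fails on a fresh container, while unconditional `adduser` fails on a reused one. `verify_sha256` is the check a reviewer would ask for before `bash /tmp/install.sh` is executed, whichever user runs it.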

@ChristopherHX commented on GitHub (Sep 15, 2022):

Can anyone confirm if this is still a problem? Non-root user container support should be available in the current version.

You now need to choose a non-root user container:

`act -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:runner-latest`

Change `ubuntu-latest` to the `runs-on` value you specified.


@jayvdb commented on GitHub (Sep 15, 2022):

I see the "runner" images are documented at https://github.com/catthehacker/docker_images , but not at https://github.com/nektos/act/blob/master/IMAGES.md and IMO the root/non-root distinction is worth mentioning at https://github.com/nektos/act/blob/master/README.md#runners


@alvis commented on GitHub (Mar 14, 2023):

@ChristopherHX I've tried `ubuntu:runner-20.04` and it's working fine for me ✅


@Stanzilla commented on GitHub (Apr 23, 2024):

It installs fine but the `brew` command is not available afterwards:

```
Run Main Set up Homebrew
[Update Wiki API Documentation/update-wiki-api-docs]   🐳  docker cp src=/home/stan/.cache/act/Homebrew-actions-setup-homebrew@master/ dst=/var/run/act/actions/Homebrew-actions-setup-homebrew@master/
[Update Wiki API Documentation/update-wiki-api-docs]   🐳  docker exec cmd=[node /var/run/act/actions/Homebrew-actions-setup-homebrew@master/setup-homebrew/main.mjs] user= workdir=
| [command]/bin/bash /run/act/actions/Homebrew-actions-setup-homebrew@master/setup-homebrew/main.sh false false auto false  false
| Could not find 'brew' command in PATH or standard locations.
[Update Wiki API Documentation/update-wiki-api-docs]   ❗  ::error::The process '/bin/bash' failed with exit code 1
[Update Wiki API Documentation/update-wiki-api-docs]   ❌  Failure - Main Set up Homebrew
[Update Wiki API Documentation/update-wiki-api-docs] exitcode '1': failure
```

@ChristopherHX commented on GitHub (Apr 24, 2024):

I would expect that setup actions would install tools like brew and not assert that these have been preinstalled.


@ipatch commented on GitHub (Nov 8, 2024):

> It installs fine but the `brew` command is not available afterwards:
>
> ```
> Run Main Set up Homebrew
> [Update Wiki API Documentation/update-wiki-api-docs]   🐳  docker cp src=/home/stan/.cache/act/Homebrew-actions-setup-homebrew@master/ dst=/var/run/act/actions/Homebrew-actions-setup-homebrew@master/
> [Update Wiki API Documentation/update-wiki-api-docs]   🐳  docker exec cmd=[node /var/run/act/actions/Homebrew-actions-setup-homebrew@master/setup-homebrew/main.mjs] user= workdir=
> | [command]/bin/bash /run/act/actions/Homebrew-actions-setup-homebrew@master/setup-homebrew/main.sh false false auto false  false
> | Could not find 'brew' command in PATH or standard locations.
> [Update Wiki API Documentation/update-wiki-api-docs]   ❗  ::error::The process '/bin/bash' failed with exit code 1
> [Update Wiki API Documentation/update-wiki-api-docs]   ❌  Failure - Main Set up Homebrew
> [Update Wiki API Documentation/update-wiki-api-docs] exitcode '1': failure
> ```

I ran into this issue yesterday regarding brew and was able to work around it by updating the `PATH` stored in the `GITHUB_ENV`. You should probably print the contents of the `GITHUB_ENV` to see if in fact the Homebrew paths were added to the `PATH` env var; for my setup I had to do this manually in my workflow file.

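One way to do the "is brew on `PATH`, and if not, export it" check described in the comment above, as an added example rather than code from act or from the setup-homebrew action: it locates a Homebrew prefix that actually contains `bin/brew`, appends that prefix's `bin` and `sbin` to the `GITHUB_PATH` file (the file GitHub Actions reads to prepend entries to `PATH` for every subsequent step), and also exports `PATH` for the current step, because the file only takes effect from the next step on. The function names and the candidate directories passed in the usage guard are assumptions.

```shell
#!/usr/bin/env bash
# Added example: make a freshly installed brew visible to this step and to
# later steps. Not part of act or of Homebrew/actions.
set -eu

# Print the first candidate prefix that really contains an executable
# bin/brew. With no arguments the standard Linuxbrew locations are tried.
find_brew_prefix() {
  local candidate
  if [ "$#" -eq 0 ]; then
    set -- /home/linuxbrew/.linuxbrew "${HOME:-/nonexistent}/.linuxbrew"
  fi
  for candidate in "$@"; do
    if [ -x "$candidate/bin/brew" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Append PREFIX/bin and PREFIX/sbin to PATH_FILE, one entry per line as the
# GITHUB_PATH protocol requires, and export PATH for the rest of this step.
export_brew_path() {
  local prefix="$1" path_file="$2"
  printf '%s\n%s\n' "$prefix/bin" "$prefix/sbin" >> "$path_file"
  PATH="$prefix/bin:$prefix/sbin:$PATH"
  export PATH
}

# Return 0 when brew resolves on PATH. On failure dump the GITHUB_PATH file
# to the log so the run shows what was (or was not) exported for later steps.
brew_visible() {
  if command -v brew >/dev/null 2>&1; then
    return 0
  fi
  echo "brew not on PATH; GITHUB_PATH contents:" >&2
  cat "${GITHUB_PATH:-/dev/null}" >&2
  return 1
}

# Usage inside a step (guarded so the functions can be sourced on their own):
if [ "${RUN_DEMO:-0}" = "1" ]; then
  prefix="$(find_brew_prefix)"
  export_brew_path "$prefix" "${GITHUB_PATH:?not running inside a workflow step}"
  brew_visible
fi
```

`GITHUB_PATH` is the mechanism meant for this; writing `PATH=...` into `GITHUB_ENV` also works but replaces the whole variable for later steps, so a prepend through `GITHUB_PATH` is the safer form.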

@inkarkat commented on GitHub (Dec 16, 2024):

Why aren't the non-root `runner-` images the default? Shouldn't it be the main goal to be as compatible with GitHub's workflows, and as those use a non-root `runner` user, act should do the same?

I have some Bats tests that attempt to write to a read-only directory, and expect this to fail. Except with act, the root user can still write even though permissions are `r-x------`, causing the tests to fail.

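A small demonstration of the root/non-root difference behind the Bats failure described above, as an added example that is not part of act or of the thread: it sets a directory to `r-x------`, attempts a write, and reports whether the write was denied. Root holds `CAP_DAC_OVERRIDE`, so the mode bits are not enforced against it and the probe succeeds; under GitHub's `runner` user, or any other unprivileged uid, the kernel returns EACCES. The function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: why "write to a read-only directory must fail" holds on a
# non-root runner but not in act's default root container. Not act's code.
set -eu

# Make DIR mode r-x------ (0500) and try to create a file inside it.
# Returns 0 if the write was denied (what the Bats test expects) and 1 if it
# went through. Root ignores DAC mode bits via CAP_DAC_OVERRIDE, so it gets 1.
write_denied_in() {
  local dir="$1"
  chmod 500 "$dir"
  if : > "$dir/probe" 2>/dev/null; then
    rm -f "$dir/probe"
    return 1
  fi
  return 0
}

# What a permission test can legitimately expect from the current process:
# "denied" for an unprivileged uid, "allowed" for root. A Bats suite can use
# this to `skip` its read-only-directory cases when it finds itself as root.
expected_outcome() {
  if [ "$(id -u)" -eq 0 ]; then
    echo allowed
  else
    echo denied
  fi
}

# Usage (guarded so the functions can be sourced without side effects):
if [ "${RUN_DEMO:-0}" = "1" ]; then
  d="$(mktemp -d)"
  if write_denied_in "$d"; then
    echo "write denied as uid $(id -u); permission tests are meaningful here"
  else
    echo "write allowed as uid $(id -u); run under a non-root image such as ubuntu:runner-*"
  fi
  chmod 700 "$d" && rmdir "$d"
fi
```

The honest fix is the one suggested in the comment: use a `runner-` image so the tests run as the same kind of user they run as on GitHub. Skipping the cases when `id -u` is 0 keeps the suite green but leaves those paths untested; alternatively the test process can drop the capability (e.g. `capsh --drop=cap_dac_override`), after which even root is refused by the mode bits.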

@ChristopherHX commented on GitHub (Dec 16, 2024):

> Why aren't the non-root `runner-` images the default?

Given this issue is still open, I assume this enhancement is not fully implemented. Or the original issue creator doesn't care about this topic enough to reply to my old comments.

If you had chosen the large/xxl images, you would be rootless by default.

The GitHub Actions Platform itself doesn't support rootless containers at all; this applies to images provided inside workflows.

> Shouldn't it be the main goal to be as compatible with GitHub's workflows, and as those use a non-root `runner` user, act should do the same?

_This is my opinion, as a maintainer who hasn't had any PR reviews for one and a half months as of today; merges are blocked by minimum review rules for non-owners. I did review some third-party PRs, but another inactive project member needs to do it as well. A **hard** fork might be needed and more people working on the codebase. I'm interested in the non-docker backend as this allows platform run actions that are not supported by official GitHub Actions._

This goal failed by going with docker; those who have written this goal are inactive by now.

- the Hosted Runner Environment is VM based
  - Docker containers have noticeable differences
- the large (pseudo) docker image is a snapshot of the `ubuntu-*` VM
  - systemd things are most likely broken; non-trivial hacks are required to get them running in docker
- bind mounting docker.sock breaks the docker cli commands in many ways (yes, this could be fixed by DinD)
- the folder layout is different (hard to change, a lot of code makes assumptions)
- random bugs in act that are not present in GitHub Actions and vice versa
- **current implementation of rootless act makes use of performance expensive `chown -R` to avoid permission issues**
- the mounted docker.sock is not usable and you see permission errors (rootless only; no, we cannot chown this one, that affects your docker installation)