If the `output-schema` input is passed to the action, `resolveOutputSchema` writes a temporary file (codex-action/src/runCodexExec.ts, lines 280 to 284 in e0fdf01):

```ts
case "inline": {
  const dir = await createTempDir("codex-output-schema-", runAsUser);
  const file = path.join(dir, "schema.json");
  await writeFile(file, schema.content);
  return { type: "temp", file, dir };
```
When `safety-strategy` is `unprivileged-user`, `createTempDir` calls `sudo -u ${runAsUser} mktemp -d -t ${prefix}.XXXXXX`, which by default creates a directory with `0700` permissions, so only the owner can access it (codex-action/src/runCodexExec.ts, lines 313 to 321 in e0fdf01):

```ts
await checkOutput([
  "sudo",
  "-u",
  runAsUser,
  "mktemp",
  "-d",
  "-t",
  `${prefix}.XXXXXX`,
])
```
However, because `writeFile` is performed by the process's own user (`runner`), which, as per the guide, only shares a group with the `runAsUser` user, the write fails: the group has no access to the temp directory.

```text
node:internal/fs/promises:637
  return new FileHandle(await PromisePrototypeThen(
                        ^
Error: EACCES: permission denied, open '/tmp/codex-output-schema-.wzM3U3/schema.json'
    at async open (node:internal/fs/promises:637:25)
    at async writeFile (node:internal/fs/promises:1219:14)
    at async resolveOutputSchema (/opt/actions-runner/_work/_actions/openai/codex-action/v1/dist/main.js:23599:7)
    at async runCodexExec (/opt/actions-runner/_work/_actions/openai/codex-action/v1/dist/main.js:23462:32)
    at async _Command.<anonymous> (/opt/actions-runner/_work/_actions/openai/codex-action/v1/dist/main.js:27802:7) {
  errno: -13,
  code: 'EACCES',
  syscall: 'open',
  path: '/tmp/codex-output-schema-.wzM3U3/schema.json'
}
```