Summary
The reusable workflow .github/workflows/go-ci.yaml@v1 fails in the build-and-test job on the self-hosted Hetzner runner because the coverage step calls sudo, which is not available passwordlessly on that runner.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
##[error]Process completed with exit code 1.
Where
build-and-test job → step "Augment coverage report with cyclomatic complexity":
# Workaround: CodeCoverageSummary runs inside a Docker container
# that writes code-coverage-results.md as root, so chown it back
# before editing.
sudo chown "$(id -un)" code-coverage-results.md
Root cause
PR #9 ("default CI runner from repository visibility") now routes internal/private repos to the self-hosted Hetzner pool (["self-hosted","hetzner"]). On GitHub-hosted ubuntu-latest, passwordless sudo works, so this step succeeded. On the Hetzner runners there is no passwordless sudo, so the sudo chown fails and the whole job fails — even though go build and all unit tests pass first.
Confirmed by comparing two identical dependabot dep-bump PRs in terraform-provider-canton-internal:
- PR #47 (before the change) ran on ubuntu-latest → green.
- PR #48 (after the change) runs on hetzner → build-and-test red on the sudo chown line. Build + all tests pass; only the coverage post-processing step fails.
Suggested fixes (pick one)
- Avoid sudo. The Docker action (irongut/CodeCoverageSummary) writes code-coverage-results.md as root. Instead of sudo chown, either:
  - run the chown without sudo, guarded by an ownership check, or
  - have the Docker step write to a path the runner user owns, or
  - use docker run --user "$(id -u):$(id -g)"-style ownership so the file is created as the runner user (no chown needed).
- Make the chown tolerant: sudo -n chown ... || chown ... || true so it degrades gracefully where passwordless sudo is unavailable.
- Configure passwordless sudo for the runner user on the Hetzner self-hosted runners (infra change).
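As an added illustration of the first two options (an ownership check plus a non-interactive sudo fallback), the following bash snippet is example code written for this issue, not the contents of go-ci.yaml or anything from irongut/CodeCoverageSummary. It assumes a Linux runner with GNU coreutils (stat -c); the macOS stat -f form is included only as a fallback. The function names owned_by_me and take_ownership are invented here.

```shell
#!/usr/bin/env bash
# Added example for the go-ci.yaml coverage step (not the workflow's own code).
# Replaces an unconditional `sudo chown` with: check ownership first, then try
# non-interactive sudo (-n never prompts), then plain chown, and finally give up
# with a non-zero status so the caller decides whether to skip the step.

# Print the numeric uid that owns $1; GNU stat first, BSD stat as a fallback.
file_uid() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null
}

# Return 0 if $1 exists and is already owned by the invoking user.
owned_by_me() {
  local f="$1" owner
  owner="$(file_uid "$f")" || return 1
  [ -n "$owner" ] && [ "$owner" = "$(id -u)" ]
}

# Ensure $1 is owned by the current user without assuming passwordless sudo.
# 0 = owned (already, or after a successful chown); 1 = could not take ownership.
take_ownership() {
  local f="$1"
  if owned_by_me "$f"; then
    return 0            # nothing to do, e.g. Docker step ran with --user "$(id -u):$(id -g)"
  fi
  # Root-owned file (the CodeCoverageSummary case): only sudo can fix it.
  # `sudo -n` fails immediately instead of hanging when a password would be needed,
  # and the redirect also hides "command not found" where sudo is absent.
  if sudo -n chown "$(id -un)" "$f" 2>/dev/null; then
    return 0
  fi
  # Plain chown succeeds only in the rare case we already have rights to the file.
  chown "$(id -un)" "$f" 2>/dev/null && return 0
  echo "warning: cannot take ownership of $f (no passwordless sudo); skipping" >&2
  return 1
}

# Suggested use inside the workflow step, so the job stays green on runners
# without passwordless sudo instead of failing after build and tests passed:
#   take_ownership code-coverage-results.md || exit 0
```

Returning a status instead of appending `|| true` inside the function keeps the decision to skip (rather than fail) the augmentation at the workflow step, where it can also be logged with the runner label that hit it.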
Notes
- The earlier lint failure (/bin/sh: 1: version: not found right after setup-go) on the Hetzner runner appears to have been resolved after a runner fix + re-run; lint is now green. Only the sudo chown issue in build-and-test remains.
Example failing run: https://github.com/peacefulstudio/terraform-provider-canton-internal/actions/runs/27114199688