
go-ci.yaml: build-and-test fails on self-hosted Hetzner runner due to sudo in coverage step #12

Description

@monsieurleberre

Summary

The reusable workflow .github/workflows/go-ci.yaml@v1 fails in the build-and-test job on the self-hosted Hetzner runner because the coverage step calls sudo, which is not available passwordlessly on that runner.

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
##[error]Process completed with exit code 1.

Where

build-and-test job → step "Augment coverage report with cyclomatic complexity":

# Workaround: CodeCoverageSummary runs inside a Docker container
# that writes code-coverage-results.md as root, so chown it back
# before editing.
sudo chown "$(id -un)" code-coverage-results.md

Root cause

PR #9 ("default CI runner from repository visibility") now routes internal/private repos to the self-hosted Hetzner pool (["self-hosted","hetzner"]). On GitHub-hosted ubuntu-latest, passwordless sudo works, so this step succeeded. On the Hetzner runners there is no passwordless sudo, so the sudo chown fails and the whole job fails — even though go build and all unit tests pass first.

Confirmed by comparing two identical dependabot dep-bump PRs in terraform-provider-canton-internal:

  • PR #47 (before the change) ran on ubuntu-latest → green.
  • PR #48 (after the change) runs on hetzner → build-and-test red on the sudo chown line. Build + all tests pass; only the coverage post-processing step fails.

Suggested fixes (pick one)

  1. Avoid sudo. The Docker action (irongut/CodeCoverageSummary) writes code-coverage-results.md as root. Instead of sudo chown, either:
    • run the chown without sudo guarded by an ownership check, or
    • have the Docker step write to a path the runner user owns, or
    • use docker run --user "$(id -u):$(id -g)"-style ownership so the file is created as the runner user (no chown needed).
  2. Make the chown tolerant: sudo -n chown ... || chown ... || true so it degrades gracefully where passwordless sudo is unavailable.
  3. Configure passwordless sudo for the runner user on the Hetzner self-hosted runners (infra change).
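
One way to implement the first suggested fix (an ownership check that never calls interactive sudo), written here as an added example rather than code taken from go-ci.yaml; it assumes the workspace directory belongs to the runner user (as it does after actions/checkout) and that the root-written coverage file is readable, and it adds a copy-and-replace fallback that the issue itself does not propose.

```shell
#!/usr/bin/env sh
# Added example, not the workflow's own code: make a file written by a root
# Docker step editable by the runner user without relying on passwordless sudo.
# Strategy: 1) nothing to do if we already own it;
#           2) try non-interactive sudo (sudo -n never prompts, so on the
#              Hetzner runner it fails fast instead of failing the job later);
#           3) fall back to copy-and-replace, which only needs write access to
#              the directory, not to the file (assumption: the workspace
#              directory is owned by the runner user).
take_ownership() {
  f="$1"
  [ -e "$f" ] || { echo "take_ownership: $f does not exist" >&2; return 1; }

  if [ -O "$f" ]; then
    echo "$f already owned by $(id -un); nothing to do"
    return 0
  fi

  if sudo -n chown "$(id -un)" "$f" 2>/dev/null; then
    echo "$f chowned via non-interactive sudo"
    return 0
  fi

  # No usable sudo: copy the readable file to a new inode we own and replace
  # the root-owned one. Replacing a directory entry needs write permission on
  # the directory, not ownership of the file, so no privilege is required.
  tmp="$f.$$"
  if cp "$f" "$tmp" && mv "$tmp" "$f"; then
    echo "$f replaced with a copy owned by $(id -un)"
    return 0
  fi
  rm -f "$tmp"
  echo "take_ownership: could not take ownership of $f" >&2
  return 1
}
```

In the workflow step this replaces the single `sudo chown` line with `take_ownership code-coverage-results.md`, so the step behaves the same on ubuntu-latest and degrades to the copy path on runners without passwordless sudo.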

Notes

  • The earlier lint failure (/bin/sh: 1: version: not found right after setup-go) on the Hetzner runner appears to have been resolved after a runner fix + re-run; lint is now green. Only the sudo chown issue in build-and-test remains.

Example failing run: https://github.com/peacefulstudio/terraform-provider-canton-internal/actions/runs/27114199688
