fix(actions): install CLI via raw URL, not github.action_path#30
Conversation
All 13 composite actions installed the prebuilt CLI with
`bash "${{ github.action_path }}/../../scripts/install-cli.sh"`. The GitHub
runner does NOT translate `github.action_path` into the job container when the
container runtime is podman (it leaks the host path, e.g.
`/home/runner-N/actions-runner/_work/_actions/...`, which isn't mounted in the
container) → every action dies with exit 127 / "No such file or directory".
This blocks Vymalo's vps-runner fleet (podman-as-docker) entirely.
Fix: fetch the installer from the pinned ref over HTTPS instead of a filesystem
path — container- and runtime-agnostic:
env:
FT_REF: ${{ github.action_ref }}
run: |
curl ... "https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" | bash -s --
install-cli.sh now resolves its version without an on-disk checkout (it can be
piped from stdin): arg / CLI_VERSION → on-disk cli-version.txt → cli-version.txt
fetched from FT_REF → baked DEFAULT_CLI_VERSION. BASH_SOURCE-derived paths are
guarded so a stdin run can't abort under `set -e`.
No behaviour change on runners where action_path already worked (real Docker,
host-native); the raw-URL path is strictly more portable.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Code Review
This pull request updates several GitHub Action workflows to fetch and execute the install-cli.sh script via curl from GitHub instead of running it from a local path, addressing issues in containerized environments like Podman. It also updates install-cli.sh to support execution via stdin piping. The reviewer feedback highlights two main issues: first, github.action_ref is empty when workflows run within the same repository, which will cause the curl fetch to fail with a 404, so falling back to github.sha is recommended; second, in install-cli.sh, using dirname on $0 can fail if $0 starts with a hyphen (e.g., in login shells), which can be resolved by using dirname --.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| env: | ||
| FT_REF: ${{ github.action_ref }} |
There was a problem hiding this comment.
When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.
env:
FT_REF: ${{ github.action_ref || github.sha }}| repo_root="$(cd "$script_dir/.." && pwd)" | ||
| # When piped from stdin (curl | bash) there is no on-disk checkout, so BASH_SOURCE | ||
| # is unreliable — fall back to "." and guard every repo-relative read below. | ||
| script_dir="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" 2>/dev/null && pwd || echo .)" |
There was a problem hiding this comment.
When install-cli.sh is piped from stdin, BASH_SOURCE is empty, so the script falls back to $0. If $0 starts with a hyphen (for example, in a login shell like -bash), dirname will treat it as an option and fail with an invalid option error. Using -- before the argument prevents dirname from interpreting it as an option.
| script_dir="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" 2>/dev/null && pwd || echo .)" | |
| script_dir="$(cd "$(dirname -- "${BASH_SOURCE[0]:-$0}")" 2>/dev/null && pwd || echo .)" |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ab02144b14
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # runner under podman → a path-based call ENOENTs. Fetch the installer | ||
| # from the pinned ref (container/runtime-agnostic). | ||
| curl --fail --silent --show-error --location --retry 3 \ | ||
| "https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" \ |
There was a problem hiding this comment.
Use the action repository when fetching the installer
When a workflow consumes this action from a fork or from a ref/SHA that only exists outside vymalo/flutter-tools (for example to test action changes before they are merged upstream), github.action_ref is only the ref name while this URL always fetches from the upstream repository. The previous github.action_path version read install-cli.sh from the actual checked-out action, but this now 404s before the CLI can install; the same hard-coded raw URL pattern is repeated in the other action metadata files. Pass/use github.action_repository for the raw URL instead of hard-coding the owner/repo.
Useful? React with 👍 / 👎.
| # runner under podman → a path-based call ENOENTs. Fetch the installer | ||
| # from the pinned ref (container/runtime-agnostic). | ||
| curl --fail --silent --show-error --location --retry 3 \ | ||
| "https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" \ |
There was a problem hiding this comment.
Keep installer fetch bound to the loaded action
When consumers pin a mutable action ref such as @v0 or a branch, github.action_ref is the symbolic ref, so this curl re-resolves it instead of using the action checkout that is already running. If that ref moves while earlier steps in this composite are still running (for example the Flutter/Java setup above), the action metadata can come from one commit while install-cli.sh/cli-version.txt come from another, which can install an incompatible CLI version or fail on a not-yet-published binary. Fetch using an immutable resolved revision or otherwise keep the installer version bound to the loaded action.
Useful? React with 👍 / 👎.
Summary
All 13 composite actions installed the prebuilt CLI with
bash "${{ github.action_path }}/../../scripts/install-cli.sh". The GitHub runner does not translategithub.action_pathinto the job container when the runtime is podman — it leaks the host path (/home/runner-N/actions-runner/_work/_actions/...), which is not mounted in the container, so every action dies with exit 127 / "No such file or directory". This blocks Vymalo'svps-runnerfleet (podman-as-docker) on every Flutter job.Fix: fetch the installer from the pinned ref over HTTPS instead of a filesystem path — container- and runtime-agnostic:
install-cli.shnow resolves its version without an on-disk checkout (it can be piped from stdin): arg /CLI_VERSION→ on-diskcli-version.txt→cli-version.txtfetched fromFT_REF→ bakedDEFAULT_CLI_VERSION.BASH_SOURCE-derived paths are guarded so a stdin run can't abort underset -e.Intent
Source of truth: Vymalo vps-runner CI failure — vymalo-shop#327, run 28426409853 (
analyze · test→install-cli.sh: No such file or directoryat the host_actionspath inside the podman container).Scope
13
actions/*/action.ymlinstall steps +scripts/install-cli.shversion resolution. No CLI source / behaviour change.Verification
yaml.safe_loadpasses on all 13 action.yml.bash -n scripts/install-cli.shpasses.github.action_path .../install-cli.shreferences remain (grep).analyze · testafterv0is moved to this commit.Risk Assessment
Low. No behaviour change on runners where
action_pathalready worked (real Docker / host-native); the raw-URL path is strictly more portable. Adds a small HTTPS fetch (retried) per action install.AI Usage Declaration
action_pathnon-translation + the raw-URL refactor across all actions.Reviewer Focus
github.action_refis reliably set foruses: owner/repo@refconsumers; the version-resolution precedence ininstall-cli.sh.🤖 Generated with Claude Code