Skip to content

fix(actions): install CLI via raw URL, not github.action_path#30

Merged
stephane-segning merged 1 commit into
mainfrom
fix/install-cli-no-action-path
Jun 30, 2026
Merged

fix(actions): install CLI via raw URL, not github.action_path#30
stephane-segning merged 1 commit into
mainfrom
fix/install-cli-no-action-path

Conversation

@stephane-segning

Copy link
Copy Markdown
Contributor

Summary

All 13 composite actions installed the prebuilt CLI with bash "${{ github.action_path }}/../../scripts/install-cli.sh". The GitHub runner does not translate github.action_path into the job container when the runtime is podman — it leaks the host path (/home/runner-N/actions-runner/_work/_actions/...), which is not mounted in the container, so every action dies with exit 127 / "No such file or directory". This blocks Vymalo's vps-runner fleet (podman-as-docker) on every Flutter job.

Fix: fetch the installer from the pinned ref over HTTPS instead of a filesystem path — container- and runtime-agnostic:

env:
  FT_REF: ${{ github.action_ref }}
run: |
  set -euo pipefail
  curl ... "https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" | bash -s --

install-cli.sh now resolves its version without an on-disk checkout (it can be piped from stdin): arg / CLI_VERSION → on-disk cli-version.txtcli-version.txt fetched from FT_REF → baked DEFAULT_CLI_VERSION. BASH_SOURCE-derived paths are guarded so a stdin run can't abort under set -e.

Intent

Source of truth: Vymalo vps-runner CI failure — vymalo-shop#327, run 28426409853 (analyze · testinstall-cli.sh: No such file or directory at the host _actions path inside the podman container).

Scope

13 actions/*/action.yml install steps + scripts/install-cli.sh version resolution. No CLI source / behaviour change.

Verification

  • yaml.safe_load passes on all 13 action.yml.
  • bash -n scripts/install-cli.sh passes.
  • No github.action_path .../install-cli.sh references remain (grep).
  • Downstream proof: rerun vymalo-shop#327 analyze · test after v0 is moved to this commit.

Risk Assessment

Low. No behaviour change on runners where action_path already worked (real Docker / host-native); the raw-URL path is strictly more portable. Adds a small HTTPS fetch (retried) per action install.

AI Usage Declaration

  • AI-assisted: diagnosis of the podman action_path non-translation + the raw-URL refactor across all actions.
  • Human reviewed every line and is accountable.

Reviewer Focus

github.action_ref is reliably set for uses: owner/repo@ref consumers; the version-resolution precedence in install-cli.sh.

🤖 Generated with Claude Code

All 13 composite actions installed the prebuilt CLI with
`bash "${{ github.action_path }}/../../scripts/install-cli.sh"`. The GitHub
runner does NOT translate `github.action_path` into the job container when the
container runtime is podman (it leaks the host path, e.g.
`/home/runner-N/actions-runner/_work/_actions/...`, which isn't mounted in the
container) → every action dies with exit 127 / "No such file or directory".
This blocks Vymalo's vps-runner fleet (podman-as-docker) entirely.

Fix: fetch the installer from the pinned ref over HTTPS instead of a filesystem
path — container- and runtime-agnostic:

    env:
      FT_REF: ${{ github.action_ref }}
    run: |
      curl ... "https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" | bash -s --

install-cli.sh now resolves its version without an on-disk checkout (it can be
piped from stdin): arg / CLI_VERSION → on-disk cli-version.txt → cli-version.txt
fetched from FT_REF → baked DEFAULT_CLI_VERSION. BASH_SOURCE-derived paths are
guarded so a stdin run can't abort under `set -e`.

No behaviour change on runners where action_path already worked (real Docker,
host-native); the raw-URL path is strictly more portable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@stephane-segning
stephane-segning merged commit b26dd57 into main Jun 30, 2026
1 check passed
@stephane-segning
stephane-segning deleted the fix/install-cli-no-action-path branch June 30, 2026 07:17

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several GitHub Action workflows to fetch and execute the install-cli.sh script via curl from GitHub instead of running it from a local path, addressing issues in containerized environments like Podman. It also updates install-cli.sh to support execution via stdin piping. The reviewer feedback highlights two main issues: first, github.action_ref is empty when workflows run within the same repository, which will cause the curl fetch to fail with a 404, so falling back to github.sha is recommended; second, in install-cli.sh, using dirname on $0 can fail if $0 starts with a hyphen (e.g., in login shells), which can be resolved by using dirname --.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +48 to +49
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +73 to +74
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +50 to +51
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +93 to +94
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +74 to +75
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +47 to +48
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +63 to +64
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +37 to +38
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment on lines +43 to +44
env:
FT_REF: ${{ github.action_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

When the action is run within the same repository (such as in the repository's own CI/CD workflows or during local testing), github.action_ref is empty. This causes the curl command to attempt to fetch from an invalid URL (with a double slash and no ref), resulting in a 404 error and failing the step. Falling back to github.sha when github.action_ref is empty ensures that the action remains functional and always fetches the correct version of the script corresponding to the commit being tested.

      env:
        FT_REF: ${{ github.action_ref || github.sha }}

Comment thread scripts/install-cli.sh
repo_root="$(cd "$script_dir/.." && pwd)"
# When piped from stdin (curl | bash) there is no on-disk checkout, so BASH_SOURCE
# is unreliable — fall back to "." and guard every repo-relative read below.
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" 2>/dev/null && pwd || echo .)"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

When install-cli.sh is piped from stdin, BASH_SOURCE is empty, so the script falls back to $0. If $0 starts with a hyphen (for example, in a login shell like -bash), dirname will treat it as an option and fail with an invalid option error. Using -- before the argument prevents dirname from interpreting it as an option.

Suggested change
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" 2>/dev/null && pwd || echo .)"
script_dir="$(cd "$(dirname -- "${BASH_SOURCE[0]:-$0}")" 2>/dev/null && pwd || echo .)"

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ab02144b14

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

# runner under podman → a path-based call ENOENTs. Fetch the installer
# from the pinned ref (container/runtime-agnostic).
curl --fail --silent --show-error --location --retry 3 \
"https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use the action repository when fetching the installer

When a workflow consumes this action from a fork or from a ref/SHA that only exists outside vymalo/flutter-tools (for example to test action changes before they are merged upstream), github.action_ref is only the ref name while this URL always fetches from the upstream repository. The previous github.action_path version read install-cli.sh from the actual checked-out action, but this now 404s before the CLI can install; the same hard-coded raw URL pattern is repeated in the other action metadata files. Pass/use github.action_repository for the raw URL instead of hard-coding the owner/repo.

Useful? React with 👍 / 👎.

# runner under podman → a path-based call ENOENTs. Fetch the installer
# from the pinned ref (container/runtime-agnostic).
curl --fail --silent --show-error --location --retry 3 \
"https://raw.githubusercontent.com/vymalo/flutter-tools/${FT_REF}/scripts/install-cli.sh" \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep installer fetch bound to the loaded action

When consumers pin a mutable action ref such as @v0 or a branch, github.action_ref is the symbolic ref, so this curl re-resolves it instead of using the action checkout that is already running. If that ref moves while earlier steps in this composite are still running (for example the Flutter/Java setup above), the action metadata can come from one commit while install-cli.sh/cli-version.txt come from another, which can install an incompatible CLI version or fail on a not-yet-published binary. Fetch using an immutable resolved revision or otherwise keep the installer version bound to the loaded action.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant