Kubernetes Operator for Tangled Spindles

more fixes?

evan.jarrett.net 53c53224 d7f98bef

+7 -2
+2
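--- a/internal/engine/kubernetes_engine.go
+++ b/internal/engine/kubernetes_engine.go
@@ -133,6 +133,8 @@
 // These will be merged with pipeline env vars by the framework
 workflowEnv := map[string]string{
 "TANGLED_ARCHITECTURE": spec.Architecture,
+// HOME must be writable; we run as user 10000 so default /root won't work
+"HOME": "/tmp",
 }
 
 workflow := &models.Workflow{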
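Review bot: `HOME` is pinned to `/tmp`, a world-writable shared scratch directory, so git's `--global` config (written by the clone script in job_template.go), any credential-helper state and SSH `known_hosts` will land next to whatever else the job writes to /tmp. A dedicated directory keeps those dotfiles apart from scratch data and makes their ownership explicit, e.g. `"HOME": "/tmp/home"` with the clone script running `mkdir -p "$HOME"` first, or an emptyDir mounted at a fixed home path. If /tmp is ever backed by a volume shared with other containers in the pod, a writable HOME there would let a sibling plant a `.gitconfig` (`core.sshCommand`, `core.fsmonitor`) that the runner then executes; whether /tmp is shared is not visible from this hunk. The enclosing function continues outside the hunk.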
+5 -2
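--- a/internal/jobbuilder/job_template.go
+++ b/internal/jobbuilder/job_template.go
@@ -291,7 +291,9 @@
 AllowPrivilegeEscalation: &[]bool{false}[0],
 RunAsNonRoot: &[]bool{true}[0],
 RunAsUser: &[]int64{10000}[0],
-ReadOnlyRootFilesystem: &[]bool{true}[0],
+// Note: ReadOnlyRootFilesystem is NOT set for the runner container
+// because user-defined images may need to write to various locations
+// (e.g., /go/pkg, ~/.cache, /var/tmp) that we can't predict or mount
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -332,7 +334,7 @@
 
 // buildEnvironmentVariables creates the environment variables for the runner container.
 // All environment variables come from WorkflowSpec.Environment, which includes:
-// - Engine-specific vars (PATH, TANGLED_ARCHITECTURE) set in InitWorkflow
+// - Engine-specific vars (PATH, TANGLED_ARCHITECTURE, HOME) set in InitWorkflow
 // - Pipeline-level vars (TANGLED_REPO_*, TANGLED_REF, CI, etc.) injected by framework
 func buildEnvironmentVariables(config WorkflowConfig) []corev1.EnvVar {
 var env []corev1.EnvVar
@@ -375,6 +377,7 @@
 // Add set -e for error handling, safe.directory config to handle ownership mismatch
 // (emptyDir volumes are root-owned but we run as user 10000)
 script := "set -e\n" +
+"git config --global init.defaultBranch main\n" +
 "git config --global advice.detachedHead false\n" +
 "git config --global safe.directory /tangled/workspace\n" +
 strings.Join(config.CloneCommands, "\n") + "\n" +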
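Review bot: Removing `ReadOnlyRootFilesystem` from the runner container (first hunk) drops the one control that stopped a user-supplied image from rewriting its own binaries and `/etc` at runtime, while `RunAsNonRoot` and drop-ALL stay in place; since the new comment already names the paths that need to be writable, the usual answer is to keep the flag and give those paths `emptyDir` mounts, or at least make the relaxation an explicit per-workflow opt-in instead of the silent default. Assuming the same `config WorkflowConfig` is reachable where the SecurityContext is built, a field such as `WritableRootFS bool` defaulting to false, mapped to `ReadOnlyRootFilesystem: &[]bool{!config.WritableRootFS}[0]`, keeps the hardened default and records who asked for the exception. The ownership mismatch the third hunk works around (root-owned emptyDir, user 10000) is what a pod-level `FSGroup: 10000` normally resolves; the pod security context is not visible here, so it is worth confirming it is not already set before keeping the `safe.directory` workaround. Both the SecurityContext literal and the script-building function extend beyond the hunks.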