Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
GitHub needs to digitally sign the ps1 scripts.
See original GitHub issueDescription
GitHub/Microsoft does not sign autogenerated ps1 scripted steps, this causes a failure on a self-hosted Windows runners.
For example, let’s take this step:
Run dotnet restore some.csproj
Which is turned into the following ps1 file that gets downloaded to the runner:
C:\actions-runner\_work\_temp\7af2df60-c729-42fb-85a1-d9de2fd74369.ps1
However, when the runner tries to execute it, you get the expected trust error:
The file C:\actions-runner\_work\_temp\7af2df60-c729-42fb-85a1-d9de2fd74369.ps1 is not digitally signed. You cannot run this script on the current system.
The workaround is to change execution policy, but this is extremely dangerous and a very bad idea. Microsoft should sign any ps1 steps it creates.
Area for Triage:
- .NET Core
- Scripting and command line
Question, Bug, or Feature?:
Bug
Virtual environments affected
- macOS 10.15
- Ubuntu 16.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 20.04 LTS
- Windows Server 2016 R2
- Windows Server 2019
- Self-Hosted Windows Runner
Expected behavior
Steps work
Actual behavior
Steps fail due to unsigned ps1 file.
Run dotnet restore $env:SolutionPath --configfile $env:NugetConfigPath --runtime $env:RID
. : File C:\actions-runner\_work\_temp\7af2df60-c729-42fb-85a1-d9de2fd74369.ps1 cannot be loaded. The file
C:\actions-runner\_work\_temp\7af2df60-c729-42fb-85a1-d9de2fd74369.ps1 is not digitally signed. You cannot run this
script on the current system. For more information about running scripts and setting execution policy, see
about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . 'C:\actions-runner\_work\_temp\7af2df60-c729-42fb-85a1-d9de2fd74369 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
##[error]Process completed with exit code 1.
Repro steps
A description with steps to reproduce the issue. If your have a public example or repo to share,
please provide the link.
- Create a Windows self-hosted runner
- Run a workflow that uses any steps that creates a ps1 file for the step’s instructions.
For a repro example, you can use the following:
name: GitHub Actions Repro
on:
push
jobs:
build:
runs-on: self-hosted
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/setup-dotnet@v1
with:
dotnet-version: '3.1.302'
# This will fail
- name: NuGet Restore
run: dotnet restore some.csproj --runtime win-x86
Issue Analytics
- State:
- Created 3 years ago
- Reactions:7
- Comments:13
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The net result is that Runners are broken for windows.
Assuming a default install of the runner on Windows,
psexec -i -u "nt authority\network service" powershell.exeSet-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUserIdeally the service should run with a virtual account instead of network service.