From b2fdd80112e5f140e097b11d7a3d9edf0b226fd0 Mon Sep 17 00:00:00 2001 From: Octavian Guzu Date: Wed, 8 Apr 2026 10:20:15 +0100 Subject: [PATCH] Use pinned bun binary for post-steps when allowed_non_write_users is set (#1190) Copies the bun binary into $GITHUB_ACTION_PATH/bin before the claude step runs and uses that copy in the two post-steps that invoke bun. Falls back to PATH-resolved bun when allowed_non_write_users is empty. :house: Remote-Dev: homespace --- action.yml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 460a0a3..2e3388c 100644 --- a/action.yml +++ b/action.yml @@ -223,6 +223,16 @@ runs: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 fi + - name: Pin bun binary for post-steps + if: ${{ inputs.allowed_non_write_users != '' }} + continue-on-error: true + shell: bash + run: | + # Keep a copy of the bun binary alongside the action's own files so + # post-steps use the same version that was on PATH at action start. + mkdir -p "$GITHUB_ACTION_PATH/bin" + cp "$(command -v bun)" "$GITHUB_ACTION_PATH/bin/bun" + - name: Run Claude Code Action id: run shell: bash @@ -336,7 +346,9 @@ runs: if: always() && inputs.ssh_signing_key != '' shell: bash run: | - bun --no-env-file \ + BUN_BIN="${GITHUB_ACTION_PATH}/bin/bun" + [ -x "$BUN_BIN" ] || BUN_BIN="bun" + "$BUN_BIN" --no-env-file \ --config="${GITHUB_ACTION_PATH}/bunfig.toml" \ --tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \ run ${GITHUB_ACTION_PATH}/src/entrypoints/cleanup-ssh-signing.ts 
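Review bot: `continue-on-error: true` on the new "Pin bun binary for post-steps" step makes the pin fail open. If `command -v bun` prints nothing or `cp` fails, the job still proceeds into "Run Claude Code Action", and the post-steps later fall back to PATH-resolved `bun`, which is the case this step exists to avoid when `allowed_non_write_users` is set. Dropping that line stops the job before the Claude step whenever the pin cannot be made. The run comment could also state the limit of the pin, e.g. `# Guards PATH resolution only; this copy is presumably still writable by the job user, so it is not integrity-protected.`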
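Review bot: The fallback `[ -x "$BUN_BIN" ] || BUN_BIN="bun"` cannot tell "pinning was never requested" from "the pinned copy is missing or no longer executable", so with `allowed_non_write_users` set this step can still run whatever `bun` resolves to on PATH. The same three lines are repeated in the post-buffered-inline-comments step in the next hunk, where `ANTHROPIC_API_KEY` is in the environment of the process being launched, so that step needs the same change. Passing the pin requirement in through `env:` and refusing the fallback when it is required would make both steps fail closed, as sketched below; the keys of this step above `if:` are outside the hunk, so merge `PIN_REQUIRED` (a name made up for this sketch) into an existing `env:` block if there is one. For this cleanup step, failing closed also means the SSH signing cleanup does not run, so that trade-off should be decided explicitly.

```yaml
      env:
        # "true" when the pin step was expected to have run
        PIN_REQUIRED: ${{ inputs.allowed_non_write_users != '' }}
      run: |
        BUN_BIN="${GITHUB_ACTION_PATH}/bin/bun"
        if [ ! -x "$BUN_BIN" ]; then
          if [ "$PIN_REQUIRED" = "true" ]; then
            echo "::error::pinned bun binary missing; refusing PATH fallback"
            exit 1
          fi
          BUN_BIN="bun"
        fi
        # … unchanged: "$BUN_BIN" --no-env-file … run cleanup-ssh-signing.ts …
```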
@@ -351,7 +363,9 @@ runs: PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }} run: | - bun --no-env-file \ + BUN_BIN="${GITHUB_ACTION_PATH}/bin/bun" + [ -x "$BUN_BIN" ] || BUN_BIN="bun" + "$BUN_BIN" --no-env-file \ --config="${GITHUB_ACTION_PATH}/bunfig.toml" \ --tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \ run ${GITHUB_ACTION_PATH}/src/entrypoints/post-buffered-inline-comments.ts