From 9dc04020a4fd246ff42eb5b9aaf29db8cf4659e0 Mon Sep 17 00:00:00 2001
From: Garry Tan <garrytan@gmail.com>
Date: Mon, 23 Mar 2026 17:59:23 -0700
Subject: [PATCH] fix: run as runner user + redirect bun temp to writable
 /home/runner

Running as root breaks Claude CLI (refuses to start). Running as runner
breaks bun (can't write to root-owned /tmp dirs from Docker build).

Fix: run as --user runner, but redirect BUN_TMPDIR and TMPDIR to
/home/runner/.cache/bun which is writable by the runner user.
GITHUB_ENV exports apply to all subsequent steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/docker/Dockerfile.ci |  7 ++-----
 .github/workflows/evals.yml  | 12 ++++++++++--
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index 6fbfefb0..1bb0ffbd 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -59,8 +59,5 @@ RUN useradd -m -s /bin/bash runner \
     && chmod -R a+rX /opt/node_modules_cache \
     && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack \
     && chmod 1777 /tmp \
-    && mkdir -p /home/runner/.bun && chown -R runner:runner /home/runner/.bun
-
-# NOTE: Do NOT use USER runner here — GH Actions overrides USER and HOME
-# anyway, creating permission conflicts. Instead, we run as root (GH default)
-# and use gosu/su-exec for claude commands that refuse root.
+    && mkdir -p /home/runner/.bun && chown -R runner:runner /home/runner/.bun \
+    && chmod -R 1777 /tmp
diff --git a/.github/workflows/evals.yml b/.github/workflows/evals.yml
index 4a26716a..05c67370 100644
--- a/.github/workflows/evals.yml
+++ b/.github/workflows/evals.yml
@@ -62,6 +62,7 @@ jobs:
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
+      options: --user runner
     timeout-minutes: 20
     strategy:
       fail-fast: false
@@ -97,9 +98,16 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Bun creates root-owned temp dirs during Docker build. GH Actions runs as
+      # runner user with HOME=/github/home. Redirect bun's cache to a writable dir.
+      - name: Fix bun temp
+        run: |
+          mkdir -p /home/runner/.cache/bun
+          echo "BUN_INSTALL_CACHE_DIR=/home/runner/.cache/bun" >> "$GITHUB_ENV"
+          echo "BUN_TMPDIR=/home/runner/.cache/bun" >> "$GITHUB_ENV"
+          echo "TMPDIR=/home/runner/.cache" >> "$GITHUB_ENV"
+
       # Restore pre-installed node_modules from Docker image via symlink (~0s vs ~15s install)
-      # If package.json changed since image was built, fall back to fresh install
-      # Note: GITHUB_ENV vars from previous step are now active
       - name: Restore deps
         run: |
           if [ -d /opt/node_modules_cache ] && diff -q /opt/node_modules_cache/.package.json package.json >/dev/null 2>&1; then