ci: fix upload-artifact EACCES in all downstream test reusables #5608

Merged
renecannao merged 1 commit into GH-Actions from ci/fix-upload-artifact-eacces
Apr 11, 2026

renecannao commented Apr 11, 2026

Summary

Every downstream test reusable on GH-Actions (ci-legacy-g*, ci-mysql84-g*, ci-basictests, ci-repltests, ci-shuntest, etc.) uploads proxysql/ci_*_logs/ as a post-mortem artifact when a test fails, via actions/upload-artifact@v4 inside if: failure() && !cancelled(). That upload dies every single time with:

##[error]EACCES: permission denied, scandir '/home/runner/work/proxysql/proxysql/proxysql/ci_infra_logs/infra-mariadb10-ci-legacy-g3/mariadb1/mysql'

because ci_*_logs/ contains files that the docker build containers wrote as root, and the host-side runner user cannot scandir into those directories.

Net effect: for every failed test in the CI cascade, zero artifacts are uploaded. Maintainers trying to investigate CI failures from the Actions page get "no artifacts found" and have to reproduce locally.

Concrete proof case from today: runs 24281031531, 24281031522, 24281031524 on PR #5596 (commit 09b97547f) — all three failed with real TAP test failures (test_flush_logs-t, pgsql-servers_ssl_params-t, pgsql-ssl_keylog-t, test_read_only_actions_offline_hard_servers-t), and all three have artifacts: [] when queried via gh api. The TAP .log.gz files that would have told us why the tests failed were lost.

Fix

Insert a new Fix artifact permissions step before every actions/upload-artifact@v4 step whose path is proxysql/ci_*_logs/. The new step runs:

    sudo chmod -R a+rX proxysql/ci_*_logs/ 2>/dev/null || true

  • sudo because the files are root-owned (created inside docker containers)
  • a+rX makes everything world-readable, with directory-traverse on directories (capital X)
  • 2>/dev/null || true because the path may not exist on some failure paths (e.g. a cache-restore failure before any test runs)

Same pattern as the sudo rm -rf test/deps + sudo find ... -delete fix we shipped in PR #5605 for ci-builds.yml.

Files touched (22)

  • ci-basictests.yml
  • ci-legacy-clickhouse-g1.yml
  • ci-legacy-g1.yml, ci-legacy-g2.yml, ci-legacy-g2-genai.yml, ci-legacy-g3.yml, ci-legacy-g4.yml, ci-legacy-g5.yml
  • ci-mysql84-g1.yml through ci-mysql84-g5.yml
  • ci-repltests.yml, ci-shuntest.yml, ci-selftests.yml
  • ci-taptests.yml, ci-taptests-asan.yml, ci-taptests-old.yml, ci-taptests-ssl.yml, ci-taptests-groups.yml
  • ci-unittests.yml

Files intentionally NOT touched

Test plan

  • All 22 patched files pass yaml.safe_load (no syntax breakage from the insertion)
  • Spot-checked ci-legacy-g1.yml manually — insertion is at the correct indentation and immediately precedes the existing Archive artifacts logs step
  • After merge, next failed CI test run should show a non-empty artifacts: [...] in gh api repos/sysown/proxysql/actions/runs/<id>/artifacts, with the ci_*_logs/ tarball containing the per-test .log.gz files
  • The Node.js 20 deprecation warning from actions/upload-artifact@v4 is unchanged — this PR is orthogonal to that

Summary by CodeRabbit

  • Chores
    • Updated multiple CI workflows to improve artifact upload reliability by ensuring log directories have appropriate read permissions before archival. This prevents permission-related failures during log collection on workflow failures.

Every downstream test reusable ran actions/upload-artifact@v4 on its
ci_*_logs/ output path inside an `if: failure() && !cancelled()` block.
When a test actually failed, the upload would die with:

  ##[error]EACCES: permission denied, scandir '/home/runner/work/
  proxysql/proxysql/proxysql/ci_infra_logs/infra-mariadb10-ci-legacy-g3/
  mariadb1/mysql'

...because ci_*_logs/ contains files created inside docker build
containers as root, which the host-side runner user cannot scandir.
Net effect: ZERO post-mortem artifacts for failed test runs. Every
maintainer trying to investigate a CI test failure from the Actions
page got "no artifacts found" and had to reproduce the failure
locally, which is slow and often impossible (CI-specific races).

This is the same bug we fixed in ci-builds.yml with sudo (PR #5605),
but the fix there only addressed the cache-shrink cleanup paths -
it missed every downstream reusable that also wrote to ci_*_logs/
from inside docker and then tried to upload.

Fix: before each actions/upload-artifact@v4 step whose path is
proxysql/ci_*_logs/, insert a `Fix artifact permissions` step that
runs `sudo chmod -R a+rX proxysql/ci_*_logs/` to make the tree
world-readable. sudo is required because the files are root-owned.
2>/dev/null + || true because the path may not exist on all failure
paths (e.g. a cache-restore failure before the test even runs).

Applied to 22 reusable workflow files:

- ci-basictests.yml
- ci-legacy-clickhouse-g1.yml
- ci-legacy-g1.yml, ci-legacy-g2.yml, ci-legacy-g2-genai.yml,
  ci-legacy-g3.yml, ci-legacy-g4.yml, ci-legacy-g5.yml
- ci-mysql84-g1.yml ... ci-mysql84-g5.yml
- ci-repltests.yml, ci-shuntest.yml, ci-selftests.yml
- ci-taptests.yml, ci-taptests-asan.yml, ci-taptests-old.yml,
  ci-taptests-ssl.yml, ci-taptests-groups.yml
- ci-unittests.yml

Not touched:

- ci-maketest.yml - uploads ./build-*.log, created by the runner
  user outside docker, no EACCES
- ci-3p-*.yml - these do not upload ci_*_logs/; their artifact uploads
  (if any) target 3p-specific paths created outside docker
- ci-builds.yml - already handled by PR #5605 (sudo rm on test/deps,
  sudo find on unit binaries)

How to verify on a future CI run: if a TAP test fails in any of
the patched workflows, `gh api repos/sysown/proxysql/actions/runs/
<run_id>/artifacts` should now return a non-empty list, with the
ci_*_logs/ tarball containing the per-test .log.gz files for
post-mortem analysis. Before this fix, it returned an empty array
for any failed run (because upload-artifact died before emitting
anything) - see run 24281031531 on 2026-04-11 as the proof case.

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai bot commented Apr 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6fdc44f3-b168-4da6-83f4-9941c0bc4a7c

📥 Commits

Reviewing files that changed from the base of the PR and between a9c1008 and 54365c4.

📒 Files selected for processing (22)
  • .github/workflows/ci-basictests.yml
  • .github/workflows/ci-legacy-clickhouse-g1.yml
  • .github/workflows/ci-legacy-g1.yml
  • .github/workflows/ci-legacy-g2-genai.yml
  • .github/workflows/ci-legacy-g2.yml
  • .github/workflows/ci-legacy-g3.yml
  • .github/workflows/ci-legacy-g4.yml
  • .github/workflows/ci-legacy-g5.yml
  • .github/workflows/ci-mysql84-g1.yml
  • .github/workflows/ci-mysql84-g2.yml
  • .github/workflows/ci-mysql84-g3.yml
  • .github/workflows/ci-mysql84-g4.yml
  • .github/workflows/ci-mysql84-g5.yml
  • .github/workflows/ci-repltests.yml
  • .github/workflows/ci-selftests.yml
  • .github/workflows/ci-shuntest.yml
  • .github/workflows/ci-taptests-asan.yml
  • .github/workflows/ci-taptests-groups.yml
  • .github/workflows/ci-taptests-old.yml
  • .github/workflows/ci-taptests-ssl.yml
  • .github/workflows/ci-taptests.yml
  • .github/workflows/ci-unittests.yml
📜 Recent review details
🔇 Additional comments (22)
.github/workflows/ci-unittests.yml (1)

74-84: Good failure-path permission normalization before artifact upload.

Line 75 gating and Line 84 sudo chmod -R a+rX are well-scoped for the reported upload-artifact EACCES failure mode, and placement before log upload is correct.

.github/workflows/ci-taptests-ssl.yml (1)

322-333: Looks correct and consistently applied for failure-only artifact collection.

Line 323 condition and Line 332 command should prevent root-owned ci_*_logs from breaking the subsequent upload scan.

.github/workflows/ci-basictests.yml (1)

97-108: Approved: correct placement and condition for artifact-readability fix.

Line 98 and Line 107 are aligned with the downstream upload behavior and should resolve the scandir permission failure.

.github/workflows/ci-mysql84-g1.yml (1)

103-114: LGTM for this workflow variant as well.

Line 104 failure-only gating plus Line 113 recursive a+rX on proxysql/ci_*_logs/ is appropriate for Docker-created root-owned logs.

.github/workflows/ci-taptests.yml (1)

259-270: Approved: this should unblock failed-run artifact uploads.

The step at Line 259-Line 270 is correctly conditioned and sequenced to normalize permissions before actions/upload-artifact scans log directories.

.github/workflows/ci-legacy-g3.yml (1)

103-114: Good fix for legacy-g3 failure artifact path.

Line 113’s sudo chmod -R a+rX with tolerant error handling is appropriate for root-owned files generated by containerized test infra.

.github/workflows/ci-legacy-g4.yml (1)

104-115: Looks good in ci-legacy-g4 too.

The failure-only permission adjustment at Line 105-Line 114 is correctly scoped and placed immediately ahead of artifact upload.

.github/workflows/ci-mysql84-g3.yml (1)

103-114: Approved for mysql84-g3 workflow.

Line 103-Line 114 correctly implements the same failed-run permission normalization and should prevent upload-artifact@v4 EACCES on proxysql/ci_*_logs/.

.github/workflows/ci-shuntest.yml (1)

106-116: Good failure-path hardening before upload.

This step is correctly scoped and placed: it runs only on failed, non-cancelled runs and resolves EACCES on root-owned ci_*_logs without breaking early-failure paths.

.github/workflows/ci-legacy-g5.yml (1)

103-113: Correct insertion point and condition.

Running this chmod step immediately before actions/upload-artifact on failure is the right fix for root-owned log directories.

.github/workflows/ci-legacy-g2.yml (1)

104-114: LGTM for failure artifact recovery.

The failure() && !cancelled() guard plus missing-path tolerance makes this safe across both test-failure and early-failure paths.

.github/workflows/ci-repltests.yml (1)

110-120: Nice consistency with the artifact upload path.

This step correctly targets proxysql/ci_*_logs/ and should prevent upload failures from root-owned Docker outputs.

.github/workflows/ci-mysql84-g5.yml (1)

103-113: Solid fix for the known upload-artifact permission failure.

The step is scoped narrowly to failed runs and normalizes read/traverse bits needed by the runner.

.github/workflows/ci-legacy-g2-genai.yml (1)

105-115: Well integrated with this workflow’s failure handling.

The new step addresses log readability issues without affecting the existing coverage artifact step.

.github/workflows/ci-selftests.yml (1)

130-140: Good defensive step before failure artifact upload.

This should reliably unblock scandir/upload of ci_*_logs generated with restrictive root ownership.

.github/workflows/ci-taptests-old.yml (1)

311-321: Correct pre-upload remediation for failed test shards.

Adding this just before failure artifact uploads is the right mitigation for EACCES on Docker-created log trees.

.github/workflows/ci-taptests-groups.yml (1)

338-353: Good failure-path hardening before artifact upload.

This is correctly placed before actions/upload-artifact, and the a+rX + tolerant fallback (2>/dev/null || true) addresses the EACCES scandir failure mode without making the job more brittle.

.github/workflows/ci-legacy-g1.yml (1)

103-114: Nice targeted fix for root-owned CI logs.

The permission normalization is scoped to proxysql/ci_*_logs/, runs only on failure paths, and should unblock artifact upload scans reliably.

.github/workflows/ci-legacy-clickhouse-g1.yml (1)

104-115: Looks correct and consistent with the intended EACCES mitigation.

This should prevent upload-artifact@v4 failures when Docker leaves log directories root-owned.

.github/workflows/ci-mysql84-g4.yml (1)

103-114: Solid pre-upload permissions fix.

The step is minimal, resilient to missing paths, and directly addresses the artifact scanner permission issue.

.github/workflows/ci-mysql84-g2.yml (1)

103-114: LGTM on the artifact permission normalization step.

This should remove the scandir EACCES failure mode for root-owned ci_*_logs content.

.github/workflows/ci-taptests-asan.yml (1)

307-318: Correct mitigation added in the right place.

Running this immediately before artifact upload on failed runs is the right control point to avoid permission-related upload failures.


Walkthrough

Adds a conditional failure-only step across 22 GitHub Actions workflows that recursively changes permissions on proxysql/ci_*_logs/ directories using sudo chmod -R a+rX, ensuring log files created as root-owned inside Docker containers become readable by the runner before artifact upload steps execute.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI Basictests: .github/workflows/ci-basictests.yml | Added failure-only "Fix artifact permissions" step to make root-owned log directories readable before artifact upload. |
| CI Legacy Group Workflows: .github/workflows/ci-legacy-*.yml | Added identical failure-only "Fix artifact permissions" steps across 8 legacy group workflows (clickhouse-g1, g1–g5) to prevent EACCES during artifact upload. |
| CI MySQL 8.4 Group Workflows: .github/workflows/ci-mysql84-*.yml | Added failure-only "Fix artifact permissions" steps across 5 MySQL 8.4 group workflows (g1–g5) using sudo chmod -R a+rX proxysql/ci_*_logs/ with error suppression. |
| CI Test Workflow Suite: .github/workflows/ci-repltests.yml, ci-selftests.yml, ci-shuntest.yml, ci-unittests.yml | Added failure-only permission-fix steps to individual test workflows to ensure log artifact uploads succeed despite root-owned Docker-created directories. |
| CI TAP Test Variants: .github/workflows/ci-taptests*.yml | Added failure-only "Fix artifact permissions" steps across 5 TAP test workflow variants (asan, groups, old, ssl, standard) conditionally executed on job failure and non-cancellation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

🐰 Hop, hop, chmod the logs with might!
Root-owned Docker files, now readable and bright!
Before the upload flow takes flight,
Permissions fixed on failure's night—
No EACCES shall dim our sight! 📜✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately describes the main change: fixing an upload-artifact EACCES error across all downstream test reusable workflows by adding permission-fix steps. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@renecannao renecannao merged commit 4f93d92 into GH-Actions Apr 11, 2026
2 checks passed
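
The mode change this PR applies, shown on a constructed tree as an added example (not part of the PR or the ProxySQL workflows): it audits which entries the "other" permission class cannot read or traverse, applies `chmod -R a+rX`, and audits again. The directory layout, file names and helper function names are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not part of the PR. The tree is constructed sample data:
# dirs 0700 and files 0600, the modes a root process with umask 077 leaves.

make_demo_tree() {            # $1 = scratch workspace (hypothetical layout)
  d="$1/ci_infra_logs/db1"
  mkdir -p "$d/mysql"
  printf 'constructed log line\n' > "$d/mysql/error.log"
  printf '#!/bin/sh\n' > "$d/collect.sh"
  chmod 0600 "$d/mysql/error.log"
  chmod 0700 "$d/collect.sh" "$d/mysql" "$d" "$1/ci_infra_logs"
}

# Entries the "other" class cannot read (-004 missing), plus directories it
# cannot traverse (-001 missing). These are what scandir fails on when root
# owns the tree and the runner user falls into "other". Mode-bit based, so
# the result does not depend on who runs the audit.
blocked_for_others() {
  find "$1" \( ! -perm -004 -o -type d ! -perm -001 \) -print
}

count_blocked() { blocked_for_others "$1" | wc -l; }

# Same mode change as the PR's step. The demo tree belongs to the caller, so
# sudo is omitted here; in the workflow root owns the files and sudo is needed.
fix_artifact_perms() {        # $1 = workspace containing ci_*_logs/
  chmod -R a+rX "$1"/ci_*_logs/ 2>/dev/null || true
}

demo() {
  ws=$(mktemp -d)
  make_demo_tree "$ws"
  echo "blocked before: $(count_blocked "$ws/ci_infra_logs")"
  fix_artifact_perms "$ws"
  echo "blocked after:  $(count_blocked "$ws/ci_infra_logs")"
  # Capital X: directories and already-executable files gain x, plain files do not.
  find "$ws/ci_infra_logs" -exec ls -ld {} +
  rm -rf "$ws"
}
demo
```

Running `blocked_for_others` on a real `ci_*_logs/` tree before the upload step shows exactly which paths would trigger the EACCES, without needing root to run the audit.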