From 36949b9718fdaf0018b29c8598661ec758ac7b39 Mon Sep 17 00:00:00 2001
From: Vincent Haupert
Date: Thu, 23 Feb 2023 08:41:06 +0100
Subject: [PATCH] nixos/github-runners: clean `workDir` as root

Purge contents of `workDir` as root to also allow the removal of files marked as read-only. It is easy to create read-only files in `workDir`, e.g., by copying files from the Nix store.
---
 .../continuous-integration/github-runner/service.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix
index db9a19815ec1..3d11728ebfdd 100644
--- a/nixos/modules/services/continuous-integration/github-runner/service.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/service.nix
@@ -124,6 +124,8 @@ in
 # The state directory is entirely empty which indicates a first start
 copy_tokens
 fi
+ # Always clean workDir
+ find -H "$WORK_DIRECTORY" -mindepth 1 -delete
 '';
 configureRunner = writeScript "configure" ''
 if [[ -e "${newConfigTokenPath}" ]]; then
@@ -159,9 +161,6 @@ in fi ''; setupWorkDir = writeScript "setup-work-dirs" '' - # Cleanup previous service - ${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete - # Link _diag dir ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
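Review bot: In the first hunk (`@@ -124,6 +124,8 @@`), the added `find -H "$WORK_DIRECTORY" -mindepth 1 -delete` runs as root according to the commit message, over a tree that CI jobs write to, and `-H` makes find follow `$WORK_DIRECTORY` itself if it is a symlink, so the line is only safe while the runner user cannot replace that path. If a symlinked workDir is not meant to be supported, drop `-H`; if it is, add a comment recording why the path is trusted, along the lines of `# -H is safe here: the parent of workDir is not writable by the runner user` (only if that holds for every configurable workDir). The line also calls a bare `find` where the removed line in the second hunk used `${pkgs.findutils}/bin/find`; unless the unit's PATH is known to provide findutils, keep the pinned form, `${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete`. The enclosing script starts outside this hunk, so its privilege level and PATH could not be checked from the visible lines.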