[BUG] Action doesn't work when using a COPY heredoc containing "*"?

[joshuar]

Version

redhat-actions/buildah-build@v2

Describe the bug

I have a Containerfile that is using a COPY command with a heredoc:

FROM ubuntu

COPY <<EOF /etc/dpkg/dpkg.cfg.d/excludes
# Drop all man pages
path-exclude=/usr/share/man/*
# Drop all translations
path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo
# Drop all documentation ...
path-exclude=/usr/share/doc/*
# ... except copyright files ...
path-include=/usr/share/doc/*/copyright
# ... and Debian changelogs for native & non-native packages
path-include=/usr/share/doc/*/changelog.*
EOF

This fails to build with the following GitHub actions workflow configuration:

name: Build

on:
  push:
    branches: [ main ]

jobs:
  build_container:
    runs-on: ubuntu-20.04
    env:
      REGISTRY: ghcr.io
      IMAGE: ${{ github.repository }}    
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Build container image
        id: build_image
        uses: redhat-actions/buildah-build@v2
        with:
          archs: amd64
          image: ${{ env.IMAGE }}
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
          containerfiles: Containerfile
          layers: false
          oci: true

The error in the actions log is:

Run redhat-actions/buildah-build@v2
  with:
    archs: amd64
    image: joshuar/buildah-action-test
    tags: ghcr.io/joshuar/buildah-action-test:latest
    containerfiles: Containerfile
    layers: false
    oci: true
    context: .
    tls-verify: true
  env:
    REGISTRY: ghcr.io
    IMAGE: joshuar/buildah-action-test
/usr/bin/buildah version
  /usr/bin/buildah version
  time="2024-05-07T07:53:47Z" level=warning msg="Failed to decode the keys [\"machine\"] from \"/usr/share/containers/containers.conf\"."
  Version:         1.22.3
  Go Version:      go1.15.2
  Image Spec:      1.0.1-dev
  Runtime Spec:    1.0.2-dev
  CNI Spec:        0.4.0
  libcni Version:  
  image Version:   5.15.2
  Git Commit:      
  Built:           Thu Jan  1 00:00:00 1970
  OS/Arch:         linux/amd64
Overriding storage mount_program with "fuse-overlayfs" in environment
Performing build from Containerfile
/usr/bin/buildah bud --arch amd64 -f /home/runner/work/buildah-action-test/buildah-action-test/Containerfile --format oci --tls-verify=true --layers=false -t ghcr.io/joshuar/buildah-action-test:latest /home/runner/work/buildah-action-test/buildah-action-test
time="2024-05-07T07:53:47Z" level=warning msg="Failed to decode the keys [\"machine\"] from \"/usr/share/containers/containers.conf\"."
time="2024-05-07T07:53:47Z" level=warning msg="Failed to decode the keys [\"machine\"] from \"/usr/share/containers/containers.conf\"."
STEP 1/8: FROM ubuntu
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob sha256:49b384cc7b4aa0dfd16ff7817ad0ea04f1d0a8072e62114efcd99119f8ceb9ed
Copying blob sha256:49b384cc7b4aa0dfd16ff7817ad0ea04f1d0a8072e62114efcd99119f8ceb9ed
Copying config sha256:bf3dc08bfed031182827888bb15977e316ad797ee2ccb63b4c7a57fdfe7eb31d
Writing manifest to image destination
Storing signatures
STEP 2/8: COPY <<EOF /etc/dpkg/dpkg.cfg.d/excludes
error building at STEP "COPY <<EOF /etc/dpkg/dpkg.cfg.d/excludes": checking on sources under "/home/runner/work/buildah-action-test/buildah-action-test": copier: stat: "/<<EOF": no such file or directory
time="2024-05-07T07:53:50Z" level=error msg="exit status 125"
Error: Error: buildah exited with code 125
time="2024-05-07T07:53:47Z" level=warning msg="Failed to decode the keys [\"machine\"] from \"/usr/share/containers/containers.conf\"."
time="2024-05-07T07:53:47Z" level=warning msg="Failed to decode the keys [\"machine\"] from \"/usr/share/containers/containers.conf\"."
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob sha256:49b384cc7b4aa0dfd16ff7817ad0ea04f1d0a8072e62114efcd99119f8ceb9ed
Copying blob sha256:49b384cc7b4aa0dfd16ff7817ad0ea04f1d0a8072e62114efcd99119f8ceb9ed
Copying config sha256:bf3dc08bfed031182827888bb15977e316ad797ee2ccb63b4c7a57fdfe7eb31d
Writing manifest to image destination
Storing signatures
error building at STEP "COPY <<EOF /etc/dpkg/dpkg.cfg.d/excludes": checking on sources under "/home/runner/work/buildah-action-test/buildah-action-test": copier: stat: "/<<EOF": no such file or directory
time="2024-05-07T07:5

This builds fine using buildah on the command-line:

🐟  ❯ buildah bud --format oci --tls-verify=true --layers=false
STEP 1/2: FROM ubuntu
STEP 2/2: COPY <<EOF /etc/dpkg/dpkg.cfg.d/excludes (# Drop all man pages...)
COMMIT
Getting image source signatures
Copying blob 80098e3d304c skipped: already exists  
Copying blob 5864f17201c3 done   | 
Copying config 860f3edebd done   | 
Writing manifest to image destination
--> 860f3edebd31
860f3edebd31b8e6c305530f2a14523762967624d5b24136bf00ab83a9226de9

I am unsure what the cause is here. The only issue I could find that might be remotely relevant was containers/buildah#5391. However I am not knowledgeable on buildah and its internals, just an end-user of the GitHub action.

If it helps, I create a repo with the Containerfile and workflow action that reliably reproduces this issue:

https://github.com/joshuar/buildah-action-test

[joshuar]

I've just discovered that it fails with a RUN heredoc as well. I've updated the https://github.com/joshuar/buildah-action-test repo with example containerfiles and jobs for both heredoc to a file and heredoc to run some commands.

Both containerfiles still work fine on the command-line with buildah, outside of the buildah-build action.