From 265cac024ec85e8eb6acf6d22377b0e9e97a90a6 Mon Sep 17 00:00:00 2001
From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com>
Date: Wed, 6 May 2026 16:56:36 +0100
Subject: [PATCH] ci(bluebuild): chown /etc/sudo* to root before sudo
 (userns=host fix)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/build-bluebuild.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index a386a3b..2062d26 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -55,6 +55,15 @@ jobs:
         # Pinned to last v4 tag confirmed to ship on node20.
         uses: actions/checkout@v4.1.7
 
+      - name: Fix sudo perms (userns=host artefact)
+        run: |
+          # Daemon has userns-remap=default; the act job container is
+          # launched with --userns=host. The image was pulled under
+          # remap so /etc/sudo.conf + /etc/sudoers ship as uid 100000.
+          # sudo refuses to read either unless owned by uid 0. Restore.
+          chown -R 0:0 /etc/sudo.conf /etc/sudoers /etc/sudoers.d 2>/dev/null || true
+          ls -la /etc/sudo.conf /etc/sudoers 2>&1 | head -5
+
       - name: Install build tooling (Fedora)
         run: |
           set -euxo pipefail