The pod doesn't have securityContext when it is created by workflow_call #3505

Closed
4 tasks done
Rory-Z opened this issue May 8, 2024 · 2 comments
Labels
bug (Something isn't working), gha-runner-scale-set (Related to the gha-runner-scale-set mode), needs triage (Requires review from the maintainers)


Rory-Z commented May 8, 2024

Checks

Controller Version

0.9.1

Deployment Method

Helm

Checks

  • This isn't a question or user support case (For Q&A and community support, go to Discussions).
  • I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes

To Reproduce

1. Deploy arc and arc-runner-set with helm; the arc-runner-set values look like this:

githubConfigUrl: https://github.com/own/repo
githubConfigSecret: arc-github-token

containerMode:
  type: kubernetes
  kubernetesModeWorkVolumeClaim:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi

runnerScaleSetName: aws-eks-platform-manager-stack

template:
  spec:
    securityContext:
      fsGroup: 123 ## This is the GID of the docker group in the container
    containers:
      - name: runner
        image: ghcr.io/actions/actions-runner:latest
        command: ["/home/runner/run.sh"]

2. Create a workflow file:

name: Actions Runner Controller Demo
on:
  push:
    branches:
      - ci/**
  workflow_dispatch:

jobs:
  deploy:
    uses: ./.github/workflows/deploy.yaml

3. Run this workflow

Describe the bug

When running my workflow, I got this error: Error: EACCES: permission denied, open '/__w/_temp/_runner_file_commands/set_env_6fe63793-a7e7-41c6-8549-b41736783cc5'

Watching my k8s pods, I found that when running the workflow, two pods are created: runner-name-wp8ht-runner-b22sr and runner-name-wp8ht-runner-b22sr-workflow.

I checked these two pods and found that runner-name-wp8ht-runner-b22sr has .spec.securityContext.fsGroup: 123. I think this configuration comes from my helm values.yaml, which is good, but runner-name-wp8ht-runner-b22sr-workflow doesn't have this; its .spec.securityContext is {}. I think this is why I got the permission denied error.

Describe the expected behavior

The runner-name-wp8ht-runner-b22sr-workflow has the correct securityContext

Additional Context

githubConfigUrl: https://github.com/own/repo
githubConfigSecret: arc-github-token

containerMode:
  type: kubernetes
  kubernetesModeWorkVolumeClaim:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi

runnerScaleSetName: runner-name

template:
  spec:
    securityContext:
      fsGroup: 123 ## This is the GID of the docker group in the container
    containers:
      - name: runner
        image: ghcr.io/actions/actions-runner:latest
        command: ["/home/runner/run.sh"]

Controller Logs

https://gist.github.com/Rory-Z/056060fe813263c127e997d4f08afad9#file-gistfile1-txt

Runner Pod Logs

https://gist.github.com/Rory-Z/056060fe813263c127e997d4f08afad9#file-runner-fd47b7ff-listener-logs
Contributor

github-actions bot commented May 8, 2024

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

@nikola-jokic
Member

Hey @Rory-Z,

The spec applied to the runner pod is not inherited by the workflow pod created by the hook. To apply security context, please use hook extensions.
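
Added example, not part of the thread and not the project's own configuration: one way to give the workflow pod the same fsGroup through a hook extension, by mounting a pod template into the runner and pointing the container hook at it with ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE. The ConfigMap name, namespace, volume name and mount path are assumptions.

```yaml
# 1) Kubernetes manifest: pod template that the container hook merges into
#    the "-workflow" pod it creates.
apiVersion: v1
kind: ConfigMap
metadata:
  name: hook-extension            # assumed name
  namespace: arc-runners          # assumed namespace of the runner scale set
data:
  content: |
    spec:
      securityContext:
        fsGroup: 123              # same GID as in the runner pod template
---
# 2) gha-runner-scale-set Helm values (not a manifest): mount the template
#    into the runner container and tell the hook where to find it.
containerMode:
  type: kubernetes
  kubernetesModeWorkVolumeClaim:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi

template:
  spec:
    securityContext:
      fsGroup: 123                # applies to the runner pod only
    containers:
      - name: runner
        image: ghcr.io/actions/actions-runner:latest
        command: ["/home/runner/run.sh"]
        env:
          - name: ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE
            value: /home/runner/pod-template/content   # assumed mount path + ConfigMap key
        volumeMounts:
          - name: pod-template    # assumed volume name
            mountPath: /home/runner/pod-template
            readOnly: true
    volumes:
      - name: pod-template
        configMap:
          name: hook-extension
```

After the next job starts, `.spec.securityContext` on the `-workflow` pod can be compared against the runner pod to confirm the template was merged.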
