From 53c7b4470acfe4c9b57c450a5a0ead16ec0a936b Mon Sep 17 00:00:00 2001
From: Piotr Mlocek <pmlocek@nvidia.com>
Date: Fri, 29 May 2026 15:48:30 -0700
Subject: [PATCH 1/3] fix(ci): add /root/.local/bin to rootless e2e PATH so
 mise is found

The rust-podman-rootless E2E suite introduced in #1623 rebuilds PATH when
dropping to the openshell-test user via runuser, but omitted
/root/.local/bin where the mise binary is installed (curl https://mise.run).
This caused 'mise: command not found' (exit 127) on every run.

Add /root/.local/bin to the PATH override and to the chmod -R a+rX loop so
the rootless user can discover and execute mise.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
---
 .github/workflows/e2e-test.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 014d5425f..7c4c7d9f8 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -89,7 +89,7 @@ jobs:
           chown openshell-test: "/run/user/$(id -u openshell-test)"
           chmod 700 "/run/user/$(id -u openshell-test)"
           chown -R openshell-test: .
-          for dir in /root/.cargo /root/.rustup /root/.local/share/mise /opt/mise; do
+          for dir in /root/.cargo /root/.rustup /root/.local/bin /root/.local/share/mise /opt/mise; do
             [ -d "$dir" ] && chmod -R a+rX "$dir"
           done
 
@@ -107,7 +107,7 @@ jobs:
             runuser -u openshell-test -- env \
               XDG_RUNTIME_DIR="/run/user/${TESTUID}" \
               HOME="/home/openshell-test" \
-              PATH="/root/.cargo/bin:/opt/mise/shims:/opt/mise/bin:${PATH}" \
+              PATH="/root/.cargo/bin:/root/.local/bin:/opt/mise/shims:/opt/mise/bin:${PATH}" \
               CARGO_HOME="/root/.cargo" \
               RUSTUP_HOME="/root/.rustup" \
               OPENSHELL_SUPERVISOR_IMAGE="${OPENSHELL_SUPERVISOR_IMAGE}" \

From 3952c4affec1fcb59c1f9a834bc6269cc67f0041 Mon Sep 17 00:00:00 2001
From: Piotr Mlocek <pmlocek@nvidia.com>
Date: Fri, 29 May 2026 16:11:38 -0700
Subject: [PATCH 2/3] fix(ci): allow rootless e2e user to traverse /root for
 mise and cargo

Root's home (/root) is mode 0700, so the openshell-test user could not
search into it to reach the mise binary (/root/.local/bin/mise) or cargo
(/root/.cargo/bin) listed on PATH. Bash silently skips unsearchable PATH
entries, producing 'mise: command not found' (exit 127).

Add the search bit on /root (chmod a+x) in the rootless setup step.
Verified locally against the ci:latest image: before the change mise is
not found; after it, both mise and cargo resolve and run as the rootless
user.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
---
 .github/workflows/e2e-test.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 7c4c7d9f8..cf0aae8c9 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -89,6 +89,10 @@ jobs:
           chown openshell-test: "/run/user/$(id -u openshell-test)"
           chmod 700 "/run/user/$(id -u openshell-test)"
           chown -R openshell-test: .
+          # Root's home is mode 0700, so the rootless user cannot traverse it
+          # to reach mise (/root/.local/bin) or cargo (/root/.cargo/bin) on
+          # PATH. Add the search bit so those binaries are reachable.
+          chmod a+x /root
           for dir in /root/.cargo /root/.rustup /root/.local/bin /root/.local/share/mise /opt/mise; do
             [ -d "$dir" ] && chmod -R a+rX "$dir"
           done

From 358d9f5269de72ed730865354beeca20d3f2efe8 Mon Sep 17 00:00:00 2001
From: Piotr Mlocek <pmlocek@nvidia.com>
Date: Fri, 29 May 2026 16:38:52 -0700
Subject: [PATCH 3/3] fix(ci): redirect mise cache to rootless user home in e2e

With mise now discoverable and runnable, 'mise run' still failed with
'Permission denied (os error 13)' at src/lock_file.rs:37. The CI image sets
MISE_CACHE_DIR=/opt/mise/cache (root-owned), which the openshell-test user
inherits but can only read (a+rX), not write. mise must write tool bin-path
caches (/opt/mise/cache/<tool>/.../bin_paths-*.msgpack) and task lock files
(/opt/mise/cache/lockfiles/*) even with --skip-deps.

Override MISE_CACHE_DIR to the rootless user's home so mise has a writable
cache, keeping the shared /opt/mise tool data dir read-only. The state dir
already defaults to the user's home; MISE_DATA_DIR stays inherited so the
prebuilt toolchain is reused.

Verified locally against ci:latest with CI=true (which makes mise auto-trust
the config, matching CI): the task now renders and runs into
e2e/rust/e2e-podman-rootless.sh with no permission or trust errors.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
---
 .github/workflows/e2e-test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index cf0aae8c9..cf98df2fe 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -114,6 +114,7 @@ jobs:
               PATH="/root/.cargo/bin:/root/.local/bin:/opt/mise/shims:/opt/mise/bin:${PATH}" \
               CARGO_HOME="/root/.cargo" \
               RUSTUP_HOME="/root/.rustup" \
+              MISE_CACHE_DIR="/home/openshell-test/.cache/mise" \
               OPENSHELL_SUPERVISOR_IMAGE="${OPENSHELL_SUPERVISOR_IMAGE}" \
               OPENSHELL_REGISTRY="${OPENSHELL_REGISTRY}" \
               OPENSHELL_REGISTRY_HOST="${OPENSHELL_REGISTRY_HOST}" \