Cache permission error in self-hosted runners

[jesus-linares]

I have this Github action:

name: "Security: Scan Docker images"
description: "Scan Docker images for OS vulnerabilities using Trivy"
inputs:
  image:
    description: "Docker image name"
    required: true
runs:
  using: "composite"
  steps:

    # Trivy scan
    - name: "Run Trivy vulnerability scanner"
      uses: aquasecurity/[email protected]
      with:
        image-ref: '${{ inputs.image }}'
        scan-type: 'image'
        vuln-type: 'os'
        # cache-dir doesn't work as argument, so we need to use trivi-config file
        # this implies using 'format' and 'output' in the trivi-config file
        trivy-config: .github/actions/sec-scan-images/trivy.yml

    # Upload results
    - name: "Upload Trivy scan results to GitHub Security tab"
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'
        category: 'trivy-image-${{ inputs.image }}'

Trivy file:

cache-dir: ./trivy-cache
format: sarif
output: trivy-results.sarif

If I run it in a Github runner, it works. But, if I run it in my runner, I got this error:

Running Trivy with trivy.yaml config from:  .github/actions/sec-scan-images/trivy.yml
INFO Loaded file_path=.github/actions/sec-scan-images/trivy.yml
FATAL	Fatal error	init error: cache error: unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /github/home/.cache: permission denied

As you can see, the file is properly read but it still tries to use the /github/home/.cache path instead of ./trivy-cache.

I tried to use cache-dir as argument, but I think it is not read when using the sarif output. This would be a different issue (parsing arguments).