npm install -g in onCreateCommand doesn't work in GitHub Actions

[Rabadash8820]

I'm not sure if this is an issue with devcontainers/ci, GitHub Actions, npm, or what, but I'm hoping that someone here can provide some insight.

Here is my setup:

My devcontainer.json

{
  "name": "Jekyll Site With AWS Backend",
  "image": "mcr.microsoft.com/devcontainers/jekyll:2.2.7-3.4-bookworm",
  "features": {
    "ghcr.io/devcontainers/features/git:1": {
      "version": "os-provided"
    },
    "ghcr.io/devcontainers/features/git-lfs:1": {
      "autoPull": true,
      "installDirectlyFromGitHubRelease": true,
      "version": "latest"
    },
    "ghcr.io/devcontainers/features/aws-cli:1": {
      "version": "2.34.12"
    },
    "ghcr.io/devcontainers/features/node:1": {
      "version": "24"
    }
  },
  "forwardPorts": [
    4000, // Jekyll server
    9229  // Node.js debugging
  ],
  // Ensure the ~/.gnupg dir exists, otherwise the bind mount below will fail.
  // mkdir -p option ensures no error if the dir already exists.
  "initializeCommand": "mkdir -p ${localEnv:HOME}${localEnv:USERPROFILE}/.gnupg/",
  "onCreateCommand": {
    "updateNpm": "npm install --global npm@11.12.0",
    "aptUpdate": "sudo apt-get update && sudo apt-get upgrade --yes"
  },
  "updateContentCommand": {
    "npm": "cd cdk/ && npm install",
    "bundle": "cd web/ && bundle install"
  },
  "mounts": [
    "source=${localEnv:HOME}${localEnv:USERPROFILE}/.gnupg/,target=/home/vscode/.gnupg/,type=bind"
  ]
}

My GitHub Actions workflow definition (`cdk.yml`)

name: CDK Synth and Deploy

on:
  push:
    branches: [main]
    paths: [cdk/**, ".github/workflows/cdk.yml", ".devcontainer/**"]
  pull_request:
    branches: [main]
    paths: [cdk/**, ".github/workflows/cdk.yml", ".devcontainer/**"]
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  cdk:
    runs-on: ubuntu-latest  # Ubuntu version doesn't matter, everything will be running in our devcontainer anyway
    environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'test' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          lfs: true

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2 
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # This step builds the devcontainer and runs commands inside it, so CI env matches developer machines.
      - name: CDK Synth and Deploy in Devcontainer
        uses: devcontainers/ci@v0.3
        env:
          IMAGE_NAME: ghcr.io/dansite/devcontainer
        with:
          imageName: ${{ env.IMAGE_NAME }}
          cacheFrom: ${{ env.IMAGE_NAME }}  # Pre-build devcontainer image
          inheritEnv: true
          skipContainerUserIdUpdate: true # Don't update the user of the devcontainer to match the host (i.e., keep it `vscode` not `runner`)
          runCmd: |
            cd cdk/
            npm ci

            # Do other stuff

When building and opening this devcontainer locally in VS Code on Windows, everything works fine. However, when the devcontainers/ci step runs in GitHub Actions, I get the following error logs):

Error message

npm error code EACCES
  npm error syscall mkdir
  npm error path /home/runner
  npm error errno EACCES
  npm error FetchError: Invalid response body while trying to fetch https://registry.npmjs.org/npm: EACCES: permission denied, mkdir '/home/runner'
  npm error     at /usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/node_modules/minipass-fetch/lib/body.js:174:15
  npm error     at async Response.json (/usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/node_modules/minipass-fetch/lib/body.js:75:17)
  npm error     at async RegistryFetcher.packument (/usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/node_modules/pacote/lib/registry.js:98:25)
  npm error     at async RegistryFetcher.manifest (/usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/node_modules/pacote/lib/registry.js:128:23)
  npm error     at async Install.exec (/usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/lib/commands/install.js:114:27)
  npm error     at async Npm.exec (/usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/lib/npm.js:209:9)
  npm error     at async module.exports (/usr/local/share/nvm/versions/node/v24.14.1/lib/node_modules/npm/lib/cli/entry.js:67:5) {
  npm error   code: 'EACCES',
  npm error   errno: 'EACCES',
  npm error   syscall: 'mkdir',
  npm error   path: '/home/runner',
  npm error   type: 'system'
  npm error }
  npm error
  npm error The operation was rejected by your operating system.
  npm error It is likely you do not have the permissions to access this file as the current user
  npm error
  npm error If you believe this might be a permissions issue, please double-check the
  npm error permissions of the file and its containing directories, or try running
  npm error the command again as root/Administrator.
  npm error Log files were not written due to an error writing to the directory: /home/runner/.npm/_logs
  npm error You can rerun the command with `--loglevel=verbose` to see the logs in your terminal

The EACCES: permission denied, mkdir '/home/runner' part is super confusing to me. If commands in my devcontainer are running as the default vscode user, then why is npm trying to create a directory at /home/runner, especially when I have skipContainerUserIdUpdate: true set on the GitHub Actions step? For that matter, why is npm trying to create a home directory at all? How can I modify the above files to ensure that my devcontainer has the latest npm version both locally and in GitHub Actions workflows? Thanks in advance!