[03/10] github: adapt containerized jobs to be rootless

Message ID	20250103-b4-pks-ci-fixes-v1-3-a9bb95dff833@pks.im (mailing list archive)
State	Superseded
Headers	show Received: from fhigh-a7-smtp.messagingengine.com (fhigh-a7-smtp.messagingengine.com [103.168.172.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 34AB81FA8DB for <git@vger.kernel.org>; Fri, 3 Jan 2025 14:47:08 +0000 (UTC) Feedback-ID: i197146af:Fastmail From: Patrick Steinhardt <ps@pks.im> Date: Fri, 03 Jan 2025 15:46:40 +0100 Subject: [PATCH 03/10] github: adapt containerized jobs to be rootless Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20250103-b4-pks-ci-fixes-v1-3-a9bb95dff833@pks.im> References: <20250103-b4-pks-ci-fixes-v1-0-a9bb95dff833@pks.im> In-Reply-To: <20250103-b4-pks-ci-fixes-v1-0-a9bb95dff833@pks.im> To: git@vger.kernel.org Cc: X-Mailer: b4 0.14.2
Series	A couple of CI improvements \| expand [00/10] A couple of CI improvements [01/10] t0060: fix EBUSY in MinGW when setting up runtime prefix [02/10] t7422: fix flaky test caused by buffered stdout [03/10] github: adapt containerized jobs to be rootless [04/10] github: convert all Linux jobs to be containerized [05/10] github: simplify computation of the job's distro [06/10] gitlab-ci: remove the "linux-old" job [07/10] gitlab-ci: add linux32 job testing against i386 [08/10] ci: stop special-casing for Ubuntu 16.04 [09/10] ci: use latest Ubuntu release [10/10] ci: remove stale code for Azure Pipelines

Message ID

20250103-b4-pks-ci-fixes-v1-3-a9bb95dff833@pks.im (mailing list archive)

State

Superseded

Headers

Feedback-ID: i197146af:Fastmail
From: Patrick Steinhardt <ps@pks.im>
Date: Fri, 03 Jan 2025 15:46:40 +0100
Subject: [PATCH 03/10] github: adapt containerized jobs to be rootless
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20250103-b4-pks-ci-fixes-v1-3-a9bb95dff833@pks.im>
References: <20250103-b4-pks-ci-fixes-v1-0-a9bb95dff833@pks.im>
In-Reply-To: <20250103-b4-pks-ci-fixes-v1-0-a9bb95dff833@pks.im>
To: git@vger.kernel.org
Cc: 

Series

A couple of CI improvements | expand

Commit Message

Patrick Steinhardt Jan. 3, 2025, 2:46 p.m. UTC

The containerized jobs in GitHub Actions run as root, giving them
special permissions to for example delete files even when the user
shouldn't be able to due to file permissions. This limitation keeps us
from using containerized jobs for most of our Ubuntu-based jobs as it
causes a number of tests to fail.

Adapt the jobs to create a separate user that executes the test suite.
This follows similar infrastructure that we already have in GitLab CI.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
 .github/workflows/main.yml | 6 ++++--
 ci/install-dependencies.sh | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 900be9957a23fcaa64e1aefd0c8638c5f84b7997..b02f5873a540b458d38e7951b4ee3d5ca598ae23 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -371,10 +371,12 @@  jobs:
       run: apt -q update && apt -q -y install libc6-amd64 lib64stdc++6
     - uses: actions/checkout@v4
     - run: ci/install-dependencies.sh
-    - run: ci/run-build-and-tests.sh
+    - run: useradd builder --create-home
+    - run: chown -R builder .
+    - run: sudo --preserve-env --set-home --user=builder ci/run-build-and-tests.sh
     - name: print test failures
       if: failure() && env.FAILED_TEST_ARTIFACTS != ''
-      run: ci/print-test-failures.sh
+      run: sudo --preserve-env --set-home --user=builder ci/print-test-failures.sh
     - name: Upload failed tests' directories
       if: failure() && env.FAILED_TEST_ARTIFACTS != ''
       uses: actions/upload-artifact@v4
diff --git a/ci/install-dependencies.sh b/ci/install-dependencies.sh
index d1cb9fa8785388b3674fcea4dd682abc0725c968..ecb5b9d36c20d3e7e96148ac628a96c62642c308 100755
--- a/ci/install-dependencies.sh
+++ b/ci/install-dependencies.sh
@@ -31,7 +31,7 @@  alpine-*)
 	;;
 fedora-*|almalinux-*)
 	dnf -yq update >/dev/null &&
-	dnf -yq install make gcc findutils diffutils perl python3 gettext zlib-devel expat-devel openssl-devel curl-devel pcre2-devel >/dev/null
+	dnf -yq install shadow-utils sudo make gcc findutils diffutils perl python3 gettext zlib-devel expat-devel openssl-devel curl-devel pcre2-devel >/dev/null
 	;;
 ubuntu-*|ubuntu32-*|debian-*)
 	# Required so that apt doesn't wait for user input on certain packages.

[03/10] github: adapt containerized jobs to be rootless

Commit Message

Patch