
[v4,03/10] github: adapt containerized jobs to be rootless

Message ID 20250110-b4-pks-ci-fixes-v4-3-6e4613446080@pks.im (mailing list archive)
State Accepted
Commit 2a21098b98ae2f9581a91e2e474c397e5cbede12
Series A couple of CI improvements

Commit Message

Patrick Steinhardt Jan. 10, 2025, 11:31 a.m. UTC
The containerized jobs in GitHub Actions run as root, giving them
special permissions to for example delete files even when the user
shouldn't be able to due to file permissions. This limitation keeps us
from using containerized jobs for most of our Ubuntu-based jobs as it
causes a number of tests to fail.

Adapt the jobs to create a separate user that executes the test suite.
This follows similar infrastructure that we already have in GitLab CI.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
 .github/workflows/main.yml | 6 ++++--
 ci/install-dependencies.sh | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

Comments

Christian Couder Jan. 24, 2025, 9:56 a.m. UTC | #1
On Fri, Jan 10, 2025 at 12:34 PM Patrick Steinhardt <ps@pks.im> wrote:
>
> The containerized jobs in GitHub Actions run as root, giving them
> special permissions to for example delete files even when the user
> shouldn't be able to due to file permissions. This limitation keeps us
> from using containerized jobs for most of our Ubuntu-based jobs as it
> causes a number of tests to fail.
>
> Adapt the jobs to create a separate user that executes the test suite.
> This follows similar infrastructure that we already have in GitLab CI.

Nit (not worth a reroll): It might help a bit to say something like:

"This requires installing the 'sudo' and 'shadow-utils' (for `useradd`) packages."

Patch

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 900be9957a23fcaa64e1aefd0c8638c5f84b7997..b02f5873a540b458d38e7951b4ee3d5ca598ae23 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -371,10 +371,12 @@  jobs:
       run: apt -q update && apt -q -y install libc6-amd64 lib64stdc++6
     - uses: actions/checkout@v4
     - run: ci/install-dependencies.sh
-    - run: ci/run-build-and-tests.sh
+    - run: useradd builder --create-home
+    - run: chown -R builder .
+    - run: sudo --preserve-env --set-home --user=builder ci/run-build-and-tests.sh
     - name: print test failures
       if: failure() && env.FAILED_TEST_ARTIFACTS != ''
-      run: ci/print-test-failures.sh
+      run: sudo --preserve-env --set-home --user=builder ci/print-test-failures.sh
     - name: Upload failed tests' directories
       if: failure() && env.FAILED_TEST_ARTIFACTS != ''
       uses: actions/upload-artifact@v4
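Review bot: The three new steps depend on `useradd` and `sudo` being present in the container image, but nothing in this hunk checks or installs them, and a missing `sudo` binary would fail the `run-build-and-tests.sh` step with a "command not found" that looks nothing like a test failure. The second file in this series adds `shadow-utils sudo` to the fedora/almalinux branch of `ci/install-dependencies.sh`; it would be worth confirming in the commit message which images this job runs on and that each of them gets both packages, since the surrounding `apt -q -y install libc6-amd64 lib64stdc++6` context suggests at least one Debian-derived image also takes this path. Two smaller points on the same lines: `sudo --preserve-env` hands the unprivileged `builder` user the entire job environment rather than an allow-list, which is fine for dropping filesystem privileges (the stated goal) but means any secret exported into the job env is still readable by the tests, so an explicit `--preserve-env=VAR,...` list would narrow that if the scripts only need a handful of CI variables; and `chown -R builder .` only reassigns the checkout, so the `print test failures` step correctly also runs as `builder` because the failure artifacts are written inside that tree.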
diff --git a/ci/install-dependencies.sh b/ci/install-dependencies.sh
index d1cb9fa8785388b3674fcea4dd682abc0725c968..ecb5b9d36c20d3e7e96148ac628a96c62642c308 100755
--- a/ci/install-dependencies.sh
+++ b/ci/install-dependencies.sh
@@ -31,7 +31,7 @@  alpine-*)
 	;;
 fedora-*|almalinux-*)
 	dnf -yq update >/dev/null &&
-	dnf -yq install make gcc findutils diffutils perl python3 gettext zlib-devel expat-devel openssl-devel curl-devel pcre2-devel >/dev/null
+	dnf -yq install shadow-utils sudo make gcc findutils diffutils perl python3 gettext zlib-devel expat-devel openssl-devel curl-devel pcre2-devel >/dev/null
 	;;
 ubuntu-*|ubuntu32-*|debian-*)
 	# Required so that apt doesn't wait for user input on certain packages.
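Review bot: The package addition is only made to the `fedora-*|almalinux-*` branch, while the `ubuntu-*|ubuntu32-*|debian-*` branch that follows is not touched by this hunk, so either the Debian-family images already ship `sudo` and `useradd` or the workflow change in `.github/workflows/main.yml` will fail there; a sentence in the commit message stating that `shadow-utils` (for `useradd`) and `sudo` are now required, as suggested in the review comment, would document the new dependency for whoever next adds a distribution to this case statement. Also note that `>/dev/null` on the `dnf install` line hides the error output if one of the newly added package names is wrong for a given Fedora or AlmaLinux release, so the first sign of a typo here would be the later `sudo: command not found` in the workflow rather than a dnf message.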