[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lmi-commits] [lmi] master e94f977 15/28: Run CI job steps as non-root c
|
From: |
Greg Chicares |
|
Subject: |
[lmi-commits] [lmi] master e94f977 15/28: Run CI job steps as non-root container user |
|
Date: |
Wed, 12 May 2021 18:14:44 -0400 (EDT) |
branch: master
commit e94f9771547276bda50f94fcadebc31913ba8df4
Author: Vadim Zeitlin <vadim@tt-solutions.com>
Commit: Gregory W. Chicares <gchicares@sbcglobal.net>
Run CI job steps as non-root container user
Create a normal user inside the container rather than running everything
is root, to avoid any unexpected problems due to this, e.g. incorrect
permissions would be ignored in the CI builds if we continued running
everything as root.
---
.github/workflows/ci.yml | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4493d6e..808b27e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,22 +44,32 @@ jobs:
LMI_COMPILER: ${{ matrix.compiler || 'gcc' }}
LMI_TRIPLET: ${{ matrix.triplet || 'x86_64-pc-linux-gnu' }}
+ # Run all commands as the normal user, created by the first step below.
+ #
+ # Note that the Bash options used here are the same as for the default
+ # shell used by GitHub Actions to minimize any surprises.
+ defaults:
+ run:
+ shell: /usr/bin/setpriv --reuid=runner --regid=adm --clear-groups
--inh-caps=-all bash --noprofile --norc -eo pipefail {0}
+
steps:
+ - name: Set up container user
+ # Specify the default shell explicitly to override the default value
above.
+ shell: bash
+ run: |
+ apt-get -q -o=Dpkg::Use-Pty=0 update
+ apt-get -qq install sudo
+
+ # Create a user with the same UID/GID and name as the existing user
+ # outside of the container and allow it using sudo without password.
+ useradd --home-dir $HOME --no-create-home --gid adm --uid 1001 runner
+
+ echo 'runner ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/runner
+
- name: Install required packages
run: |
export DEBIAN_FRONTEND=noninteractive
- # We don't really need it with the currently used container, as we're
- # running as root inside it anyhow, but this allows to keep using the
- # same commands as before, with the standard Ubuntu container where
- # using sudo is required.
- if ! command -v sudo > /dev/null; then
- apt-get -q -o=Dpkg::Use-Pty=0 update
- apt-get -qq install sudo
- else
- sudo apt-get -q -o=Dpkg::Use-Pty=0 update
- fi
-
packages="\
automake bc bsdmainutils bzip2 curl cvs default-jre \
g++-multilib git jing libarchive-tools \
- [lmi-commits] [lmi] master updated (f62151a -> 0ed65f7), Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 9c3addb 04/28: Combine "libtool" and "environment variables" steps, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 2b7bd98 01/28: Don't run CI builds when some irrelevant files change, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master f597cba 03/28: Run CI jobs in Debian Sid container, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 8e237e4 16/28: Change the keys used for caching files, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master afebc70 10/28: Use boost_regex.hpp wrapper in configure test too, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 2537153 26/28: Fix test_path_validation() for compilers without char8_t support, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 0ed65f7 28/28: Restore (commented out) a test that failed spectacularly, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 2808a1b 13/28: Use consistent flags for Boost.Regex build in the CI job, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 521017e 05/28: Show environment and compiler information in the CI output, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master e94f977 15/28: Run CI job steps as non-root container user,
Greg Chicares <=
- [lmi-commits] [lmi] master 2213a23 22/28: Disable clang deprecated declarations warnings in uBLAS headers, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 7e32f37 02/28: Don't build Boost.Filesystem library in the CI builds any more, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 0713a8f 14/28: Don't put NORMAL_UID in the environment unnecessarily, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master aa750df 12/28: Work around global_settings_test failure in autotools builds, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 0d89ef3 07/28: Install sudo without using sudo, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 2814dec 11/28: Check for comparison operator defaulting in configure C++ test, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master e5160fe 20/28: Revert "Add workaround for Boost.Regex compilation with clang 11", Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master d09dfce 17/28: Merge lmi directories creation step with the system setup one, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 95c9f72 08/28: Use Debian Wine version in CI job, Greg Chicares, 2021/05/12
- [lmi-commits] [lmi] master 4a1c735 19/28: Rename CI job and build names for brevity and consistency, Greg Chicares, 2021/05/12