feat: ensure git repository access as prerequisite #518
Merged
maxrake
added a commit
that referenced
this pull request
Dec 26, 2024
This change updates the `phylum-ci` Docker images to operate with a non-root user. This works (assuming the changes from #518) for most of the CI environments but GitHub directly contradicts this course of actions, specifying that:

> Docker actions must be run by the default Docker user (root). Do not
> use the USER instruction in your Dockerfile, because you won't be able
> to access the GITHUB_WORKSPACE directory.

It is possible to work around this restriction albeit in a hacky manner. Creating an image with the same `runner` user, with the same UID, will satisfy GitHub and ensure the user information matches between the running container and the host OS (which is also in a container). This is not fool-proof because the UID for the `runner` user is different depending on the GitHub-hosted runner in use (e.g., standard vs. large) and there is no guarantee that the user name or ID will remain consistent. The `docker` group is used to further match the configuration from the `actions-runner-dind` image.

References:

* https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/
* https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user
* https://github.com/orgs/community/discussions/26811
* actions/runner-images#6930
* actions/runner#2411
* https://github.com/actions/actions-runner-controller/blob/1e10417be8341df564a11abc970fe8f41a3b102c/runner/actions-runner-dind.ubuntu-22.04.dockerfile#L36

Needs #518

BREAKING CHANGE: GitHub container jobs will not work until the container options are updated to specify `options: --user=root`

BREAKING CHANGE: The GitHub action and GitHub container steps no longer support providing analysis results of just the newly added dependencies. The `--all-deps` flag must be specified for these CI environments.
This change adds a new base prerequisite such that the user account executing `git` has access to the repository. This is accomplished with a new function, `ensure_git_repo_access`, that checks for the two likely reasons to fail a git repo membership test:

1. Not actually in git repo, in which case nothing can be done.
2. The repository is owned by a different user and we don't have access to it. This is detected and remedied with a configuration change.

References:

* https://confluence.atlassian.com/pages/viewpage.action?pageId=1167744132
* https://confluence.atlassian.com/pages/viewpage.action?pageId=1384121844
* https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory

The second reason is encountered when the user account used to mount the container created from the `phylum-ci` image does not match the one owning the git repository. This happens for some CI environments and was encountered while attempting to add a non-root user to the `phylum-ci` image. That effort may be put on hold or abandoned outright, but the feature here is still worth adding now since it adds functionality for operating in more environments.

Additional changes made include:

* Clarify command used to build from the `Dockerfile.slim` file
* Update `docker_tests.sh` script to include the most basic test command
* Fix typo: `git_curent_branch_name` --> `git_current_branch_name`
* Add `is_in_git_repo` predicate as helper function in `git` module
* Add more tests for the `git` module
maxrake
changed the title
feat: ensure git repository access as prerequisite
feat: ensure git repository access prerequisite
Dec 30, 2024
maxrake
changed the title
feat: ensure git repository access prerequisite
feat: ensure git repository access as prerequisite
Dec 30, 2024
There is an ongoing issue with the "Semantic PR" check...waiting for it to be resolved: Ezard/semantic-prs#754
maxrake
changed the title
feat: ensure git repository access as prerequisite
feat: ensure git repository access as pre-requisite
Jan 2, 2025
maxrake
changed the title
feat: ensure git repository access as pre-requisite
feat: ensure git repository access as prerequisite
Jan 2, 2025
The "Semantic PR" check has been fixed...all checks passing again!
mathew-horner
approved these changes
Jan 2, 2025
This change adds a new base prerequisite such that the user account executing `git` has access to the repository. This is accomplished with a new function, `ensure_git_repo_access`, that checks for the two likely reasons to fail a git repo membership test:

1. Not actually in git repo, in which case nothing can be done.
2. The repository is owned by a different user and we don't have access to it. This is detected and remedied with a configuration change.

References:

* https://confluence.atlassian.com/pages/viewpage.action?pageId=1167744132
* https://confluence.atlassian.com/pages/viewpage.action?pageId=1384121844
* https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory

The second reason is encountered when the user account used to mount the container created from the `phylum-ci` image does not match the one owning the git repository. This happens for some CI environments and was encountered while attempting to add a non-root user to the `phylum-ci` image (#519). That effort was abandoned, but the feature here is still worth adding now since it adds functionality for operating in more environments.

Additional changes made include:

* Clarify command used to build from the `Dockerfile.slim` file
* Update `docker_tests.sh` script to include the most basic test command
* Fix typo: `git_curent_branch_name` --> `git_current_branch_name`
* Add `is_in_git_repo` predicate as helper function in `git` module
* Add more tests for the `git` module
* `tests/unit/test_git.py`

Testing
This is what it looks like when using an image created with a non-root user in the BitBucket CI environment. Notice that the stderr message contains the command needed to "correct" the error.
This is what it looks like when using an image created from the changes in this PR (and still with a non-root user). Notice that the suggested command was used to meet the prerequisite.
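
The two failure reasons described in this PR, and the `safe.directory` remedy from the referenced git-config documentation, can be sketched as follows. This is an added example, not the `phylum-ci` implementation of `ensure_git_repo_access`; the function names `classify_git_failure`, `safe_directory_cmd` and `ensure_repo_access` are hypothetical, and the sketch assumes git reports an ownership mismatch on stderr in one of the two wordings matched below.

```python
"""Added example: classify a failed git repo membership test and remedy it."""
from __future__ import annotations

import re
import subprocess
from pathlib import Path

# stderr wording git uses when the repository owner differs from the current
# user. The wording changed between git releases, so both forms are matched.
_OWNERSHIP_RE = re.compile(
    r"detected dubious ownership in repository at '(?P<new>[^']+)'"
    r"|unsafe repository \('(?P<old>[^']+)' is owned by someone else\)"
)


def classify_git_failure(stderr: str) -> tuple[str, str | None]:
    """Return (reason, repo_path) for the stderr of a failed membership test."""
    match = _OWNERSHIP_RE.search(stderr)
    if match:
        return "ownership", match.group("new") or match.group("old")
    if "not a git repository" in stderr:
        return "not_a_repo", None
    return "unknown", None


def safe_directory_cmd(repo_path: str) -> list[str]:
    """Build the remedy for exactly one absolute path, never the '*' wildcard."""
    if repo_path.strip() in {"", "*"} or not Path(repo_path).is_absolute():
        raise ValueError(f"refusing to trust non-specific path: {repo_path!r}")
    return ["git", "config", "--global", "--add", "safe.directory", repo_path]


def ensure_repo_access(cwd: str = ".") -> bool:
    """Hypothetical stand-in for the PR's function: True if git can use the repo."""
    probe = ["git", "rev-parse", "--is-inside-work-tree"]
    result = subprocess.run(probe, cwd=cwd, capture_output=True, text=True, check=False)
    if result.returncode == 0:
        return True
    reason, repo_path = classify_git_failure(result.stderr)
    if reason != "ownership" or repo_path is None:
        return False  # reason 1 (not in a repo) or unknown: nothing to remedy
    # Reason 2: trust only the path git itself reported, then test again.
    subprocess.run(safe_directory_cmd(repo_path), check=True)
    return subprocess.run(probe, cwd=cwd, capture_output=True, check=False).returncode == 0
```

Trusting only the single path that git reported keeps the ownership check in force for every other directory, which a `safe.directory` value of `*` would disable.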