From 2c1db639275f21891ea8c41985e900704cba5ad5 Mon Sep 17 00:00:00 2001
From: garyschulte
Date: Wed, 22 Mar 2023 11:41:42 -0700
Subject: [PATCH] fence repolinter docker action to prevent docker user from poisoning the filesystem permissions (#5256)
Signed-off-by: garyschulte
---
 .github/workflows/checks.yml | 4 ++--
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/dco-merge-group.yml | 2 +-
 .github/workflows/dco.yml | 2 +-
 .github/workflows/gradle-wrapper-validation.yml | 2 +-
 .github/workflows/pr-checklist-on-open.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/repolinter.yml | 7 +------
 8 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 1aa919002a..6c0e11ecca 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   spotless:
-    runs-on: [besu,Linux,self-hosted,X64]
+    runs-on: [besu,Linux,self-hosted,X64,nodocker]
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - name: Checkout Repo
@@ -21,7 +21,7 @@ jobs:
       - name: spotless
         run: ./gradlew --no-daemon --parallel clean spotlessCheck
   javadoc_17:
-    runs-on: [besu,Linux,self-hosted,X64]
+    runs-on: [besu,Linux,self-hosted,X64,nodocker]
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - name: Checkout Repo
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5a7867dde3..ee85d0818a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,7 +24,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: [besu,Linux,self-hosted,X64]
+    runs-on: [besu,Linux,self-hosted,X64,nodocker]
     permissions:
       actions: read
       contents: read
diff --git a/.github/workflows/dco-merge-group.yml b/.github/workflows/dco-merge-group.yml
index 02b9c6bd13..f93170b1c2 100644
--- a/.github/workflows/dco-merge-group.yml
+++ b/.github/workflows/dco-merge-group.yml
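Review bot: The added `nodocker` label on `runs-on: [besu,Linux,self-hosted,X64,nodocker]` is a scheduling filter, not an isolation boundary: the job lands on a fenced host only if that label was applied to every intended runner (otherwise it queues indefinitely), and nothing in the label itself prevents a step on that host from using a docker binary or socket that happens to be present. The contract this commit relies on — `nodocker` hosts have no docker daemon and the `docker` pool used by repolinter is a disjoint set of machines — lives in runner provisioning rather than in the workflow, so it is worth recording above the first `runs-on`, e.g. `# nodocker: runner pool with no docker daemon; container jobs go to the docker pool`. The same change appears in the second checks.yml hunk and in codeql.yml, dco-merge-group.yml, dco.yml, gradle-wrapper-validation.yml, pr-checklist-on-open.yml and release.yml; each workflow's `on:` block lies outside its hunk.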
@@ -4,7 +4,7 @@ on:
 
 jobs:
   dco:
-    runs-on: [besu,Linux,self-hosted]
+    runs-on: [besu,Linux,self-hosted,nodocker]
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - run: echo "This DCO job runs on merge_queue event and doesn't check PR contents"
\ No newline at end of file
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index 49de075a1c..341e1d3877 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -5,7 +5,7 @@ on:
 
 jobs:
   dco:
-    runs-on: [besu,Linux,self-hosted]
+    runs-on: [besu,Linux,self-hosted,nodocker]
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - run: echo "This DCO job runs on pull_request event and workflow_dispatch"
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 6419157c4e..7fe460d36c 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -5,7 +5,7 @@ on: [push, pull_request]
 jobs:
   validation:
     name: "Gradle Wrapper Validation"
-    runs-on: [besu,Linux,self-hosted]
+    runs-on: [besu,Linux,self-hosted,nodocker]
     steps:
       - uses: actions/checkout@v2
       - uses: gradle/wrapper-validation-action@v1
diff --git a/.github/workflows/pr-checklist-on-open.yml b/.github/workflows/pr-checklist-on-open.yml
index 678c11705c..9f89092934 100644
--- a/.github/workflows/pr-checklist-on-open.yml
+++ b/.github/workflows/pr-checklist-on-open.yml
@@ -6,7 +6,7 @@ on:
 jobs:
   checklist:
     name: "add checklist as a comment on newly opened PRs"
-    runs-on: [besu,Linux,self-hosted]
+    runs-on: [besu,Linux,self-hosted,nodocker]
     steps:
       - uses: actions/github-script@v5
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 54bcc7fc42..36ea3ab50f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,7 +4,7 @@ on:
     types: released
 jobs:
   dockerPromoteX64:
-    runs-on: [besu,Linux,self-hosted]
+    runs-on: [besu,Linux,self-hosted,nodocker]
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-java@v3
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
index d9e33e18ae..5d06df6b8c 100644
--- a/.github/workflows/repolinter.yml
+++ b/.github/workflows/repolinter.yml
@@ -15,15 +15,10 @@ on:
 
 jobs:
   build:
-    runs-on: [besu,Linux,self-hosted,X64]
+    runs-on: [besu,Linux,self-hosted,X64,docker]
     container: ghcr.io/todogroup/repolinter:v0.10.1
     steps:
       - name: Checkout Code
         uses: actions/checkout@v2
       - name: Lint Repo
         run: bundle exec /app/bin/repolinter.js --rulesetUrl https://raw.githubusercontent.com/hyperledger-labs/hyperledger-community-management-tools/main/repo_structure/repolint.json --format markdown
-      - name: Cleanup file permissions created by docker user
-        run: |
-          USER_ID=$(id -u)
-          GROUP_ID=$(id -g)
-          chown -R "$USER_ID:$GROUP_ID" .
\ No newline at end of file
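Review bot: `dockerPromoteX64` is moved onto a `nodocker` runner although its name suggests it promotes Docker images; the job's steps after `actions/setup-java@v3` lie outside the hunk, so if any of them invokes the docker CLI the job will either fail on a host without a daemon or, worse, run on a host where docker is present despite the label, which would undermine the fencing this commit introduces. Worth confirming those later steps do not need a daemon, or routing this job to the `docker` pool as repolinter.yml does; if the name is simply historical, a comment such as `# promotes release artifacts; does not require a local docker daemon` above `runs-on` would save the next reader the same question.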
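Review bot: Removing the `chown -R` cleanup step relocates the root-owned-files problem rather than closing it: the job still runs as the container's user inside `ghcr.io/todogroup/repolinter:v0.10.1`, so whatever it writes into the mounted checkout stays owned by that uid on the `docker`-labelled host, and unless that pool is ephemeral or its workspace is wiped between jobs the next job scheduled there inherits the same permissions (nothing in the hunk shows how the docker pool is cleaned). If those runners are persistent, keep a host-side cleanup outside the container or document the ephemeral-runner assumption above `runs-on`, e.g. `# docker pool: ephemeral runners, workspace is discarded after each job`. Separately, both inputs the job executes are mutable references — the image is pinned by tag rather than digest and the ruleset is fetched from the `main` branch of another repository — so pinning the image as `ghcr.io/todogroup/repolinter@sha256:<IMAGE_DIGEST>` (placeholder) and the `--rulesetUrl` to a commit would make the lint run reproducible and not silently follow upstream changes on a self-hosted runner.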