fence repolinter docker action to prevent docker user from poisoning the filesystem permissions (#5256)

Signed-off-by: garyschulte <garyschulte@gmail.com>
pull/5257/head
garyschulte 2 years ago committed by GitHub
parent b88d037f25
commit 2c1db63927
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      .github/workflows/checks.yml
  2. 2
      .github/workflows/codeql.yml
  3. 2
      .github/workflows/dco-merge-group.yml
  4. 2
      .github/workflows/dco.yml
  5. 2
      .github/workflows/gradle-wrapper-validation.yml
  6. 2
      .github/workflows/pr-checklist-on-open.yml
  7. 2
      .github/workflows/release.yml
  8. 7
      .github/workflows/repolinter.yml

@ -7,7 +7,7 @@ on:
jobs: jobs:
spotless: spotless:
runs-on: [besu,Linux,self-hosted,X64] runs-on: [besu,Linux,self-hosted,X64,nodocker]
if: ${{ github.actor != 'dependabot[bot]' }} if: ${{ github.actor != 'dependabot[bot]' }}
steps: steps:
- name: Checkout Repo - name: Checkout Repo
@ -21,7 +21,7 @@ jobs:
- name: spotless - name: spotless
run: ./gradlew --no-daemon --parallel clean spotlessCheck run: ./gradlew --no-daemon --parallel clean spotlessCheck
javadoc_17: javadoc_17:
runs-on: [besu,Linux,self-hosted,X64] runs-on: [besu,Linux,self-hosted,X64,nodocker]
if: ${{ github.actor != 'dependabot[bot]' }} if: ${{ github.actor != 'dependabot[bot]' }}
steps: steps:
- name: Checkout Repo - name: Checkout Repo
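Review bot: The `nodocker` label added to both `runs-on` lines here (and likewise in codeql.yml, dco-merge-group.yml, dco.yml, gradle-wrapper-validation.yml, pr-checklist-on-open.yml and release.yml) is enforced only by how runners are registered, and nothing in the workflows records what the label means; a job whose label set matches no registered runner queues until it times out instead of failing visibly. A comment above each changed `runs-on` would carry the intent, e.g. `# nodocker: runners that never host container jobs, so root-owned files left by docker cannot reach this workspace`. Presumably the runner pool was re-registered with the `docker`/`nodocker` split alongside this change, but that cannot be confirmed from the workflow files. The `spotless` and `javadoc_17` jobs continue outside the hunk.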

@ -24,7 +24,7 @@ on:
jobs: jobs:
analyze: analyze:
name: Analyze name: Analyze
runs-on: [besu,Linux,self-hosted,X64] runs-on: [besu,Linux,self-hosted,X64,nodocker]
permissions: permissions:
actions: read actions: read
contents: read contents: read

@ -4,7 +4,7 @@ on:
jobs: jobs:
dco: dco:
runs-on: [besu,Linux,self-hosted] runs-on: [besu,Linux,self-hosted,nodocker]
if: ${{ github.actor != 'dependabot[bot]' }} if: ${{ github.actor != 'dependabot[bot]' }}
steps: steps:
- run: echo "This DCO job runs on merge_queue event and doesn't check PR contents" - run: echo "This DCO job runs on merge_queue event and doesn't check PR contents"

@ -5,7 +5,7 @@ on:
jobs: jobs:
dco: dco:
runs-on: [besu,Linux,self-hosted] runs-on: [besu,Linux,self-hosted,nodocker]
if: ${{ github.actor != 'dependabot[bot]' }} if: ${{ github.actor != 'dependabot[bot]' }}
steps: steps:
- run: echo "This DCO job runs on pull_request event and workflow_dispatch" - run: echo "This DCO job runs on pull_request event and workflow_dispatch"

@ -5,7 +5,7 @@ on: [push, pull_request]
jobs: jobs:
validation: validation:
name: "Gradle Wrapper Validation" name: "Gradle Wrapper Validation"
runs-on: [besu,Linux,self-hosted] runs-on: [besu,Linux,self-hosted,nodocker]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- uses: gradle/wrapper-validation-action@v1 - uses: gradle/wrapper-validation-action@v1

@ -6,7 +6,7 @@ on:
jobs: jobs:
checklist: checklist:
name: "add checklist as a comment on newly opened PRs" name: "add checklist as a comment on newly opened PRs"
runs-on: [besu,Linux,self-hosted] runs-on: [besu,Linux,self-hosted,nodocker]
steps: steps:
- uses: actions/github-script@v5 - uses: actions/github-script@v5
with: with:

@ -4,7 +4,7 @@ on:
types: released types: released
jobs: jobs:
dockerPromoteX64: dockerPromoteX64:
runs-on: [besu,Linux,self-hosted] runs-on: [besu,Linux,self-hosted,nodocker]
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: actions/setup-java@v3 - uses: actions/setup-java@v3

@ -15,15 +15,10 @@ on:
jobs: jobs:
build: build:
runs-on: [besu,Linux,self-hosted,X64] runs-on: [besu,Linux,self-hosted,X64,docker]
container: ghcr.io/todogroup/repolinter:v0.10.1 container: ghcr.io/todogroup/repolinter:v0.10.1
steps: steps:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Lint Repo - name: Lint Repo
run: bundle exec /app/bin/repolinter.js --rulesetUrl https://raw.githubusercontent.com/hyperledger-labs/hyperledger-community-management-tools/main/repo_structure/repolint.json --format markdown run: bundle exec /app/bin/repolinter.js --rulesetUrl https://raw.githubusercontent.com/hyperledger-labs/hyperledger-community-management-tools/main/repo_structure/repolint.json --format markdown
- name: Cleanup file permissions created by docker user
run: |
USER_ID=$(id -u)
GROUP_ID=$(id -g)
chown -R "$USER_ID:$GROUP_ID" .
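Review bot: Dropping the chown cleanup step leaves the `docker`-labelled runner holding whatever root-owned files the `ghcr.io/todogroup/repolinter:v0.10.1` container writes under the checkout, and nothing in the job states that ownership is now the runner's responsibility; if that pool is persistent rather than ephemeral or wiped between jobs, the permission problem is relocated rather than removed. A comment above `container:` would make the contract explicit, e.g. `# runs as root inside the container; workspace ownership is left to the dedicated 'docker' runner, which must be ephemeral or clean its workspace`. Separately, the `Lint Repo` step fetches its ruleset from the `main` branch of another repository via `--rulesetUrl` at run time, so the lint outcome depends on unpinned remote content; pinning the URL to a commit would make the job reproducible. The `build` job may continue outside the hunk.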