Improve permissions and cleanup

Signed-off-by: Benoit Donneaux <benoit@leastauthority.com>
2024-05-23 11:21:02 +02:00 · 2024-05-23 11:21:02 +02:00 · 4c11a160f4
parent 444b318ee3
commit 4c11a160f4
3 changed files with 18 additions and 17 deletions
--- a/.gitea/workflows/jekyll.yaml
+++ b/.gitea/workflows/jekyll.yaml
@ -2,8 +2,11 @@ name: Jekyll
 run-name: ${{ gitea.actor }} is running some Gitea Actions 🚀
 on: [push]

+env:
+  _UID: 1000
+  _GID: 1000
 jobs:
-  test-ci-actions:
+  jekyll:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repository code
@ -12,14 +15,7 @@ jobs:
      - name: Fix file permissions
        id: fix_permissions
        run: |
-          export uid=1000
-          export gid=1000
-          export user=ubuntu
-          export group=ubuntu
-          id ${user} > /dev/null 2>&1 && \
-          { groupmod -g "${gid}" "${group}" && usermod -md /home/${user} -s /bin/bash -g "${group}" -u "${uid}" "${user}"; } || \
-          { groupadd -g "${gid}" "${group}" && useradd -md /home/${user} -s /bin/bash -g "${group}" -u "${uid}" "${user}"; }
-          chown -R ubuntu:ubuntu .
+          chown -R ${_UID}:${_GID} .
      - name: Install docker
        id: install_docker
        run: |
@ -37,17 +33,19 @@ jobs:
      - name: Build Jekyll image
        id: build_image
        run: |
+          # The environment variables _UID and _GID will impact this image
          docker-compose build jekyll
      - name: Verify Jekyll container
        id: verify_image
        run: |
-          docker volume inspect "${JOB_CONTAINER_NAME}"
-          docker-compose run --rm --entrypoint bash -v "${JOB_CONTAINER_NAME}:/home/ubuntu/workspace" jekyll -c "whoami; pwd; ls -lA ."
+          docker-compose run --rm -v "/var/lib/docker/volumes/${JOB_CONTAINER_NAME}/_data:/home/ubuntu/workspace" \
+          --entrypoint bash \
+          jekyll -c "whoami; pwd; ls -lA ."
      - name: Build Jekyll site
        id: build_site
        run: |
-          docker volume inspect "${JOB_CONTAINER_NAME}"
-          docker-compose run --rm -v "/var/lib/docker/volumes/${JOB_CONTAINER_NAME}/_data:/home/ubuntu/workspace" jekyll build --verbose
+          docker-compose run --rm -v "/var/lib/docker/volumes/${JOB_CONTAINER_NAME}/_data:/home/ubuntu/workspace" \
+          jekyll build --verbose
      - name: Verify site
        id: verify_site
        # uses: LeastAuthority/broken-links-action@v1
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -5,7 +5,9 @@ services:
      context: docker/jekyll
      args:
        uid: "${_UID:-1000}"
+        user: "${_USER:-appuser}"
        gid: "${_GID:-1000}"
+        group: "${_GROUP:-appgroup}"
    volumes:
      - .:/home/ubuntu/workspace
    working_dir: /home/ubuntu/workspace
--- a/docker/jekyll/Dockerfile
+++ b/docker/jekyll/Dockerfile
@ -14,10 +14,11 @@ ARG user=ubuntu
 ARG gid=1000
 ARG group=ubuntu

-# Add or modify user and group for build and runtime (convenient)
-#RUN id ${user} > /dev/null 2>&1 && \
-#    { groupmod -g "${gid}" "${group}" && usermod -md /home/${user} -s /bin/bash -g "${group}" -u "${uid}" "${user}"; } || \
-#    { groupadd -g "${gid}" "${group}" && useradd -md /home/${user} -s /bin/bash -g "${group}" -u "${uid}" "${user}"; }
+# Ensure desired user and group for build and runtime (convenient)
+RUN userdel --force --remove $(getent passwd ${uid} | cut -d: -f1) || true; \
+    groupdel $(getent group ${gid} | cut -d: -f1) || true; \
+    groupadd -g "${gid}" "${group}" && \
+    useradd -md /home/${user} -s /bin/bash -g "${group}" -u "${uid}" "${user}";

 # Copy requirements in non-root user home directory
 COPY Gemfile Gemfile.lock "/home/${user}/"