Fix secrets scanning GHA Workflow

The podman in `ubuntu-latest` environment apparently is too old to
support `--userns=keep-id:uid=1000,gid=1000`.  Employ workaround in GHA
workflow and in `prebuild.sh` check.

Signed-off-by: Chris Evich <cevich@redhat.com>
Chris Evich
2023-10-30 12:06:17 -04:00
parent 1146f2ca78
commit 4c67a6aed2
2 changed files with 26 additions and 2 deletions


@ -162,10 +162,21 @@ jobs:
# gitleaks entrypoint runs as gitleaks user (UID/GID 1000) # gitleaks entrypoint runs as gitleaks user (UID/GID 1000)
run: | run: |
set -exuo pipefail set -exuo pipefail
# TODO: Workaround podman < v4.3.0 support for `--userns=keep-id:uid=1000,gid=1000`.
declare -a workaround_args
workaround_args=(\
--user 1000:1000
--uidmap 0:1:1000
--uidmap 1000:0:1
--uidmap 1001:1001:64536
--gidmap 0:1:1000
--gidmap 1000:0:1
--gidmap 1001:1001:64536
)
# Careful: Changes need coordination with contrib/cirrus/prebuild.sh # Careful: Changes need coordination with contrib/cirrus/prebuild.sh
podman run --rm \ podman run --rm \
--security-opt=label=disable \ --security-opt=label=disable \
--userns=keep-id:uid=1000,gid=1000 \ "${workaround_args[@]}" \
-v ${{ github.workspace }}/_default:/default:ro \ -v ${{ github.workspace }}/_default:/default:ro \
-v ${{ github.workspace }}/_subject:/subject:ro \ -v ${{ github.workspace }}/_subject:/subject:ro \
-v ${{ github.workspace }}/_report:/report:rw \ -v ${{ github.workspace }}/_report:/report:rw \
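Review bot: The seven `--uidmap`/`--gidmap` lines are opaque to the next maintainer and the workflow only says they work around an old podman, not what mapping they encode; a comment above `workaround_args=(\` should state it: `# Emulate --userns=keep-id:uid=1000,gid=1000: container ID 1000 -> the invoking user (intermediate ID 0), IDs 0-999 and 1001-65536 -> subordinate IDs from /etc/subuid.` The count `64536` in the third map presumably hard-codes an assumption of at least 65536 subordinate IDs for the runner user, which `keep-id` derives at runtime, so the comment should also note `# assumes >= 65536 subuids/subgids on the runner -- podman fails to start otherwise`. The literal `1000` is retyped seven times here and again in prebuild.sh; a single `gl_id=1000` used as `--user "$gl_id:$gl_id"` and in the map entries would keep the `--user` line and the mappings from drifting apart.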


@ -77,12 +77,25 @@ if [[ "${DISTRO_NV}" == "$PRIOR_FEDORA_NAME" ]]; then
# simply here to... # simply here to...
msg "Checking GitLeaks functions with current CLI args, configuration, and baseline JSON" msg "Checking GitLeaks functions with current CLI args, configuration, and baseline JSON"
# TODO: Workaround for GHA Environment, duplicate here for consistency.
# Replace with `--userns=keep-id:uid=1000,gid=1000` w/ newer podman in GHA environment.
declare -a workaround_args
workaround_args=(\
--user 1000:1000
--uidmap 0:1:1000
--uidmap 1000:0:1
--uidmap 1001:1001:64536
--gidmap 0:1:1000
--gidmap 1000:0:1
--gidmap 1001:1001:64536
)
brdepth=$(get_env_key 'brdepth') brdepth=$(get_env_key 'brdepth')
glfqin=$(get_env_key 'glfqin') glfqin=$(get_env_key 'glfqin')
glargs=$(get_env_key 'glargs') glargs=$(get_env_key 'glargs')
showrun podman run --rm \ showrun podman run --rm \
--security-opt=label=disable \ --security-opt=label=disable \
--userns=keep-id:uid=1000,gid=1000 \ "${workaround_args[@]}" \
-v $CIRRUS_WORKING_DIR:/subject:ro \ -v $CIRRUS_WORKING_DIR:/subject:ro \
-v $CIRRUS_WORKING_DIR:/default:ro \ -v $CIRRUS_WORKING_DIR:/default:ro \
--tmpfs /report:rw,size=256k,mode=1777 \ --tmpfs /report:rw,size=256k,mode=1777 \
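Review bot: The new `workaround_args` array in prebuild.sh is a verbatim copy of the one in the GHA workflow, and the comment only says it is "duplicated for consistency" while nothing explains or checks the mapping, so a reader cannot tell whether the two copies still agree; a comment such as `# Same mapping as .github/workflows (keep-id emulation): container 1000 -> host user, 0-999 and 1001+ -> subordinate IDs` would at least name what must stay in sync. The `\` after `workaround_args=(` is unnecessary inside an array literal, where newlines already separate elements, and can be dropped. The surrounding `if [[ "${DISTRO_NV}" == "$PRIOR_FEDORA_NAME" ]]` block begins before this hunk and ends after it.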