ci: run-as unprivileged user #3565

justinmk3 · web-flow · commit 2ca8f7ce4888 · 2023-06-11T11:20:05.000-07:00
ref 59a0a83 ref f53186e
diff --git a/buildspec/linuxTests.yml b/buildspec/linuxTests.yml
@@ -12,15 +12,12 @@ phases:
         run-as: root
         runtime-versions:
             nodejs: 16
-
         commands:
             # Without this, "Unable to locate package libatk1.0-0".
             - '>/dev/null apt-get -yqq update'
             # Dependencies for running vscode.
             - '>/dev/null apt-get -yqq install libatk1.0-0 libgtk-3-dev libxss1 xvfb libasound2 libasound2-plugins'
-            #
             # Prepare env for unprivileged user.
-            #
             - |
                 mkdir -p ~codebuild-user
                 chown -R codebuild-user:codebuild-user /tmp ~codebuild-user .
diff --git a/buildspec/packageTestVsix.yml b/buildspec/packageTestVsix.yml
@@ -1,5 +1,8 @@
 version: 0.2
 
+# Run unprivileged for most phases (except those marked "run-as: root").
+run-as: codebuild-user
+
 env:
     variables:
         AWS_TOOLKIT_TEST_USER_DIR: '/tmp/'
@@ -8,11 +11,21 @@ env:
 
 phases:
     install:
+        run-as: root
         runtime-versions:
             nodejs: 16
+        commands:
+            # Prepare env for unprivileged user.
+            - |
+                mkdir -p ~codebuild-user
+                chown -R codebuild-user:codebuild-user /tmp ~codebuild-user .
+                chmod +x ~codebuild-user
+                ls -ld ~codebuild-user
 
     pre_build:
         commands:
+            # CodeBuild ignores env.variables.HOME, so do it manually here :(
+            - export HOME=/home/codebuild-user
             # If present, log into CodeArtifact. Provides a nice safety net in case NPM is down.
             # Should only affect tests run through IDEs team-hosted CodeBuild.
             - |
@@ -23,11 +36,12 @@ phases:
                         echo "CodeArtifact connection failed. Falling back to npm"
                     fi
                 fi
-            # --unsafe-perm is needed because CodeBuild/CodePipeline runs as root
-            - npm ci --unsafe-perm
+            - npm ci
 
     build:
         commands:
+            # CodeBuild ignores env.variables.HOME, so do it manually here :(
+            - export HOME=/home/codebuild-user
             # Generate CHANGELOG.md
             - npm run createRelease
             - npm run generateNonCodeFiles
