feat: run container as non-root

- also update gha setup to reflect this change
- differentiate between build and test of the container

Signed-off-by: Robert Waffen <[email protected]>

Author: rwaffen

.github/workflows/ci.yaml

@@ -34,6 +34,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Build image
         uses: docker/build-push-action@v6
         with:
@@ -51,6 +54,29 @@ jobs:
             RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
             RUBYGEM_BUNDLER=${{ matrix.rubygem_bundler }}
 
+  test_ci_container:
+    name: 'Test CI container'
+    runs-on: ubuntu-latest
+    needs:
+      - setup-matrix
+      - build_test_container
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}
+          path: /tmp
+
+      - name: Load Docker image
+        run: |
+          docker load --input /tmp/voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar
+          docker image ls -a
+
       - name: Clone voxpupuli/puppet-example repository
         uses: actions/checkout@v4
         with:
@@ -71,6 +97,7 @@ jobs:
   tests:
     needs:
       - build_test_container
+      - test_ci_container
     runs-on: ubuntu-latest
     name: Test suite
     steps:

Dockerfile

@@ -73,5 +73,8 @@ RUN apk update \
 
 WORKDIR /repo
 
+RUN addgroup -S voxbox && adduser -S voxbox -G voxbox
+USER voxbox
+
 ENTRYPOINT [ "rake" ]
 CMD [ "-f", "/Rakefile", "-T" ]