feat: make it rootless

rwaffen · rwaffen · commit 51b31f861785 · 2025-08-24T17:30:07.000+02:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -69,17 +69,24 @@ jobs:
         with:
           repository: voxpupuli/puppet-example
 
+      - name: Configure podman
+        run: |
+          systemctl start --user podman.socket
+          echo "DOCKER_HOST=unix:///run/user/$(id -u)/podman/podman.sock" >> "$GITHUB_ENV"
+          docker save ci/voxbox:${{ matrix.rubygem_puppet }} | podman load
+
       - name: Test container
         run: |
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile -T
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile lint
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile metadata_lint
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile r10k:dependencies
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile r10k:syntax
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile rubocop
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile spec
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile strings:validate:reference
-          docker run --rm -v $PWD:/repo:Z ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile syntax
+          export PODMAN_OPTIONS="--rm -v $PWD:/repo:Z --userns=keep-id"
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile -T
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile lint
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile metadata_lint
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile r10k:dependencies
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile r10k:syntax
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile rubocop
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile spec
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile strings:validate:reference
+          podman run $PODMAN_OPTIONS ci/voxbox:${{ matrix.rubygem_puppet }} -f /Rakefile syntax
 
   tests:
     needs:
diff --git a/Containerfile b/Containerfile
@@ -89,22 +89,21 @@ LABEL org.label-schema.maintainer="Voxpupuli Team <voxpupuli@groups.io>" \
       org.label-schema.dockerfile="/Containerfile"
 
 RUN apk update \
-    && apk upgrade \
-    && apk add openssh-client \
-    && apk add gpg \
-    && apk add jq \
-    && apk add yamllint \
-    && apk add git \
-    && apk add curl \
-    && rm -rf /var/cache/apk/* \
-    && rm -rf /usr/local/lib/ruby/gems
+    && apk upgrade --no-cache --prune \
+    && apk add --no-cache openssh-client gpg jq yamllint git curl \
+    && addgroup -g 1001 -S voxbox \
+    && adduser -u 1001 -S -G voxbox voxbox \
+    && rm -rf /usr/local/lib/ruby/gems \
+    && mkdir /repo \
+    && chown voxbox:voxbox /repo
 
 COPY --from=builder /usr/local/lib/ruby/gems /usr/local/lib/ruby/gems
 COPY --from=builder /usr/local/bundle /usr/local/bundle
 COPY Containerfile /
 COPY voxbox/Rakefile /
 
 WORKDIR /repo
+USER voxbox
 
 ENTRYPOINT [ "rake" ]
 CMD [ "-f", "/Rakefile", "-T" ]
