feat: run container as non-root

- also update gha setup to reflect this change
- differentiate between build and test of the container

Signed-off-by: Robert Waffen <[email protected]>

Author: rwaffen

.github/workflows/ci.yaml

@@ -37,11 +37,15 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Build image
         uses: docker/build-push-action@v6
         with:
           tags: 'ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
           push: false
+          outputs: type=docker,dest=/tmp/voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar
           build-args: |
             BASE_IMAGE=${{ matrix.base_image }}
             RUBYGEM_PUPPET=${{ matrix.rubygem_puppet }}
@@ -53,6 +57,12 @@ jobs:
             RUBYGEM_OVERCOMMIT=${{ matrix.rubygem_overcommit }}
             RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
 
+      - name: Upload voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar
+        uses: actions/upload-artifact@v4
+        with:
+          name: voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}
+          path: /tmp/voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
@@ -64,36 +74,61 @@ jobs:
         uses: docker/scout-action@v1
         with:
           command: cves
-          image: 'local://ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
+          image: 'archive:///tmp/voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar'
           sarif-file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
           summary: true
 
       - name: Upload SARIF result
         id: upload-sarif
         uses: github/codeql-action/upload-sarif@v3
         with:
+          category: ${{ matrix.rubygem_puppet }}
           sarif_file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
 
+  test_ci_container:
+    name: 'Test CI container'
+    runs-on: ubuntu-latest
+    needs:
+      - setup-matrix
+      - build_test_container
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}
+          path: /tmp
+
+      - name: Load Docker image
+        run: |
+          docker load --input /tmp/voxbox-${{ matrix.rubygem_puppet }}_${{ github.sha }}.tar
+          docker image ls -a
+
       - name: Clone voxpupuli/puppet-example repository
         uses: actions/checkout@v4
         with:
           repository: voxpupuli/puppet-example
 
       - name: Test container
         run: |
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile -T
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile lint
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile metadata_lint
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile strings:validate:reference
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile rubocop
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile syntax
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile spec
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile r10k:syntax
-          docker run --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile r10k:dependencies
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile -T
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile lint
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile metadata_lint
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile strings:validate:reference
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile rubocop
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile syntax
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile spec
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile r10k:syntax
+          docker run --user 1001 --rm  -v $(pwd):/repo ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }} -f /Rakefile r10k:dependencies
 
   tests:
     needs:
       - build_test_container
+      - test_ci_container
     runs-on: ubuntu-latest
     name: Test suite
     steps:

Dockerfile

@@ -60,5 +60,8 @@ RUN apk update \
 
 WORKDIR /repo
 
+RUN addgroup -S voxbox && adduser -S voxbox -G voxbox
+USER voxbox
+
 ENTRYPOINT [ "rake" ]
 CMD [ "-f", "/Rakefile", "-T" ]