Isolate the container home dir from the mounted github_home

dflook · Dec 20, 2023 · 13aeab1 · 13aeab1
1 parent 57e4e48
commit 13aeab1
Showing 1 changed file with 28 additions and 13 deletions.
diff --git a/image/actions.sh b/image/actions.sh
@@ -29,6 +29,26 @@ function repair_environment() {
 }
 repair_environment
 
+##
+# Isolate the home directory inside the container
+#
+# Instead of using the HOME directory mounted by the runner, we'll use one in the container
+# This is because the runner's home directory will be re-used between jobs, and we don't
+# want to leak credentials we have to place there.
+#
+# We do want to persist some data between jobs, so we'll symlink specific directories
+function isolate_home() {
+    PERSISTED_HOME="$HOME"
+
+    mkdir -p /home/.terraform.d
+    export HOME=/home
+
+    mkdir -p "$PERSISTED_HOME/.dflook-terraform-github-actions/.terraform.d/plugin-cache"
+    ln -s "$PERSISTED_HOME/.dflook-terraform-github-actions" "$HOME/.dflook-terraform-github-actions"
+    ln -s "$PERSISTED_HOME/.dflook-terraform-github-actions/.terraform.d/plugin-cache" "$HOME/.terraform.d/plugin-cache"
+}
+isolate_home
+
 # shellcheck source=../workflow_commands.sh
 source /usr/local/workflow_commands.sh
 
@@ -37,12 +57,8 @@ function debug() {
     debug_cmd pwd
     debug_cmd ls -la
     debug_cmd printenv
-
-    if [[ -L "$HOME" ]]; then
-      debug_cmd ls -la "$HOME"
-    fi
-
-    debug_cmd ls -la "$HOME/"
+    debug_cmd tree "$HOME"
+    debug_cmd tree "$PERSISTED_HOME"
     debug_file "$GITHUB_EVENT_PATH"
     echo
 }
@@ -484,14 +500,13 @@ function fix_owners() {
         debug_cmd ls -la "$GITHUB_WORKSPACE/.dflook-terraform-github-actions"
     fi
 
-    debug_cmd ls -la "$HOME"
-    if [[ -d "$HOME/.dflook-terraform-github-actions" ]]; then
-        chown -R --reference "$HOME" "$HOME/.dflook-terraform-github-actions" || true
-        debug_cmd ls -la "$HOME/.dflook-terraform-github-actions"
+    debug_cmd tree "$PERSISTED_HOME"
+    if [[ -d "$PERSISTED_HOME/.dflook-terraform-github-actions" ]]; then
+        chown -R --reference "$PERSISTED_HOME" "$PERSISTED_HOME/.dflook-terraform-github-actions" || true
     fi
-    if [[ -d "$HOME/.terraform.d" ]]; then
-        chown -R --reference "$HOME" "$HOME/.terraform.d" || true
-        debug_cmd ls -la "$HOME/.terraform.d"
+
+    if [[ -d "$PERSISTED_HOME/.terraform.d" ]]; then
+        chown -R --reference "$PERSISTED_HOME" "$PERSISTED_HOME/.terraform.d" || true
     fi
 
     if [[ -d "$INPUT_PATH" ]]; then