From 13aeab1d5edea5d8b613eb866d781a6cf4f75677 Mon Sep 17 00:00:00 2001
From: Daniel Flook
Date: Wed, 20 Dec 2023 20:53:35 +0000
Subject: [PATCH] Isolate the container home dir from the mounted github_home

---
 image/actions.sh | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)

diff --git a/image/actions.sh b/image/actions.sh
index 43651ab9..05c73359 100644
--- a/image/actions.sh
+++ b/image/actions.sh
@@ -29,6 +29,26 @@ function repair_environment() {
 }
 repair_environment
 
+##
+# Isolate the home directory inside the container
+#
+# Instead of using the HOME directory mounted by the runner, we'll use one in the container
+# This is because the runner's home directory will be re-used between jobs, and we don't
+# want to leak credentials we have to place there.
+#
+# We do want to persist some data between jobs, so we'll symlink specific directories
+function isolate_home() {
+ PERSISTED_HOME="$HOME"
+
+ mkdir -p /home/.terraform.d
+ export HOME=/home
+
+ mkdir -p "$PERSISTED_HOME/.dflook-terraform-github-actions/.terraform.d/plugin-cache"
+ ln -s "$PERSISTED_HOME/.dflook-terraform-github-actions" "$HOME/.dflook-terraform-github-actions"
+ ln -s "$PERSISTED_HOME/.dflook-terraform-github-actions/.terraform.d/plugin-cache" "$HOME/.terraform.d/plugin-cache"
+}
+isolate_home
+
 # shellcheck source=../workflow_commands.sh
 source /usr/local/workflow_commands.sh
 
@@ -37,12 +57,8 @@ function debug() {
 debug_cmd pwd
 debug_cmd ls -la
 debug_cmd printenv
-
- if [[ -L "$HOME" ]]; then
- debug_cmd ls -la "$HOME"
- fi
-
- debug_cmd ls -la "$HOME/"
+ debug_cmd tree "$HOME"
+ debug_cmd tree "$PERSISTED_HOME"
 debug_file "$GITHUB_EVENT_PATH"
 echo
 }
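Review bot: `isolate_home` never checks that `$HOME` is set and non-empty before copying it into `PERSISTED_HOME`, so with an empty `HOME` the `mkdir -p` and both `ln -s` lines operate on `/.dflook-terraform-github-actions` at the filesystem root and the symlinks point there for the rest of the job; `: "${HOME:?HOME must be set before isolate_home runs}"` as the first line of the function closes that. The two `ln -s` calls also create the link *inside* the destination when `/home/.dflook-terraform-github-actions` or `/home/.terraform.d/plugin-cache` already exists as a directory, silently leaving the cache unconnected; since the script already relies on GNU coreutils (`chown --reference`), `ln -sT` makes that case fail loudly instead. The header comment should also state the invariant the symlink creates, because the whole of `$HOME/.dflook-terraform-github-actions` still lives in the runner's reused home even though `HOME` itself is now container-local: `# Everything under $HOME/.dflook-terraform-github-actions persists across jobs on this runner; only cache-grade data (never credentials or tokens) may be written there.`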
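Review bot: `tree` omits dotfiles unless given `-a`, so `debug_cmd tree "$HOME"` on the new `/home` will show neither `.terraform.d` nor the `.dflook-terraform-github-actions` symlink — the two entries this commit is about — whereas the removed `ls -la "$HOME/"` listed them. `tree "$PERSISTED_HOME"` additionally walks the entire runner home with no depth bound, which on a self-hosted runner can be large and prints the name of every file the runner user keeps there into the job log. `debug_cmd tree -a -L 3 "$HOME"` and `debug_cmd tree -a -L 3 "$PERSISTED_HOME"` keep the output useful and bounded. Whether the image actually installs `tree` is not visible in this patch; if it does not, the removed `ls -la` lines should stay. `debug()` opens before the hunk.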
@@ -484,14 +500,13 @@ function fix_owners() {
 debug_cmd ls -la "$GITHUB_WORKSPACE/.dflook-terraform-github-actions"
 fi
 
- debug_cmd ls -la "$HOME"
- if [[ -d "$HOME/.dflook-terraform-github-actions" ]]; then
- chown -R --reference "$HOME" "$HOME/.dflook-terraform-github-actions" || true
- debug_cmd ls -la "$HOME/.dflook-terraform-github-actions"
+ debug_cmd tree "$PERSISTED_HOME"
+ if [[ -d "$PERSISTED_HOME/.dflook-terraform-github-actions" ]]; then
+ chown -R --reference "$PERSISTED_HOME" "$PERSISTED_HOME/.dflook-terraform-github-actions" || true
 fi
- if [[ -d "$HOME/.terraform.d" ]]; then
- chown -R --reference "$HOME" "$HOME/.terraform.d" || true
- debug_cmd ls -la "$HOME/.terraform.d"
+
+ if [[ -d "$PERSISTED_HOME/.terraform.d" ]]; then
+ chown -R --reference "$PERSISTED_HOME" "$PERSISTED_HOME/.terraform.d" || true
 fi
 
 if [[ -d "$INPUT_PATH" ]]; then
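Review bot: The `debug_cmd ls -la` calls that showed ownership after each `chown -R` were dropped, and the `tree "$PERSISTED_HOME"` placed before the `if` neither lists dotfiles (no `-a`) nor prints owners, so whether the `chown --reference` calls took effect (both are `|| true`) is no longer observable in debug output; `debug_cmd tree -a -pug "$PERSISTED_HOME"` after the second `fi` would restore that. The `$PERSISTED_HOME/.terraform.d` branch also deserves a comment, because `isolate_home` now creates `.terraform.d` under `/home` and the plugin cache under `$PERSISTED_HOME/.dflook-terraform-github-actions/.terraform.d/`, so this branch only fires for a `.terraform.d` left in the runner home by something else — presumably an earlier version of the action; something like `# Not created by this version; fix up a .terraform.d left in the runner home by earlier versions so the runner user can still clean it up`. `fix_owners()` opens before the hunk and continues after it.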