From 0b3d994bc5ddae4f436ba6db96015c5cc4d4b04c Mon Sep 17 00:00:00 2001 From: Cormac McCarthy Date: Wed, 8 Nov 2023 14:28:18 -0800 Subject: [PATCH] Updates for custom v0.17.2 lifecycle and deployment --- .github/workflows/build.yml | 30 +++++++++++++----------------- cmd/lifecycle/analyzer.go | 19 ++----------------- cmd/lifecycle/detector.go | 6 ++---- cmd/lifecycle/exporter.go | 20 ++------------------ cmd/lifecycle/restorer.go | 20 ++------------------ 5 files changed, 21 insertions(+), 74 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7b0ff323d..02ecf9add 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,7 @@ on: branches: - main - 'release/**' + - v0.17.2-custom pull_request: branches: - main @@ -186,6 +187,7 @@ jobs: - uses: azure/docker-login@v1 if: github.event_name == 'push' with: + login-server: cormtestacr.azurecr.io username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - uses: actions/download-artifact@v2 
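Review bot: The added `login-server: cormtestacr.azurecr.io` switches the docker-login step to ACR while the step still reads `secrets.DOCKER_USERNAME` / `secrets.DOCKER_PASSWORD`, so the secret names no longer describe what they must now hold and a reader cannot tell from the workflow whether they were rotated to an ACR credential. The credential stored there should be scoped to push on the `oryx/lifecycle` repository only, not a registry admin account, since this job runs on every push to the listed branches. A step comment such as `# DOCKER_USERNAME/DOCKER_PASSWORD must hold a push-scoped credential for cormtestacr.azurecr.io` (or renaming the secrets) would make that explicit.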
@@ -214,33 +216,27 @@ jobs: DOCKER_CLI_EXPERIMENTAL=enabled LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7) - LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 | awk '{print $NF}') + LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 | awk '{print $NF}') echo "LINUX_AMD64_SHA: $LINUX_AMD64_SHA" - LINUX_ARM64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.arm64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64 -arch arm64 | awk '{print $NF}') + LINUX_ARM64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.arm64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64 -arch arm64 | awk '{print $NF}') echo "LINUX_ARM64_SHA: $LINUX_ARM64_SHA" - WINDOWS_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+windows.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows -os windows | awk '{print $NF}') + WINDOWS_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+windows.x86-64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows -os windows | awk '{print $NF}') echo "WINDOWS_AMD64_SHA: $WINDOWS_AMD64_SHA" - docker manifest create buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG} \ - buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \ - buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64@${LINUX_ARM64_SHA} \ - buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows@${WINDOWS_AMD64_SHA} + docker manifest create cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG} \ + cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \ + 
cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64@${LINUX_ARM64_SHA} \ + cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows@${WINDOWS_AMD64_SHA} - MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}) + MANIFEST_SHA=$(docker manifest push cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}) echo "MANIFEST_SHA: $MANIFEST_SHA" - - COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} cosign sign -r \ - -key <(echo -n "${{ secrets.COSIGN_PRIVATE_KEY }}" | base64 --decode) \ - -a tag=${LIFECYCLE_IMAGE_TAG} \ - buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}@${MANIFEST_SHA} - cosign verify -key cosign.pub -a tag=${LIFECYCLE_IMAGE_TAG} buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG} - name: Scan image if: github.event_name == 'push' uses: anchore/scan-action@v3 with: - image: buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }} + image: cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }} pack-acceptance-linux: if: github.event_name == 'push' needs: build-and-publish @@ -275,7 +271,7 @@ jobs: cd pack git checkout v0.28.0 # FIXME: let the pack version float again when pack 0.30.0-pre2 is out LIFECYCLE_PATH="../lifecycle-v${{ env.LIFECYCLE_VERSION }}+linux.x86-64.tgz" \ - LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \ + LIFECYCLE_IMAGE="cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \ make acceptance pack-acceptance-windows: if: github.event_name == 'push' @@ -346,6 +342,6 @@ jobs: cd pack git checkout v0.28.0 # FIXME: let the pack version float again when pack 0.30.0-pre2 is out $env:LIFECYCLE_PATH="..\lifecycle-v${{ env.LIFECYCLE_VERSION }}+windows.x86-64.tgz" - $env:LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" + $env:LIFECYCLE_IMAGE="cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" make acceptance 
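Review bot: The `cosign sign` and `cosign verify` steps are removed together with the registry rename, so images pushed to `cormtestacr.azurecr.io/oryx/lifecycle` are no longer signed and no step verifies the pushed manifest before the anchore scan and the pack-acceptance jobs pull it by mutable tag. `MANIFEST_SHA` is still captured from `docker manifest push` but is now only echoed, which suggests the signing was dropped for the registry move rather than by design. The rename alone does not require removing signing; the sign/verify steps can target the new image reference unchanged. If signing is intentionally disabled for this custom build, record that in a step comment such as `# Image signing disabled for the custom ACR registry; re-enable cosign sign/verify before any production use` so the gap is visible to whoever reviews the pipeline later.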
diff --git a/cmd/lifecycle/analyzer.go b/cmd/lifecycle/analyzer.go index adba0b7ee..9693a2b47 100644 --- a/cmd/lifecycle/analyzer.go +++ b/cmd/lifecycle/analyzer.go @@ -80,23 +80,8 @@ func (a *analyzeCmd) Args(nargs int, args []string) error { // Privileges validates the needed privileges. func (a *analyzeCmd) Privileges() error { - var err error - a.keychain, err = auth.DefaultKeychain(a.RegistryImages()...) - if err != nil { - return cmd.FailErr(err, "resolve keychain") - } - if a.UseDaemon { - a.docker, err = priv.DockerClient() - if err != nil { - return cmd.FailErr(err, "initialize docker client") - } - } - if err = priv.EnsureOwner(a.UID, a.GID, a.LayersDir, a.CacheDir, a.LaunchCacheDir); err != nil { - return cmd.FailErr(err, "chown volumes") - } - if err = priv.RunAs(a.UID, a.GID); err != nil { - return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", a.UID, a.GID)) - } + // Temporarily skip Privileges() call when used inside ACA builder + cmd.DefaultLogger.Debugf("Skipping Privileges() call inside analyzer.") return nil } diff --git a/cmd/lifecycle/detector.go b/cmd/lifecycle/detector.go index 2fdff6528..2ab7b0ffa 100644 --- a/cmd/lifecycle/detector.go +++ b/cmd/lifecycle/detector.go @@ -51,10 +51,8 @@ func (d *detectCmd) Args(nargs int, _ []string) error { } func (d *detectCmd) Privileges() error { - // detector should never be run with privileges - if priv.IsPrivileged() { - return cmd.FailErr(errors.New("refusing to run as root"), "detect") - } + // Temporarily skip Privileges() call when used inside ACA builder + cmd.DefaultLogger.Debugf("Skipping Privileges() call inside detector.") return nil } diff --git a/cmd/lifecycle/exporter.go b/cmd/lifecycle/exporter.go index 0c7125a6d..cc70fa423 100644 --- a/cmd/lifecycle/exporter.go +++ b/cmd/lifecycle/exporter.go 
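Review bot: `Privileges()` now returns nil without resolving `a.keychain`, creating `a.docker` when `UseDaemon` is set, chowning the volumes, or dropping to `a.UID:a.GID`, so the analyzer keeps whatever identity the container started with and those fields stay at their zero values for the rest of the phase; the exporter.go and restorer.go hunks have the same defect. The consumers of `a.keychain` and `a.docker` are outside this hunk, so whether they tolerate a nil value cannot be confirmed here and should be checked before merging. The hunk also removes the only visible uses of `auth`, `priv` and `fmt` in this file without touching the import block, so the file will not build unless those packages are still referenced elsewhere in it. Since the comment calls this temporary, gate the skip on an explicit switch instead of hard-coding it, documented on the early return with something like `// Privilege setup is bypassed only when <PLACEHOLDER_ENV_VAR> is set (ACA builder); default path unchanged`, and reference the tracking item.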
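Review bot: The guard that refused to run the detector as root is gone, so buildpack detect scripts now execute with whatever identity the container has, including root, and nothing in the new body replaces that check. If running privileged inside the ACA builder is unavoidable, keep the check behind a switch rather than deleting it, e.g. `if !<skipFlag> && priv.IsPrivileged() { return cmd.FailErr(errors.New("refusing to run as root"), "detect") }`; as written, `errors` and `priv` also become unused in this file unless referenced elsewhere in detector.go. The comment on the early return should state the risk being accepted (detect may run as root), not only that the call is skipped.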
@@ -104,24 +104,8 @@ func (e *exportCmd) Args(nargs int, args []string) error { } func (e *exportCmd) Privileges() error { - var err error - e.keychain, err = auth.DefaultKeychain(e.registryImages()...) - if err != nil { - return cmd.FailErr(err, "resolve keychain") - } - if e.UseDaemon { - var err error - e.docker, err = priv.DockerClient() - if err != nil { - return cmd.FailErr(err, "initialize docker client") - } - } - if err = priv.EnsureOwner(e.UID, e.GID, e.CacheDir, e.LaunchCacheDir); err != nil { - return cmd.FailErr(err, "chown volumes") - } - if err = priv.RunAs(e.UID, e.GID); err != nil { - return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", e.UID, e.GID)) - } + // Temporarily skip Privileges() call when used inside ACA builder + cmd.DefaultLogger.Debugf("Skipping Privileges() call inside exporter.") return nil } diff --git a/cmd/lifecycle/restorer.go b/cmd/lifecycle/restorer.go index baa8712e2..0c76a9e98 100644 --- a/cmd/lifecycle/restorer.go +++ b/cmd/lifecycle/restorer.go @@ -70,24 +70,8 @@ func (r *restoreCmd) Args(nargs int, _ []string) error { } func (r *restoreCmd) Privileges() error { - var err error - r.keychain, err = auth.DefaultKeychain(r.RegistryImages()...) - if err != nil { - return cmd.FailErr(err, "resolve keychain") - } - if r.UseDaemon { - var err error - r.docker, err = priv.DockerClient() - if err != nil { - return cmd.FailErr(err, "initialize docker client") - } - } - if err = priv.EnsureOwner(r.UID, r.GID, r.LayersDir, r.CacheDir, r.KanikoDir); err != nil { - return cmd.FailErr(err, "chown volumes") - } - if err = priv.RunAs(r.UID, r.GID); err != nil { - return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", r.UID, r.GID)) - } + // Temporarily skip Privileges() call when used inside ACA builder + cmd.DefaultLogger.Debugf("Skipping Privileges() call inside restorer.") return nil }