Create non-root user [build]

hugomods · Jun 26, 2024 · d235007 · d235007
1 parent f722746
commit d235007
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 14 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -263,6 +263,16 @@ jobs:
             HUGO_VERSION=v${{ steps.release.outputs.version }}
             HUGO_EXTENDED=${{ matrix.extended }}
 
+      - name: Check container user
+        if: steps.needs-build.outputs.build == true
+        run: |
+          WHOAMI=$(docker run --rm hugomods/hugo:test whoami)
+          echo $WHOAMI
+          if [[ "$WHOAMI" != "hugo" ]]
+          then
+            echo "Expected user "hugo", got "$WHOAMI"." && exit 1;
+          fi
+
       - id: hugo-version
         name: Save Hugo version for subsequent tests.
         if: steps.needs-build.outputs.build == true

diff --git a/docker/hugo/Dockerfile-dart-sass-base b/docker/hugo/Dockerfile-dart-sass-base
@@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM alpine:edge
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/dart-sass
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/Dockerfile-dart-sass-git b/docker/hugo/Dockerfile-dart-sass-git
@@ -3,8 +3,8 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM alpine:edge
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/dart-sass
 
 INCLUDE+ ./snippets/git
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/Dockerfile-dart-sass-go b/docker/hugo/Dockerfile-dart-sass-go
@@ -3,8 +3,8 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM alpine:edge
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/dart-sass
 
 INCLUDE+ ./snippets/go
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/Dockerfile-dart-sass-go-git b/docker/hugo/Dockerfile-dart-sass-go-git
@@ -3,10 +3,10 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM alpine:edge
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/dart-sass
 
 INCLUDE+ ./snippets/git
 
 INCLUDE+ ./snippets/go
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/Dockerfile-git b/docker/hugo/Dockerfile-git
@@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM alpine
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/git
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/Dockerfile-go-git b/docker/hugo/Dockerfile-go-git
@@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM golang:alpine
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/git
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/Dockerfile-node-git b/docker/hugo/Dockerfile-node-git
@@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder
 
 FROM node:alpine
 
-INCLUDE+ ./snippets/common
-
 INCLUDE+ ./snippets/git
+
+INCLUDE+ ./snippets/common
diff --git a/docker/hugo/snippets/common b/docker/hugo/snippets/common
@@ -1,3 +1,4 @@
+# this code snippet MUST be placed at the end of Dockerfile.
 ARG HUGO_EXTENDED=
 
 # libc6-compat & libstdc++ are required for extended SASS libraries
@@ -8,8 +9,16 @@ RUN apk add --update --no-cache ca-certificates
 # copy Hugo binary from builder.
 COPY --from=builder /usr/bin/hugo /usr/bin/hugo
 
+# create non-root user
+RUN deluser --remove-home node || true
+RUN addgroup -g 1000 hugo \
+  && adduser -u 1000 -G hugo -s /bin/sh -D hugo
+USER hugo:hugo
+
 # working directory.
 WORKDIR /src
 
+RUN chown -R hugo:hugo /src
+
 # default command.
 CMD hugo env