diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6cbbcbe..e27ca27 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -263,6 +263,16 @@ jobs: HUGO_VERSION=v${{ steps.release.outputs.version }} HUGO_EXTENDED=${{ matrix.extended }} + - name: Check container user + if: steps.needs-build.outputs.build == true + run: | + WHOAMI=$(docker run --rm hugomods/hugo:test whoami) + echo $WHOAMI + if [[ "$WHOAMI" != "hugo" ]] + then + echo "Expected user "hugo", got "$WHOAMI"." && exit 1; + fi + - id: hugo-version name: Save Hugo version for subsequent tests. if: steps.needs-build.outputs.build == true diff --git a/docker/hugo/Dockerfile-dart-sass-base b/docker/hugo/Dockerfile-dart-sass-base index 3be8f9a..741ad92 100644 --- a/docker/hugo/Dockerfile-dart-sass-base +++ b/docker/hugo/Dockerfile-dart-sass-base @@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder FROM alpine:edge -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/dart-sass + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/Dockerfile-dart-sass-git b/docker/hugo/Dockerfile-dart-sass-git index af78e45..9a6a986 100644 --- a/docker/hugo/Dockerfile-dart-sass-git +++ b/docker/hugo/Dockerfile-dart-sass-git @@ -3,8 +3,8 @@ INCLUDE+ ./Dockerfile-builder FROM alpine:edge -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/dart-sass INCLUDE+ ./snippets/git + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/Dockerfile-dart-sass-go b/docker/hugo/Dockerfile-dart-sass-go index 7b79af4..946f6d7 100644 --- a/docker/hugo/Dockerfile-dart-sass-go +++ b/docker/hugo/Dockerfile-dart-sass-go @@ -3,8 +3,8 @@ INCLUDE+ ./Dockerfile-builder FROM alpine:edge -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/dart-sass INCLUDE+ ./snippets/go + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/Dockerfile-dart-sass-go-git b/docker/hugo/Dockerfile-dart-sass-go-git index 965e581..688784a 100644 --- a/docker/hugo/Dockerfile-dart-sass-go-git +++ b/docker/hugo/Dockerfile-dart-sass-go-git 
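Review bot: In the `Check container user` step of `.github/workflows/build.yml`, the failure message `echo "Expected user "hugo", got "$WHOAMI"."` closes and reopens its double quotes, so the inner quotes are never printed and `$WHOAMI` is expanded unquoted, as it also is in `echo $WHOAMI`. Writing it as `echo "Expected user 'hugo', got '$WHOAMI'." >&2; exit 1` keeps the value intact in the job log. The step asserts only the account name, while non-root enforcement is decided by UID, so consider also failing when `docker run --rm hugomods/hugo:test id -u` prints `0`. The guard `steps.needs-build.outputs.build == true` compares a step output, which is always a string, with a boolean; the step that sets it is outside this hunk, so confirm the condition really evaluates true, otherwise this check is silently skipped.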
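Review bot: Moving `INCLUDE+ ./snippets/common` to the last line of `docker/hugo/Dockerfile-dart-sass-base` leaves the ordering constraint undocumented in the Dockerfile itself. The snippet now ends by switching to `USER hugo:hugo`, so a snippet included after it would presumably run its install steps as the unprivileged user and fail. A one-line comment above the include, e.g. `# keep last: snippets/common switches to the non-root user`, would stop a later edit from reordering it. The same applies to the identical moves in `Dockerfile-dart-sass-git`, `Dockerfile-dart-sass-go`, `Dockerfile-dart-sass-go-git`, `Dockerfile-git`, `Dockerfile-go-git` and `Dockerfile-node-git`.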
@@ -3,10 +3,10 @@ INCLUDE+ ./Dockerfile-builder FROM alpine:edge -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/dart-sass INCLUDE+ ./snippets/git INCLUDE+ ./snippets/go + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/Dockerfile-git b/docker/hugo/Dockerfile-git index 03b67b1..e8e9c2b 100644 --- a/docker/hugo/Dockerfile-git +++ b/docker/hugo/Dockerfile-git @@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder FROM alpine -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/git + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/Dockerfile-go-git b/docker/hugo/Dockerfile-go-git index 988be44..d0fca3d 100644 --- a/docker/hugo/Dockerfile-go-git +++ b/docker/hugo/Dockerfile-go-git @@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder FROM golang:alpine -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/git + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/Dockerfile-node-git b/docker/hugo/Dockerfile-node-git index 88cb784..79e0d98 100644 --- a/docker/hugo/Dockerfile-node-git +++ b/docker/hugo/Dockerfile-node-git @@ -3,6 +3,6 @@ INCLUDE+ ./Dockerfile-builder FROM node:alpine -INCLUDE+ ./snippets/common - INCLUDE+ ./snippets/git + +INCLUDE+ ./snippets/common diff --git a/docker/hugo/snippets/common b/docker/hugo/snippets/common index 18afc35..55a220a 100644 --- a/docker/hugo/snippets/common +++ b/docker/hugo/snippets/common @@ -1,3 +1,4 @@ +# this code snippet MUST be placed at the end of Dockerfile. ARG HUGO_EXTENDED= # libc6-compat & libstdc++ are required for extended SASS libraries @@ -8,8 +9,16 @@ RUN apk add --update --no-cache ca-certificates # copy Hugo binary from builder. COPY --from=builder /usr/bin/hugo /usr/bin/hugo +# create non-root user +RUN deluser --remove-home node || true +RUN addgroup -g 1000 hugo \ + && adduser -u 1000 -G hugo -s /bin/sh -D hugo +USER hugo:hugo + # working directory. WORKDIR /src +RUN chown -R hugo:hugo /src + # default command. CMD hugo env
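Review bot: In the second hunk of `docker/hugo/snippets/common`, `USER hugo:hugo` is set before `WORKDIR /src` and `RUN chown -R hugo:hugo /src`, so the chown runs as `hugo` rather than root. It can only succeed if the builder already created `/src` owned by that user, which is builder-dependent; where `WORKDIR` creates the directory as root the step fails with a permission error. Ordering the lines as `WORKDIR /src`, `RUN chown -R hugo:hugo /src`, then `USER 1000:1000` removes that dependency. The numeric form also lets runtimes that enforce non-root by UID (for example Kubernetes `runAsNonRoot`) verify the image, which they cannot do from a user name. Separately, `deluser --remove-home node || true` hides every failure, not only a missing `node` account.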