From ed85673d7f37b4ef5555b43b41135b2cc6116d31 Mon Sep 17 00:00:00 2001
From: Caleb Maclennan
Date: Sat, 4 Feb 2023 17:35:35 +0300
Subject: [PATCH 1/2] refactor(docker): avoid copying volume inside container

---
 Dockerfile | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 194bfbce28..9efbc1a362 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,12 +15,26 @@ RUN cargo build --release --locked --no-default-features
 RUN rm -f target/release/deps/git_cliff*
 
 FROM debian:buster-slim as runner
+
+# Everything inside this container will be explicitly mounted by the end user,
+# so we can sidestep some Git security restrictions. This app recommends
+# mounting data to /app, but this *can* be changed externally and *will* be
+# changed when run by GitHub Actions, so we need to cover our bases.
+RUN echo '[safe]\n\tdirectory = *' > /etc/gitconfig
+
 COPY --from=builder /app/target/release/git-cliff /usr/local/bin
-WORKDIR git-home
-RUN cat <<'EOF' > entrypoint.sh
+WORKDIR app
+
+# Even if the repository as marked as safe, GitHub Actions and some other
+# environments insist on running the entrypoint as root inside the container
+# even when being run by a non priviledged user on their own files. Here we
+# check the ownership of the workdir (which may or may not be /app) and change
+# our effective user/group ID to match.
+RUN cat <<'EOF' > /usr/local/bin/entrypoint.sh
 #!/bin/sh
-cp -r /app /git-home/app
-cd /git-home/app
-exec git-cliff "$@"
+if [ "$(id -u)" -ne "$(stat -c '%u' .)" ]; then
+ eids="$(stat -c '--euid %u --egid %g' .)"
+fi
+exec ${eids:+setpriv --clear-groups $eids} git-cliff $@
 EOF
-ENTRYPOINT ["sh", "entrypoint.sh"]
+ENTRYPOINT ["sh", "/usr/local/bin/entrypoint.sh"]

From 8f3d4b2a0302d7329dacef7cb5303cc87224f191 Mon Sep 17 00:00:00 2001
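Review bot: The rewritten entrypoint loses the argument quoting the removed line had: `exec ${eids:+setpriv --clear-groups $eids} git-cliff $@` word-splits and glob-expands every user argument, so a value such as `--tag "v1.0 (final)"` reaches git-cliff as several arguments; keep `git-cliff "$@"` there (the `${eids:+...}` part is meant to split and can stay unquoted). Separately, `--euid`/`--egid` change only the effective IDs, so the real UID remains 0 and the process (or anything it spawns) can switch back to root with a plain setuid; if the aim is an actual privilege drop rather than only satisfying Git's ownership check, `stat -c '--reuid %u --regid %g' .` achieves that with no other change. The blanket `[safe] directory = *` in /etc/gitconfig switches off Git's ownership check for every path in the container, which the comment justifies for the fully-mounted case, but since the entrypoint now already matches the owner of the workdir it may be worth saying in that comment which remaining case (a repository outside the workdir, or a differently-owned one) still needs it. Finally `WORKDIR app` is a relative path (hadolint DL3000); `WORKDIR /app` states the location the comment above it promises.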
From: Caleb Maclennan
Date: Sat, 22 Apr 2023 22:56:07 +0300
Subject: [PATCH 2/2] docs(readme): Fix Docker tips to mount project, not just repository

Otherwise any project configs have no chance of being read...
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index fdafb38dac..9c130c1629 100644
--- a/README.md
+++ b/README.md
@@ -344,13 +344,13 @@ Also, see the [release script](./release.sh) of this project which sets the chan
 The easiest way of running **git-cliff** (in the git root directory with [configuration file](#configuration-file) present) is to use the [available tags](https://hub.docker.com/repository/docker/orhunp/git-cliff/tags) from [Docker Hub](https://hub.docker.com/repository/docker/orhunp/git-cliff):
 
 ```sh
-docker run -t -v "$(pwd)/.git":/app/ orhunp/git-cliff:latest
+docker run -t -v "$(pwd)":/app/ orhunp/git-cliff:latest
 ```
 
 Or you can use the image from the [GitHub Package Registry](https://github.com/orhun/git-cliff/packages/841947):
 
 ```sh
-docker run -t -v "$(pwd)/.git":/app/ docker.pkg.github.com/orhun/git-cliff/git-cliff:latest
+docker run -t -v "$(pwd)":/app/ docker.pkg.github.com/orhun/git-cliff/git-cliff:latest
 ```
 
 Also, you can build the image yourself using `DOCKER_BUILDKIT=1 docker build -t git-cliff .` command.