From 2a7612173897ff8f3f64ab5e91f24bc90fac0acb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Fri, 21 Jul 2023 16:40:01 +0200 Subject: [PATCH 1/9] feat: allow to override docker command and user Add an option to specify a docker command and a docker user. It is useful if you need to customize your image before running `renovate`. It maybe a partial option for https://github.com/renovatebot/renovate/issues/8804 The idea start from this discussion https://github.com/renovatebot/renovate/discussions/23500 --- README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ action.yml | 9 +++++++++ src/input.ts | 9 +++++++++ src/renovate.ts | 19 +++++++++++++++++++ 4 files changed, 84 insertions(+) diff --git a/README.md b/README.md index d8231b0f225..f984f4ff14d 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,8 @@ GitHub Action to run Renovate self-hosted. - [`token`](#token) - [`renovate-image`](#renovate-image) - [`renovate-version`](#renovate-version) + - [`docker-cmd-file`](#docker-cmd-file) + - [`docker-user`](#docker-user) - [Example](#example) - [Environment Variables](#environment-variables) - [Passing other environment variables](#passing-other-environment-variables) 
@@ -172,6 +174,51 @@ jobs: We recommend you pin the version of Renovate to a full version or a full checksum, and use Renovate's regex manager to create PRs to update the pinned version. See `.github/workflows/build.yml` for an example of how to do this. +### `docker-cmd-file` + +Specify a command to run when the image start. By default the image run +`renovate` + +This option is useful to customize the image before running `renovate` + +For example you can create a simple script like this one (let's call it +`renovate-entrypoint.sh`) + +```sh +#!/bin/bash + +apt update + +apt install -y build-essential libpq-dev + +runuser -u ubuntu renovate +``` + +Now use this action + +```yml +.... +jobs: + renovate: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3.5.3 + - name: Self-hosted Renovate + uses: renovatebot/github-action@v39.0.0 + with: + docker-cmd-file: .github/renovate-entrypoint.sh + docker-user: root + token: ${{ secrets.RENOVATE_TOKEN }} +``` + +### `docker-user` + +Specify a user (or user-id) to run docker command. + +You can use it with [`docker-cmd-file`](#docker-cmd-file) in order to start the +image as root, do some customization and switch back to a unprivileged user. + ## Example This example uses a Personal Access Token and will run every 15 minutes. diff --git a/action.yml b/action.yml index 325990a578b..4306b0b566a 100644 --- a/action.yml +++ b/action.yml @@ -36,6 +36,15 @@ inputs: can use Docker. Also add the user inside the renovate container to the docker group for socket permissions. required: false + docker-cmd-file: + description: | + Override docker command. Default command is `renovate` + required: false + docker-user: + description: | + Docker user. Default to an unprivileged user + required: false + runs: using: node16 main: dist/index.js diff --git a/src/input.ts b/src/input.ts index f24a6301da5..c3e7ce4f099 100644 --- a/src/input.ts +++ b/src/input.ts 
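Review bot: The `docker-cmd-file` description in the action.yml hunk, "Override docker command", does not say that the value is a path to a file on the runner. Per the src/renovate.ts change in this same patch, that file is bind-mounted into the container and passed as the command, so I would describe it as `Path to an executable file on the runner; it is mounted into the container and run instead of the default renovate command`. The `docker-user` description should likewise say that the value is handed to `docker run --user`. It should also say that `root` is meant only for a setup phase, after which the script drops back to the unprivileged user, as the README example does with `runuser`.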
@@ -73,6 +73,15 @@ class Input { return core.getInput('mount-docker-socket') === 'true'; } + getDockerCmdFile(): string | null { + const cmdFile = core.getInput('docker-cmd-file'); + return !!cmdFile && cmdFile !== '' ? path.resolve(cmdFile) : null; + } + + getDockerUser(): string | null { + return core.getInput('docker-user') || null; + } + /** * Convert to environment variables. * diff --git a/src/renovate.ts b/src/renovate.ts index 9677c85043a..33f06ca7feb 100644 --- a/src/renovate.ts +++ b/src/renovate.ts @@ -7,6 +7,7 @@ import path from 'path'; class Renovate { static dockerGroupRegex = /^docker:x:(?[1-9][0-9]*):/m; private configFileMountDir = '/github-action'; + private entrypointMountDir = '/'; private docker: Docker; @@ -39,8 +40,26 @@ class Renovate { ); } + const docker_cmd_file = this.input.getDockerCmdFile(); + let docker_cmd = null; + if (docker_cmd_file !== null) { + const baseName = path.basename(docker_cmd_file); + const mountPath = path.join(this.entrypointMountDir, baseName); + dockerArguments.push(`--volume ${docker_cmd_file}:${mountPath}`); + docker_cmd = mountPath; + } + + const docker_user = this.input.getDockerUser(); + if (docker_user !== null) { + dockerArguments.push(`--user ${docker_user}`); + } + dockerArguments.push('--volume /tmp:/tmp', '--rm', this.docker.image()); + if (docker_cmd !== null) { + dockerArguments.push(docker_cmd); + } + const command = `docker run ${dockerArguments.join(' ')}`; const code = await exec(command); From 2f762aabaab6d1bba627ee31a7942c7dd3345bd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Mon, 24 Jul 2023 08:20:42 +0200 Subject: [PATCH 2/9] fix: add e2e test --- .github/workflows/build.yml | 2 ++ example/entrypoint.sh | 7 +++++++ 2 files changed, 9 insertions(+) create mode 100755 example/entrypoint.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 817d17dcb99..e14e719037a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
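Review bot: `getDockerCmdFile` in the src/input.ts hunk resolves the input to an absolute path but never checks that it names an existing regular file, and the result is later used as the host side of a `--volume` bind mount. With `-v`, Docker creates a missing host path as a directory, so a typo in the input would surface as an opaque container start failure rather than a clear input error. A guard such as `if (!fs.existsSync(resolved) || !fs.statSync(resolved).isFile()) throw new Error('docker-cmd-file not found');` would fail early; whether `fs` is already imported in this file is not visible here. Separately, `!!cmdFile && cmdFile !== ''` is redundant, because `!!cmdFile` already excludes the empty string, so `cmdFile ? path.resolve(cmdFile) : null` is enough. The `Input` class starts and ends outside the hunk.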
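Review bot: In the second src/renovate.ts hunk, both new inputs are interpolated unquoted, in `--volume ${docker_cmd_file}:${mountPath}` and `--user ${docker_user}`, into strings that are then joined with spaces into a single `docker run ...` command line. A value containing whitespace is therefore split into extra arguments: a script path with a space breaks the mount, and a `docker-user` value can carry further `docker run` options, which matters if a workflow fills the input from a less trusted expression. I would validate before building the arguments, e.g. `if (!/^[\w.-]+(:[\w.-]+)?$/.test(docker_user)) throw new Error('invalid docker-user');`, and reject whitespace in the resolved script path. The script could also be mounted read-only with `${docker_cmd_file}:${mountPath}:ro`, since the container may now run as root. How `exec` tokenises the string is not visible here and the enclosing method starts and ends outside the hunk; the later revisions of this block in PATCH 4/9, 8/9 and 9/9 keep the same interpolation.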
@@ -93,6 +93,8 @@ jobs: with: configurationFile: ${{ matrix.configurationFile }} renovate-version: ${{ env.RENOVATE_VERSION }} + docker-cmd-file: example/entrypoint.sh + docker-user: root release: needs: [lint, commitlint, e2e] diff --git a/example/entrypoint.sh b/example/entrypoint.sh new file mode 100755 index 00000000000..33d592ded30 --- /dev/null +++ b/example/entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +apt update && apt install -y sl + +exec runuser -u ubuntu renovate From 901a396a0a356ad343152e580a7601d6b454e95b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Mon, 7 Aug 2023 09:06:10 +0200 Subject: [PATCH 3/9] Update example/entrypoint.sh Co-authored-by: Michael Kriese --- example/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example/entrypoint.sh b/example/entrypoint.sh index 33d592ded30..d7ab0985137 100755 --- a/example/entrypoint.sh +++ b/example/entrypoint.sh @@ -2,6 +2,6 @@ set -e -apt update && apt install -y sl +install-apt sl exec runuser -u ubuntu renovate From 854807cf1dfc05f1ea19e6d2bd7aba600f672b73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Mon, 7 Aug 2023 09:10:49 +0200 Subject: [PATCH 4/9] fix: inline variable --- src/renovate.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/renovate.ts b/src/renovate.ts index 33f06ca7feb..741b2bc01be 100644 --- a/src/renovate.ts +++ b/src/renovate.ts @@ -7,7 +7,6 @@ import path from 'path'; class Renovate { static dockerGroupRegex = /^docker:x:(?[1-9][0-9]*):/m; private configFileMountDir = '/github-action'; - private entrypointMountDir = '/'; private docker: Docker; 
@@ -44,7 +43,7 @@ class Renovate { let docker_cmd = null; if (docker_cmd_file !== null) { const baseName = path.basename(docker_cmd_file); - const mountPath = path.join(this.entrypointMountDir, baseName); + const mountPath = path.join('/', baseName); dockerArguments.push(`--volume ${docker_cmd_file}:${mountPath}`); docker_cmd = mountPath; } From 497ab17c08ea47c7e886e8ebe73d05fdc5ccd035 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Fri, 25 Aug 2023 11:01:04 +0200 Subject: [PATCH 5/9] Update README.md Co-authored-by: Michael Kriese --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index f984f4ff14d..5bb330dc88a 100644 --- a/README.md +++ b/README.md @@ -176,13 +176,16 @@ See `.github/workflows/build.yml` for an example of how to do this. ### `docker-cmd-file` -Specify a command to run when the image start. By default the image run -`renovate` - -This option is useful to customize the image before running `renovate` +Specify a command to run when the image start. +By default the image run +`renovate`. +This option is useful to customize the image before running `renovate`. +It must be an existing executable file on the local system. +It will be mounted to the docker container. For example you can create a simple script like this one (let's call it -`renovate-entrypoint.sh`) +`renovate-entrypoint.sh`). + ```sh #!/bin/bash From 8f4f0e5a2e45099c9a9a5d1b48dcd7f93f215348 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Fri, 25 Aug 2023 11:05:12 +0200 Subject: [PATCH 6/9] fix: split e2e test + update README --- .github/workflows/build.yml | 8 +++ README.md | 99 ++++++++++++++++++------------------- 2 files changed, 57 insertions(+), 50 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e14e719037a..df275bedabd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -87,6 +87,14 @@ jobs: RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }} - name: Renovate test + uses: ./ + env: + LOG_LEVEL: debug + with: + configurationFile: ${{ matrix.configurationFile }} + renovate-version: ${{ env.RENOVATE_VERSION }} + + - name: Renovate test with entrypoint uses: ./ env: LOG_LEVEL: debug diff --git a/README.md b/README.md index 5bb330dc88a..8999333fc94 100644 --- a/README.md +++ b/README.md @@ -11,13 +11,13 @@ GitHub Action to run Renovate self-hosted. - [Badges](#badges) - [Options](#options) - [`configurationFile`](#configurationfile) + - [`docker-cmd-file`](#docker-cmd-file) + - [`docker-user`](#docker-user) - [`env-regex`](#env-regex) - [`mount-docker-socket`](#mount-docker-socket) - [`token`](#token) - [`renovate-image`](#renovate-image) - [`renovate-version`](#renovate-version) - - [`docker-cmd-file`](#docker-cmd-file) - - [`docker-user`](#docker-user) - [Example](#example) - [Environment Variables](#environment-variables) - [Passing other environment variables](#passing-other-environment-variables) 
@@ -66,6 +66,53 @@ This disables the requirement of a configuration file for the repository and dis requireConfig: false, ``` +### `docker-cmd-file` + +Specify a command to run when the image start. +By default the image run +`renovate`. +This option is useful to customize the image before running `renovate`. +It must be an existing executable file on the local system. +It will be mounted to the docker container. + +For example you can create a simple script like this one (let's call it +`renovate-entrypoint.sh`). + +```sh +#!/bin/bash + +apt update + +apt install -y build-essential libpq-dev + +runuser -u ubuntu renovate +``` + +Now use this action + +```yml +.... +jobs: + renovate: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3.5.3 + - name: Self-hosted Renovate + uses: renovatebot/github-action@v39.0.0 + with: + docker-cmd-file: .github/renovate-entrypoint.sh + docker-user: root + token: ${{ secrets.RENOVATE_TOKEN }} +``` + +### `docker-user` + +Specify a user (or user-id) to run docker command. + +You can use it with [`docker-cmd-file`](#docker-cmd-file) in order to start the +image as root, do some customization and switch back to a unprivileged user. + ### `env-regex` Allows to configure the regex to define which environment variables are passed to the renovate container. 
@@ -174,54 +221,6 @@ jobs: We recommend you pin the version of Renovate to a full version or a full checksum, and use Renovate's regex manager to create PRs to update the pinned version. See `.github/workflows/build.yml` for an example of how to do this. -### `docker-cmd-file` - -Specify a command to run when the image start. -By default the image run -`renovate`. -This option is useful to customize the image before running `renovate`. -It must be an existing executable file on the local system. -It will be mounted to the docker container. - -For example you can create a simple script like this one (let's call it -`renovate-entrypoint.sh`). - - -```sh -#!/bin/bash - -apt update - -apt install -y build-essential libpq-dev - -runuser -u ubuntu renovate -``` - -Now use this action - -```yml -.... -jobs: - renovate: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3.5.3 - - name: Self-hosted Renovate - uses: renovatebot/github-action@v39.0.0 - with: - docker-cmd-file: .github/renovate-entrypoint.sh - docker-user: root - token: ${{ secrets.RENOVATE_TOKEN }} -``` - -### `docker-user` - -Specify a user (or user-id) to run docker command. - -You can use it with [`docker-cmd-file`](#docker-cmd-file) in order to start the -image as root, do some customization and switch back to a unprivileged user. - ## Example This example uses a Personal Access Token and will run every 15 minutes. From 69cac2fd06770e758b2be17569b72ad0a3bc0ce4 Mon Sep 17 00:00:00 2001 From: Michael Kriese Date: Mon, 9 Oct 2023 11:43:31 +0200 Subject: [PATCH 7/9] Update src/renovate.ts --- src/renovate.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/renovate.ts b/src/renovate.ts index 741b2bc01be..62255899226 100644 --- a/src/renovate.ts +++ b/src/renovate.ts 
@@ -40,7 +40,7 @@ class Renovate { } const docker_cmd_file = this.input.getDockerCmdFile(); - let docker_cmd = null; + let docker_cmd: string | null = null; if (docker_cmd_file !== null) { const baseName = path.basename(docker_cmd_file); const mountPath = path.join('/', baseName); From 4368fa7fd2c034c3229dbb552d9d30f448fd002b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Mon, 16 Oct 2023 10:49:55 +0200 Subject: [PATCH 8/9] Update src/renovate.ts Co-authored-by: Michael Kriese --- src/renovate.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/renovate.ts b/src/renovate.ts index 62255899226..2c08f958440 100644 --- a/src/renovate.ts +++ b/src/renovate.ts @@ -43,7 +43,7 @@ class Renovate { let docker_cmd: string | null = null; if (docker_cmd_file !== null) { const baseName = path.basename(docker_cmd_file); - const mountPath = path.join('/', baseName); + const mountPath = `/${baseName}`; dockerArguments.push(`--volume ${docker_cmd_file}:${mountPath}`); docker_cmd = mountPath; } From 60a47eedf93ec26ae33ded025a4a0111373fed2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Cabessa?= Date: Mon, 16 Oct 2023 10:56:11 +0200 Subject: [PATCH 9/9] fix: use camelCase --- src/renovate.ts | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/renovate.ts b/src/renovate.ts index 2c08f958440..1ab0d0af3fc 100644 --- a/src/renovate.ts +++ b/src/renovate.ts 
@@ -39,24 +39,24 @@ class Renovate { ); } - const docker_cmd_file = this.input.getDockerCmdFile(); - let docker_cmd: string | null = null; - if (docker_cmd_file !== null) { - const baseName = path.basename(docker_cmd_file); + const dockerCmdFile = this.input.getDockerCmdFile(); + let dockerCmd: string | null = null; + if (dockerCmdFile !== null) { + const baseName = path.basename(dockerCmdFile); const mountPath = `/${baseName}`; - dockerArguments.push(`--volume ${docker_cmd_file}:${mountPath}`); - docker_cmd = mountPath; + dockerArguments.push(`--volume ${dockerCmdFile}:${mountPath}`); + dockerCmd = mountPath; } - const docker_user = this.input.getDockerUser(); - if (docker_user !== null) { - dockerArguments.push(`--user ${docker_user}`); + const dockerUser = this.input.getDockerUser(); + if (dockerUser !== null) { + dockerArguments.push(`--user ${dockerUser}`); } dockerArguments.push('--volume /tmp:/tmp', '--rm', this.docker.image()); - if (docker_cmd !== null) { - dockerArguments.push(docker_cmd); + if (dockerCmd !== null) { + dockerArguments.push(dockerCmd); } const command = `docker run ${dockerArguments.join(' ')}`;