Security improvements #8

This commit is contained in:
continuist 2025-09-05 18:59:51 -04:00
parent f11683256b
commit 2ce3195d35
3 changed files with 9 additions and 8 deletions


@ -16,7 +16,6 @@ env:
NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:...
POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }} # e.g., quay.io/podman/stable@sha256:...
SELINUX_ZLABEL: "" # set to ":z" if SELinux is enforcing
jobs:
test-backend:
@ -28,7 +27,7 @@ jobs:
run: |
for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
done
- name: Setup ephemeral PiP container
@ -82,7 +81,7 @@ jobs:
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
podman run --rm \
-v "$WORKSPACE":/workspace${SELINUX_ZLABEL} \
-v "$WORKSPACE":/workspace \
-w /workspace \
"'"${RUST_IMG_DIGEST}"'" \
sh -c "cargo test --lib -- --test-threads=1"'
@ -95,7 +94,7 @@ jobs:
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
podman run --rm \
--network integ-'"$RUN_ID"' \
-v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
-v "$WORKSPACE":/workspace \
-w /workspace \
-e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
"'"${RUST_IMG_DIGEST}"'" \
@ -121,7 +120,7 @@ jobs:
run: |
for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
done
- name: Setup ephemeral PiP container
@ -144,7 +143,7 @@ jobs:
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
podman run --rm \
-v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
-v "$WORKSPACE":/workspace \
-w /workspace \
"'"${NODE_IMG_DIGEST}"'" \
sh -c "npm ci && npm run test"'
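Review bot: Dropping `${SELINUX_ZLABEL}` from the workspace bind mounts (new lines L36, L45 and L62 here, and the socket/workspace mounts at L87–L88 in the launcher script) removes the only way this pipeline had to relabel the mount, so on a runner host with SELinux enforcing these `podman run` calls will most likely be denied access to `/workspace` unless the checkout already carries a container-accessible label; the `env:` hunk (L16–L22) appears to delete the knob itself along with the one comment that stated the assumption. Avoiding `:z` is a reasonable hardening step, since it relabels the host directory for every container that can reach it, but the resulting precondition should be written where the mounts are made, e.g. `# workspace is mounted without an SELinux relabel: runner must not enforce SELinux, or the checkout must be pre-labeled`. Separately, the one-shot `cargo test` and `npm` containers still run with podman's default capability set and a writable workspace; if the runner image tolerates it, adding `--cap-drop=ALL --security-opt=no-new-privileges` to these inner runs would fit the commit's intent at little cost. Each `run:` step's enclosing job starts outside the hunk.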


@ -5,6 +5,8 @@ After=default.target
[Service]
Type=simple
Environment="XDG_RUNTIME_DIR=/run/user/%U"
UMask=007
NoNewPrivileges=yes
ExecStartPre=/usr/bin/mkdir -p ${XDG_RUNTIME_DIR}/podman-host
ExecStartPre=/usr/bin/chmod 770 ${XDG_RUNTIME_DIR}/podman-host
ExecStart=/usr/bin/podman system service --time=0 unix://${XDG_RUNTIME_DIR}/podman-host/podman.sock
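Review bot: `NoNewPrivileges=yes` (L74) needs verification for this unit because it is a rootless user service (`XDG_RUNTIME_DIR=/run/user/%U` on L72), and rootless podman maps subordinate UIDs/GIDs through the setuid `newuidmap`/`newgidmap` helpers; with no_new_privs set those helpers cannot gain the privilege they rely on, so container creation through this socket may fail unless the user only needs a single-ID mapping. Confirm on the target host that containers still start through the service and record the result next to the directive, e.g. `# NoNewPrivileges disables setuid newuidmap/newgidmap; rootless podman verified working on this host`. Also, `UMask=007` (L73) together with the `chmod 770` on L76 intentionally grants the unit's primary group full access to the socket directory, and that socket is equivalent to a shell as this user; the group meant to consume it should be named in a comment on L73 so a later change does not widen the grant unknowingly.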


@ -40,8 +40,8 @@ podman run -d \
--network=none \
--tmpfs /run:rw,size=64M \
--tmpfs /tmp:rw,size=256M \
-v "${SOCKET_PATH}:/var/run/podman.sock${SELINUX_ZLABEL:-}" \
-v "${WORKSPACE}:/workspace:rw${SELINUX_ZLABEL:-}" \
-v "${SOCKET_PATH}:/var/run/podman.sock" \
-v "${WORKSPACE}:/workspace:rw" \
-e CONTAINER_HOST="unix:///var/run/podman.sock" \
"${PODMAN_CLIENT_IMG_DIGEST}" \
sleep infinity