From 9fafe288c78072bf688f4b5f430a91e088b8b504 Mon Sep 17 00:00:00 2001
From: continuist
Date: Thu, 4 Sep 2025 23:43:29 -0400
Subject: [PATCH] Security improvements #5

---
 .forgejo/workflows/ci.yml | 1 +
 secure_pip_setup.sh | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 5a08654..927b687 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -71,6 +71,7 @@ jobs:
 run: |
 podman exec -e WORKSPACE="${GITHUB_WORKSPACE}" ci-pip-$RUN_ID sh -lc \
 'podman run --rm \
+ --network integ-$RUN_ID \
 -v "$WORKSPACE":/workspace \
 -w /workspace \
 -e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
diff --git a/secure_pip_setup.sh b/secure_pip_setup.sh
index 8513260..6e84765 100644
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@@ -57,8 +57,8 @@ podman run -d \
 --network=none \
 --tmpfs /run:rw,size=64M \
 --tmpfs /tmp:rw,size=256M \
- -v "${SOCKET_PATH}:/var/run/podman.sock:z" \
- -v "${WORKSPACE}:/workspace:rw,z" \
+ -v "${SOCKET_PATH}:/var/run/podman.sock" \
+ -v "${WORKSPACE}:/workspace:rw" \
 -e CONTAINER_HOST="unix:///var/run/podman.sock" \
 "${PODMAN_IMAGE}" \
 sleep infinity
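Review bot: The added `--network integ-$RUN_ID` sits inside the single-quoted script that the inner `sh -lc` runs, so `$RUN_ID` is expanded in the ci-pip container's environment rather than on the runner; the `podman exec` on the line above forwards only `WORKSPACE`, so unless that container already carries `RUN_ID` from its creation the nested container joins a network named `integ-` (or fails to start). Forward it the same way the workspace path is forwarded, `podman exec -e WORKSPACE="${GITHUB_WORKSPACE}" -e RUN_ID="${RUN_ID}" ci-pip-$RUN_ID sh -lc \`. The `run:` block continues past the end of the hunk.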
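Review bot: Dropping `:z` from the socket and workspace mounts changes behaviour only on SELinux-enforcing hosts, where the container will now be denied access to `${SOCKET_PATH}` and `${WORKSPACE}` unless those paths already carry a container-accessible label; neither the hunk nor the commit message records which case is intended. Avoiding the relabel is defensible, since `:z` would have relabelled the host's own podman socket, but that assumption belongs in a comment next to the mounts, e.g. `# no :z on purpose: relabelling the host socket/workspace is avoided; host labels must already permit container access`, so it is not re-added the first time the setup fails on a Fedora/RHEL host. The `podman run -d` command starts before the hunk.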