sharenet/secure_pip_setup.sh
continuist f3f80f2679
Fix PiP setup
2025-09-09 00:03:11 -04:00

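#!/usr/bin/env bash
# Start a "Podman-in-Podman" (PiP) client container for one CI run.
#
# The client container gets no network, no capabilities and a read-only
# root filesystem; it drives the host's rootless Podman through the
# standard per-user UNIX socket, which is bind-mounted at the same path
# inside the container. It runs as the socket owner's uid:gid so the
# socket is usable without root.
#
# Required env:
#   PODMAN_CLIENT_IMG_DIGEST  client image reference pinned by digest
#                             (repo@sha256:<64 hex>) -- a mutable tag is rejected
# Optional env:
#   RUN_ID / GITHUB_RUN_ID    suffix for the container name (default: local)
#   XDG_RUNTIME_DIR           directory holding podman/podman.sock
#   GITHUB_WORKSPACE          mounted read-write at /workspace (default: $PWD)
#   PIP_UID / PIP_GID         override the uid:gid the client runs as
#   PIP_START_TIMEOUT         seconds to wait for the container to be "running" (default: 30)
set -Eeuo pipefail

# Print an error to stderr and exit non-zero (all diagnostics go to stderr so
# the CI log separates them from the two "ready" lines on stdout).
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-local}}"
PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
SOCKET_PATH="${RUNTIME_DIR}/podman/podman.sock" # <- only standard rootless socket
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
START_TIMEOUT="${PIP_START_TIMEOUT:-30}"
[[ "$START_TIMEOUT" =~ ^[0-9]+$ ]] || die "PIP_START_TIMEOUT must be a non-negative integer, got: ${START_TIMEOUT}"

# Required: pinned client image digest.
# Being non-empty is not enough: a tag such as "repo:latest" would silently
# defeat the pin, so insist on the repo@sha256:<hex> form.
PODMAN_CLIENT_IMG_DIGEST="${PODMAN_CLIENT_IMG_DIGEST:-}"
[[ -n "$PODMAN_CLIENT_IMG_DIGEST" ]] || die "PODMAN_CLIENT_IMG_DIGEST is required"
[[ "$PODMAN_CLIENT_IMG_DIGEST" =~ ^[^@[:space:]]+@sha256:[0-9a-f]{64}$ ]] \
  || die "PODMAN_CLIENT_IMG_DIGEST must be an image reference pinned by digest (repo@sha256:<64 hex>), got: ${PODMAN_CLIENT_IMG_DIGEST}"

# Check the socket
[[ -S "$SOCKET_PATH" ]] || {
  printf 'ERROR: Podman UNIX socket not found at %s\n' "$SOCKET_PATH" >&2
  printf 'Fix: sudo -iu ci-service systemctl --user enable --now podman.socket\n' >&2
  exit 1
}

# Match the socket owner uid:gid (don't use 0:0) so the client can open the
# socket without extra privileges.
read -r SOCK_UID SOCK_GID < <(stat -c '%u %g' "$SOCKET_PATH")
PUID="${PIP_UID:-$SOCK_UID}"
PGID="${PIP_GID:-$SOCK_GID}"

# Clean previous container (best effort; a missing container is not an error)
podman rm -f "${PIP_CONTAINER_NAME}" >/dev/null 2>&1 || true

# Start the PiP client: no net, no caps, read-only FS; mount socket dir at same path.
# NOTE(review): anything that can reach the mounted socket can drive the host's
# rootless Podman (start containers, mount that user's files), so the socket
# bind mount is the container's real privilege; the hardening flags only
# limit what the client process can do on its own. --network=none is fine
# because all API traffic goes over the UNIX socket, not TCP.
podman run -d \
  --name "${PIP_CONTAINER_NAME}" \
  --user "${PUID}:${PGID}" \
  -e HOME=/tmp \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --network=none \
  --tmpfs /run:rw,size=64M \
  --tmpfs /tmp:rw,size=256M \
  -v "${RUNTIME_DIR}/podman:${RUNTIME_DIR}/podman:rw" \
  -v "${WORKSPACE}:/workspace:rw" \
  -e CONTAINER_HOST="unix://${SOCKET_PATH}" \
  "${PODMAN_CLIENT_IMG_DIGEST}" \
  sleep infinity

# Health check: poll the container state for up to START_TIMEOUT seconds
# instead of a fixed sleep, and fail fast if the container has already died.
status=""
for (( i = 0; i < START_TIMEOUT; i++ )); do
  status="$(podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' 2>/dev/null || true)"
  case "$status" in
    running)
      break
      ;;
    exited|stopped|dead)
      podman logs "${PIP_CONTAINER_NAME}" >&2 || true
      die "PiP container ${PIP_CONTAINER_NAME} is '${status}' before becoming ready"
      ;;
  esac
  sleep 1
done
[[ "$status" == "running" ]] || {
  podman logs "${PIP_CONTAINER_NAME}" >&2 || true
  die "PiP container failed to start (status: ${status:-unknown}) within ${START_TIMEOUT}s"
}

echo "PiP container ready: ${PIP_CONTAINER_NAME}"
echo "Using socket: ${SOCKET_PATH}"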