sharenet/secure_pip_setup.sh

#!/usr/bin/env bash
set -Eeuo pipefail

RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-local}}"
PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
SOCKET_PATH="${SOCKET_PATH:-${RUNTIME_DIR}/podman-host/podman.sock}"
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
PIP_UID="${PIP_UID:-1000}"
PIP_GID="${PIP_GID:-1000}"

# Require pinned client image digest
PODMAN_CLIENT_IMG_DIGEST="${PODMAN_CLIENT_IMG_DIGEST:-}"
if [[ -z "${PODMAN_CLIENT_IMG_DIGEST}" ]]; then
  echo "ERROR: PODMAN_CLIENT_IMG_DIGEST (e.g., quay.io/podman/stable@sha256:...) is required and must be a digest." >&2
  exit 1
fi

# Clean any previous container for this run
podman rm -f "${PIP_CONTAINER_NAME}" >/dev/null 2>&1 || true

# Verify systemd-managed UNIX socket exists
if [[ ! -S "${SOCKET_PATH}" ]]; then
  echo "ERROR: Podman UNIX socket not found at ${SOCKET_PATH}." >&2
  echo "Start it with: systemctl --user enable --now podman-host-socket.service" >&2
  exit 1
fi

# Tighten socket perms (best-effort)
chmod 660 "${SOCKET_PATH}" >/dev/null 2>&1 || true

# Create ephemeral PiP client (no network, least privilege)
podman run -d \
  --name "${PIP_CONTAINER_NAME}" \
  --user ${PIP_UID}:${PIP_GID} \
  -e HOME=/tmp \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --network=none \
  --tmpfs /run:rw,size=64M \
  --tmpfs /tmp:rw,size=256M \
  -v "${SOCKET_PATH}:/var/run/podman.sock${SELINUX_ZLABEL:-}" \
  -v "${WORKSPACE}:/workspace:rw${SELINUX_ZLABEL:-}" \
  -e CONTAINER_HOST="unix:///var/run/podman.sock" \
  "${PODMAN_CLIENT_IMG_DIGEST}" \
  sleep infinity

# Brief wait and health check
sleep 3
if ! podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running; then
  echo "ERROR: PiP container failed to start" >&2
  podman logs "${PIP_CONTAINER_NAME}" >&2 || true
  exit 1
fi

echo "PiP container ready: ${PIP_CONTAINER_NAME}"