From aa94acc61e0d9ba55ace787740aa24f42ed72bc6 Mon Sep 17 00:00:00 2001
From: Thomas Leplus
Date: Thu, 18 Apr 2024 21:10:28 -0300
Subject: [PATCH] Switching to non-root user

---
 .github/workflows/dockerimage.yml | 3 ---
 .github/workflows/dockerrelease.yml | 2 ++
 .github/workflows/linter.yml | 1 +
 aws-cli/Dockerfile | 19 +++++++++++++++++--
 aws-cli/docker-compose.test.yml | 2 +-
 5 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 4ad815b..79d3c11 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -31,9 +31,6 @@ jobs:
 type=schedule
 type=ref,event=branch
 type=ref,event=pr
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
 type=sha
 - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 if: github.ref == 'refs/heads/main'
diff --git a/.github/workflows/dockerrelease.yml b/.github/workflows/dockerrelease.yml
index 9871678..386c266 100644
--- a/.github/workflows/dockerrelease.yml
+++ b/.github/workflows/dockerrelease.yml
@@ -6,6 +6,8 @@ on:
 types: [published]
 workflow_dispatch:
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 43dc4c0..e4434de 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -62,5 +62,6 @@ jobs:
 uses: super-linter/super-linter@92e2606383320f72e6129f8a50d8537cf9c84ed6 # v6.3.1
 env:
 VALIDATE_ALL_CODEBASE: true
+LINTER_RULES_PATH: .
 DEFAULT_BRANCH: main
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/aws-cli/Dockerfile b/aws-cli/Dockerfile
index 9a6a1ff..94e53d2 100644
--- a/aws-cli/Dockerfile
+++ b/aws-cli/Dockerfile
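Review bot: The three `type=semver,pattern=…` entries are dropped from the metadata-action tags list, which the subject "Switching to non-root user" does not cover and the message does not explain. Presumably release tagging now lives in dockerrelease.yml, but a reader of this commit cannot tell whether losing semver tags on the image build is deliberate or accidental; one line in the commit message, or a separate commit, would settle it. The enclosing `tags:` block and its job start before the hunk.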
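Review bot: `permissions: {}` at workflow level removes every scope from the default token, so the `build` job must now declare its own `permissions:` block (at least `contents: read`, plus `packages: write` if it pushes to GHCR) or the login and push steps that follow will fail. The job body lies outside the hunk, so this cannot be confirmed here; if the job already carries its own permissions, the change is sound hardening and the note can be closed.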
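Review bot: The file still ends without a trailing newline (`\ No newline at end of file` survives on the new side) although the commit edits its last stanza; yamllint, which super-linter runs, reports this under its default `new-line-at-end-of-file` rule, so the linter workflow may flag itself. Add the newline after the `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line. `LINTER_RULES_PATH: .` itself looks fine.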
@@ -1,5 +1,13 @@
 FROM amazon/aws-cli:2.15.37@sha256:0ad4fcf33c409b843d7cd67c7b944936b1ad4ab96ad8d84baf44c8009f6cccb1
+HEALTHCHECK NONE
+
+ENTRYPOINT []
+
+ARG USER_NAME=default
+ARG USER_HOME=/home/default
+ARG USER_ID=1000
+
 # hadolint ignore=DL3033
 RUN yum update -y \
 && yum install -y bash curl git jq make python3-pip tar unzip xmlstarlet zip \
@@ -9,8 +17,15 @@ RUN yum update -y \
 # hadolint ignore=DL3013
 RUN pip3 install --no-cache-dir cfn-policy-validator
-WORKDIR /opt
+RUN adduser \
+ --home-dir "${USER_HOME}" \
+ --uid "${USER_ID}" \
+ "${USER_NAME}"
-ENTRYPOINT []
+ENV HOME "${USER_HOME}"
+
+USER "${USER_NAME}"
+
+WORKDIR /opt
 CMD ["/bin/bash"]
diff --git a/aws-cli/docker-compose.test.yml b/aws-cli/docker-compose.test.yml
index 4d2bb30..44269cb 100644
--- a/aws-cli/docker-compose.test.yml
+++ b/aws-cli/docker-compose.test.yml
@@ -6,4 +6,4 @@ services:
 build:
 context: .
 dockerfile: Dockerfile
- command: aws --version
+ command: "sh -c '[ $(id -u) -ne 0 ] && aws --version'"
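Review bot: `WORKDIR /opt` is now set after `USER "${USER_NAME}"`, but on a standard layout /opt stays root-owned 0755, so the new user starts in a directory it cannot write to; if anything in the container is expected to write to its working directory, either `chown` it in the `adduser` step or use `WORKDIR "${USER_HOME}"`. Two smaller points in the same hunk: `ENV HOME "${USER_HOME}"` uses the legacy space-separated form, where `ENV HOME="${USER_HOME}"` is the recommended syntax, and the `adduser` call relies on the base image creating the home directory by default — if `adduser` is the shadow-utils `useradd` alias common on RHEL-family bases, `--create-home` makes that explicit. The file's first hunk (HEALTHCHECK/ENTRYPOINT/ARG) needs no change.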
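Review bot: `$(id -u)` in the new `command` reaches Compose's own variable interpolation before the shell sees it: Compose treats a bare `$` as the start of a variable reference and, as far as I can tell, rejects `$(` as an invalid interpolation format rather than passing it through. Escaping it as `$$(id -u)` delivers a literal `$` to `sh -c`. The `&&` form is otherwise fine, since a root uid makes `[` exit non-zero and the test container fails as intended.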