actions/runner-container-hooks
1
0
Fork 0
mirror of https://github.com/actions/runner-container-hooks.git synced 2025-12-14 16:46:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9 from actions/nikola-jokic/user-volume-mounts-path

Browse Source 
User volume mount restriction to the work directory mounts if path is absolute
This commit is contained in:
Thomas Boop
2022-06-08 11:15:31 -04:00
committed by GitHub
parent 55761eab39 f764d18c4c
commit 5daaae120b
4 changed files with 60 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
examples/prepare-job.json
View File

@@ -24,37 +24,37 @@
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work",
"targetVolumePath": "/__w", "targetVolumePath": "/__w",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/externals", "sourceVolumePath": "/Users/thomas/git/runner/_layout/externals",
"targetVolumePath": "/__e", "targetVolumePath": "/__e",
"readOnly": true "readOnly": true
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp",
"targetVolumePath": "/__w/_temp", "targetVolumePath": "/__w/_temp",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_actions", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_actions",
"targetVolumePath": "/__w/_actions", "targetVolumePath": "/__w/_actions",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_tool", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_tool",
"targetVolumePath": "/__w/_tool", "targetVolumePath": "/__w/_tool",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_home", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_home",
"targetVolumePath": "/github/home", "targetVolumePath": "/github/home",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_workflow", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
"targetVolumePath": "/github/workflow", "targetVolumePath": "/github/workflow",
"readOnly": false "readOnly": false
} }

12
examples/run-container-step.json
View File

@@ -34,27 +34,27 @@
], ],
"systemMountVolumes": [ "systemMountVolumes": [
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work",
"targetVolumePath": "/__w", "targetVolumePath": "/__w",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/externals", "sourceVolumePath": "/Users/thomas/git/runner/_layout/externals",
"targetVolumePath": "/__e", "targetVolumePath": "/__e",
"readOnly": true "readOnly": true
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp",
"targetVolumePath": "/__w/_temp", "targetVolumePath": "/__w/_temp",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_actions", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_actions",
"targetVolumePath": "/__w/_actions", "targetVolumePath": "/__w/_actions",
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_tool", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_tool",
"targetVolumePath": "/__w/_tool", "targetVolumePath": "/__w/_tool",
"readOnly": false "readOnly": false
}, },
@@ -64,7 +64,7 @@
"readOnly": false "readOnly": false
}, },
{ {
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_workflow", "sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
"targetVolumePath": "/github/workflow", "targetVolumePath": "/github/workflow",
"readOnly": false "readOnly": false
} }

29
packages/k8s/src/k8s/utils.ts
View File

@@ -1,5 +1,6 @@
import * as k8s from '@kubernetes/client-node' import * as k8s from '@kubernetes/client-node'
import { Mount } from 'hooklib' import { Mount } from 'hooklib'
import * as path from 'path'
import { POD_VOLUME_NAME } from './index' import { POD_VOLUME_NAME } from './index'
export const DEFAULT_CONTAINER_ENTRY_POINT_ARGS = [`-f`, `/dev/null`] export const DEFAULT_CONTAINER_ENTRY_POINT_ARGS = [`-f`, `/dev/null`]
@@ -42,18 +43,23 @@ export function containerVolumes(
return mounts return mounts
} }
// TODO: we need to ensure this is a local path under the github workspace or fail/skip const workspacePath = process.env.GITHUB_WORKSPACE as string
// subpath only accepts a local path under the runner workspace
/*
for (const userVolume of userMountVolumes) { for (const userVolume of userMountVolumes) {
const sourceVolumePath = `${ let sourceVolumePath = ''
path.isAbsolute(userVolume.sourceVolumePath) if (path.isAbsolute(userVolume.sourceVolumePath)) {
? userVolume.sourceVolumePath if (!userVolume.sourceVolumePath.startsWith(workspacePath)) {
: path.join( throw new Error(
process.env.GITHUB_WORKSPACE as string, 'Volume mounts outside of the work folder are not supported'
userVolume.sourceVolumePath )
) }
}` // source volume path should be relative path
sourceVolumePath = userVolume.sourceVolumePath.slice(
workspacePath.length + 1
)
} else {
sourceVolumePath = userVolume.sourceVolumePath
}
mounts.push({ mounts.push({
name: POD_VOLUME_NAME, name: POD_VOLUME_NAME,
mountPath: userVolume.targetVolumePath, mountPath: userVolume.targetVolumePath,
@@ -61,7 +67,6 @@ export function containerVolumes(
readOnly: userVolume.readOnly readOnly: userVolume.readOnly
}) })
} }
*/
return mounts return mounts
} }

33
packages/k8s/tests/prepare-job-test.ts
View File

@@ -34,11 +34,38 @@ describe('Prepare job', () => {
prepareJob(prepareJobData.args, prepareJobOutputFilePath) prepareJob(prepareJobData.args, prepareJobOutputFilePath)
).resolves.not.toThrow() ).resolves.not.toThrow()
}) })
/*
it('should generate output file in JSON format', async () => { it('should generate output file in JSON format', async () => {
await prepareJob(prepareJobData.args, prepareJobOutputFilePath) await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
const content = fs.readFileSync(prepareJobOutputFilePath) const content = fs.readFileSync(prepareJobOutputFilePath)
expect(() => JSON.parse(content.toString())).not.toThrow() expect(() => JSON.parse(content.toString())).not.toThrow()
}) */ })
it('should prepare job with absolute path for userVolumeMount', async () => {
prepareJobData.args.container.userMountVolumes.forEach(v => {
if (!path.isAbsolute(v.sourceVolumePath)) {
v.sourceVolumePath = path.join(
process.env.GITHUB_WORKSPACE as string,
v.sourceVolumePath
)
}
})
await expect(
prepareJob(prepareJobData.args, prepareJobOutputFilePath)
).resolves.not.toThrow()
})
it('should throw an exception if the user volume mount is absolute path outside of GITHUB_WORKSPACE', async () => {
prepareJobData.args.container.userMountVolumes.forEach(v => {
if (!path.isAbsolute(v.sourceVolumePath)) {
v.sourceVolumePath = path.join(
'/path/outside/of/github-workspace',
v.sourceVolumePath
)
}
})
await expect(
prepareJob(prepareJobData.args, prepareJobOutputFilePath)
).rejects.toThrow()
})
}) })