Merge pull request #9 from actions/nikola-jokic/user-volume-mounts-path

Restrict user volume mounts to the work directory when the source path is absolute
This commit is contained in:
Thomas Boop
2022-06-08 11:15:31 -04:00
committed by GitHub
4 changed files with 60 additions and 28 deletions


@@ -24,37 +24,37 @@
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work",
"targetVolumePath": "/__w",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/externals",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/externals",
"targetVolumePath": "/__e",
"readOnly": true
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp",
"targetVolumePath": "/__w/_temp",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_actions",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_actions",
"targetVolumePath": "/__w/_actions",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_tool",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_tool",
"targetVolumePath": "/__w/_tool",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_home",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_home",
"targetVolumePath": "/github/home",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
"targetVolumePath": "/github/workflow",
"readOnly": false
}


@@ -34,27 +34,27 @@
],
"systemMountVolumes": [
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work",
"targetVolumePath": "/__w",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/externals",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/externals",
"targetVolumePath": "/__e",
"readOnly": true
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp",
"targetVolumePath": "/__w/_temp",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_actions",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_actions",
"targetVolumePath": "/__w/_actions",
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_tool",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_tool",
"targetVolumePath": "/__w/_tool",
"readOnly": false
},
@@ -64,7 +64,7 @@
"readOnly": false
},
{
"sourceVolumePath": "//Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
"sourceVolumePath": "/Users/thomas/git/runner/_layout/_work/_temp/_github_workflow",
"targetVolumePath": "/github/workflow",
"readOnly": false
}


@@ -1,5 +1,6 @@
import * as k8s from '@kubernetes/client-node'
import { Mount } from 'hooklib'
import * as path from 'path'
import { POD_VOLUME_NAME } from './index'
export const DEFAULT_CONTAINER_ENTRY_POINT_ARGS = [`-f`, `/dev/null`]
@@ -42,18 +43,23 @@ export function containerVolumes(
return mounts
}
// TODO: we need to ensure this is a local path under the github workspace or fail/skip
// subpath only accepts a local path under the runner workspace
/*
const workspacePath = process.env.GITHUB_WORKSPACE as string
for (const userVolume of userMountVolumes) {
const sourceVolumePath = `${
path.isAbsolute(userVolume.sourceVolumePath)
? userVolume.sourceVolumePath
: path.join(
process.env.GITHUB_WORKSPACE as string,
userVolume.sourceVolumePath
let sourceVolumePath = ''
if (path.isAbsolute(userVolume.sourceVolumePath)) {
if (!userVolume.sourceVolumePath.startsWith(workspacePath)) {
throw new Error(
'Volume mounts outside of the work folder are not supported'
)
}`
}
// source volume path should be relative path
sourceVolumePath = userVolume.sourceVolumePath.slice(
workspacePath.length + 1
)
} else {
sourceVolumePath = userVolume.sourceVolumePath
}
mounts.push({
name: POD_VOLUME_NAME,
mountPath: userVolume.targetVolumePath,
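Review bot: The containment check at `if (!userVolume.sourceVolumePath.startsWith(workspacePath))` is a string-prefix test, not a path test: with GITHUB_WORKSPACE set to `/x/_work/repo/repo`, the absolute path `/x/_work/repo/repo-other/secret` passes, and `/x/_work/repo/repo/../../..` passes as well because nothing normalizes `..` segments before the `.slice(workspacePath.length + 1)`, so the derived subPath can point outside the workspace (Kubernetes' own subPath validation may reject `..`, but the hook should not rely on it). The relative branch passes the value through with no check at all, so `../../etc` is accepted there too. Resolving the path against the workspace and testing the `path.relative` result, as below, closes both holes and applies one rule to both branches; an unset `GITHUB_WORKSPACE` should also become an explicit error rather than a TypeError out of `.startsWith`/`.slice`. containerVolumes starts before this hunk and its `mounts.push({ ... })` call continues after it, so the `subPath` this value feeds is not visible here — confirm it is the field being assigned.
```typescript
const workspacePath = process.env.GITHUB_WORKSPACE
if (!workspacePath) {
  throw new Error('GITHUB_WORKSPACE is not set; cannot validate user volume mounts')
}
for (const userVolume of userMountVolumes) {
  // Resolve first so '.'/'..' segments and a sibling directory that merely
  // shares the workspace path as a string prefix are both rejected.
  const absolutePath = path.resolve(workspacePath, userVolume.sourceVolumePath)
  const relativePath = path.relative(workspacePath, absolutePath)
  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
    throw new Error('Volume mounts outside of the work folder are not supported')
  }
  // Always workspace-relative, normalized, for use as the volume subPath.
  const sourceVolumePath = relativePath
  // … unchanged: mounts.push({ name: POD_VOLUME_NAME, mountPath: …, readOnly: … }) …
```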
@@ -61,7 +67,6 @@ export function containerVolumes(
readOnly: userVolume.readOnly
})
}
*/
return mounts
}


@@ -34,11 +34,38 @@ describe('Prepare job', () => {
prepareJob(prepareJobData.args, prepareJobOutputFilePath)
).resolves.not.toThrow()
})
/*
it('should generate output file in JSON format', async () => {
it('should generate output file in JSON format', async () => {
await prepareJob(prepareJobData.args, prepareJobOutputFilePath)
const content = fs.readFileSync(prepareJobOutputFilePath)
expect(() => JSON.parse(content.toString())).not.toThrow()
}) */
})
it('should prepare job with absolute path for userVolumeMount', async () => {
prepareJobData.args.container.userMountVolumes.forEach(v => {
if (!path.isAbsolute(v.sourceVolumePath)) {
v.sourceVolumePath = path.join(
process.env.GITHUB_WORKSPACE as string,
v.sourceVolumePath
)
}
})
await expect(
prepareJob(prepareJobData.args, prepareJobOutputFilePath)
).resolves.not.toThrow()
})
it('should throw an exception if the user volume mount is absolute path outside of GITHUB_WORKSPACE', async () => {
prepareJobData.args.container.userMountVolumes.forEach(v => {
if (!path.isAbsolute(v.sourceVolumePath)) {
v.sourceVolumePath = path.join(
'/path/outside/of/github-workspace',
v.sourceVolumePath
)
}
})
await expect(
prepareJob(prepareJobData.args, prepareJobOutputFilePath)
).rejects.toThrow()
})
})
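Review bot: The new rejection test only covers a path under a completely different root (`/path/outside/of/github-workspace`), so it would not catch the string-prefix weakness of a `startsWith(workspacePath)` check; add `rejects.toThrow()` cases for a sibling directory and for a `..` escape, e.g. `v.sourceVolumePath = path.join(process.env.GITHUB_WORKSPACE + '-other', v.sourceVolumePath)` and `v.sourceVolumePath = path.join(process.env.GITHUB_WORKSPACE as string, '..', '..', v.sourceVolumePath)`. Both new tests mutate `prepareJobData.args.container.userMountVolumes` in place; unless the fixture is re-read in a `beforeEach` that is outside this hunk, the second test inherits the absolute paths written by the first, its `forEach` becomes a no-op, and the order of the `it` blocks is load-bearing — cloning the fixture per test avoids that. `path` is used here without an import visible in this hunk; confirm the test file imports it. The enclosing `describe` opens before this hunk.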