mount gpg keys only for build, run tools as user

deadsnakes · Jan 22, 2024 · 49e17ab · 49e17ab
1 parent 0948380
commit 49e17ab
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 26 deletions.
diff --git a/build b/build
@@ -11,6 +11,24 @@ TOOLS = os.path.join(HERE, 'tools')
 DOCKER_RUN = os.path.join(HERE, 'docker-run')
 
 
+def _gpg_volumes() -> list[str]:
+    def _gpg(f: str, *, home: str = os.path.expanduser('~')) -> str:
+        return os.path.join(home, '.gnupg', f)
+
+    for paths in (
+        ('pubring.kbx', 'private-keys-v1.d'),  # new format
+        # TODO: deadsnakes GHA still uses this
+        ('pubring.gpg', 'secring.gpg'),  # old format
+    ):
+        if all(os.path.exists(_gpg(p)) for p in paths):
+            return [
+                f'--volume={_gpg(p)}:{_gpg(p, home="/root")}:ro'
+                for p in paths
+            ]
+    else:
+        raise AssertionError('no gpg keys found?')
+
+
 def main() -> NoReturn:
     parser = argparse.ArgumentParser()
     parser.add_argument('--source', action='store_true')
@@ -48,6 +66,7 @@ def main() -> NoReturn:
     )
     cmd = (
         DOCKER_RUN,
+        *_gpg_volumes(),
         '-v', f'{pwd}:/code:ro',
         '-v', f'{pwd}/../dist:/dist:rw',
         f'ghcr.io/deadsnakes/{dist}', 'bash', '-euxc', prog,

diff --git a/docker-run b/docker-run
@@ -7,32 +7,10 @@ import sys
 from typing import NoReturn
 
 
-def _git_cfg(s: str) -> str:
-    cmd = ('git', 'config', s)
-    return subprocess.check_output(cmd).decode().strip()
-
-
-def _gpg_volumes() -> list[str]:
-    def _gpg(f: str, *, home: str = os.path.expanduser('~')) -> str:
-        return os.path.join(home, '.gnupg', f)
-
-    for paths in (
-        ('pubring.kbx', 'private-keys-v1.d'),  # new format
-        # TODO: deadsnakes GHA still uses this
-        ('pubring.gpg', 'secring.gpg'),  # old format
-    ):
-        if all(os.path.exists(_gpg(p)) for p in paths):
-            return [
-                f'--volume={_gpg(p)}:{_gpg(p, home="/root")}:ro'
-                for p in paths
-            ]
-    else:
-        raise AssertionError('no gpg keys found?')
-
-
 def main() -> NoReturn:
-    name = _git_cfg('user.name')
-    email = _git_cfg('user.email')
+    cfg = ('git', 'config')
+    name = subprocess.check_output((*cfg, 'user.name')).decode().strip()
+    email = subprocess.check_output((*cfg, 'user.email')).decode().strip()
     interactive = '-ti' if sys.stdin.isatty() else '-i'
 
     cmd = (
@@ -43,7 +21,6 @@ def main() -> NoReturn:
         '--env', f'GIT_COMMITTER_EMAIL={email}',
         '--env', f'DEBFULLNAME={name}',
         '--env', f'DEBEMAIL={email}',
-        *_gpg_volumes(),
         *sys.argv[1:],
     )
     os.execvp(cmd[0], cmd)

diff --git a/tools b/tools
@@ -3,12 +3,20 @@ from __future__ import annotations
 
 import argparse
 import os.path
+import subprocess
 from typing import NoReturn
 
 HERE = os.path.abspath(os.path.dirname(__file__))
 DOCKER_RUN = os.path.join(HERE, 'docker-run')
 
 
+def _user() -> list[str]:
+    ret = ['--user', f'{os.getuid()}:{os.getgid()}']
+    if b'podman' in subprocess.check_output(('docker', 'version')).lower():
+        ret.append('--userns=keep-id')
+    return ret
+
+
 def main() -> NoReturn:
     parser = argparse.ArgumentParser()
     parser.add_argument(
@@ -21,6 +29,7 @@ def main() -> NoReturn:
 
     cmd = (
         DOCKER_RUN,
+        *_user(),
         '--volume', f'{os.getcwd()}:/tmp/src:rw',
         *(f'--volume={volume}' for volume in args.volumes),
         'ghcr.io/deadsnakes/tools', *rest,