fix: thread UID/GID through Docker

When running Git commands inside this Docker container (i.e., commands
that the `version.py` script needs for determining version information),
the Docker build would run into issues like:

```
fatal: detected dubious ownership in repository at '/workspace'
To add an exception for this directory, call:
    git config --global --add safe.directory /workspace
```

This is due to an extra Git check that detects that the Docker user is
not the same one who owns the `.git` directory of this project. After
looking into this, the best solution the internet has to offer is to
thread the current user's UID and GID through the Docker image (i.e.,
the new `builder` user) and then `docker run --user ...`. This both
avoids the Git check but also seems to be considered a best practice in
some circles (?).

Author: abrown

Dockerfile

@@ -3,22 +3,32 @@
 # Here we choose Bionic 18.04.
 FROM ubuntu:bionic
 
+# We want to use the same UID/GID of the external user to avoid permission
+# issues. See the user setup at the end of the file.
+ARG UID=1000
+ARG GID=1000
+
 RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-        ccache \
-        curl \
-        ca-certificates \
-        build-essential \
-        clang \
-        python3 \
-        git \
-        ninja-build \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+  && apt-get install -y --no-install-recommends \
+  ccache \
+  curl \
+  ca-certificates \
+  build-essential \
+  clang \
+  python3 \
+  git \
+  ninja-build \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
 
 RUN curl -sSLO https://github.com/Kitware/CMake/releases/download/v3.25.1/cmake-3.25.1-linux-x86_64.tar.gz \
   && tar xf cmake-3.25.1-linux-x86_64.tar.gz \
   && rm cmake-3.25.1-linux-x86_64.tar.gz \
   && mkdir -p /opt \
   && mv cmake-3.25.1-linux-x86_64 /opt/cmake
 ENV PATH /opt/cmake/bin:$PATH
+
+RUN groupadd -g ${GID} builder && \
+  useradd --create-home --uid ${UID} --gid ${GID} builder
+USER builder
+WORKDIR /workspace

docker_build.sh

@@ -2,8 +2,17 @@
 set -ex
 
 echo "Building the docker image"
-docker build -t wasi-sdk-builder:latest .
+docker build \
+    --build-arg UID=$(id -u) --build-arg GID=$(id -g) \
+    -t wasi-sdk-builder:latest .
 
 echo "Building the package in docker image"
 mkdir -p ~/.ccache
-docker run --rm --user $(id -u):$(id -g) -v "$PWD":/workspace:Z -v ~/.ccache:/root/.ccache:Z -e NINJA_FLAGS=-v --workdir /workspace --tmpfs /tmp:exec wasi-sdk-builder:latest make package LLVM_CMAKE_FLAGS=-DLLVM_CCACHE_BUILD=ON
+docker run --rm \
+    --user $(id -u):$(id -g) \
+    -v "$PWD":/workspace:Z \
+    -v ~/.ccache:/home/builder/.ccache:Z \
+    -e NINJA_FLAGS=-v \
+    --tmpfs /tmp:exec \
+    wasi-sdk-builder:latest \
+    make package LLVM_CMAKE_FLAGS=-DLLVM_CCACHE_BUILD=ON