
Commit a6893f0

committed
fix(ibmcloud): run GitHub Actions runner as non-root user
1 parent 7829062 commit a6893f0

2 files changed

Lines changed: 38 additions & 28 deletions


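--- a/pkg/integrations/github/snippet-linux-ppc64le.sh
+++ b/pkg/integrations/github/snippet-linux-ppc64le.sh
@@ -14,17 +14,22 @@ if [ ! -f /opt/runner-cache/config.sh ]; then
 exit 1
 fi
 
-cd /opt/runner-cache
-export DOTNET_ROOT=/opt/dotnet
-export PATH=$PATH:$DOTNET_ROOT
-
-./config.sh \
---unattended \
---disableupdate \
---ephemeral \
---name "{{ .Name }}" \
---labels "{{ .Labels }}" \
---url "{{ .RepoURL }}" \
---token "{{ .Token }}"
-
-nohup ./run.sh > /var/log/gh-runner.log 2>&1 &
+id -u runner &>/dev/null || useradd -m -s /bin/bash runner
+chown -R runner:runner /opt/runner-cache /opt/dotnet
+
+sudo -u runner bash -c '
+cd /opt/runner-cache
+export DOTNET_ROOT=/opt/dotnet
+export PATH=$PATH:$DOTNET_ROOT
+
+./config.sh \
+--unattended \
+--disableupdate \
+--ephemeral \
+--name "{{ .Name }}" \
+--labels "{{ .Labels }}" \
+--url "{{ .RepoURL }}" \
+--token "{{ .Token }}"
+
+nohup ./run.sh > /tmp/gh-runner.log 2>&1 &
+'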
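Review bot: The rendered `{{ .Name }}`, `{{ .Labels }}`, `{{ .RepoURL }}` and `{{ .Token }}` values now sit inside the single-quoted `bash -c '…'` string, so a `'` in any of them closes the quoting early and the rest of the value is parsed by the outer shell, which still runs as root; the same applies to snippet-linux-s390x.sh. Whether those fields can carry a quote depends on validation outside this hunk, but passing them as positional parameters keeps them out of the script text altogether, as below. The whole script, token included, also becomes the argv of `sudo`, which records the command line in its log by default, so the registration token may end up in the auth log on these images. The enclosing script begins above the hunk, so its shebang and any `set -e` are not visible here.

```shell
sudo -u runner bash -c '
# … unchanged: cd, exports, ./config.sh and its first three flags …
  --name "$1" \
  --labels "$2" \
  --url "$3" \
  --token "$4"
# … unchanged: nohup ./run.sh line …
' _ "{{ .Name }}" "{{ .Labels }}" "{{ .RepoURL }}" "{{ .Token }}"
```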

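--- a/pkg/integrations/github/snippet-linux-s390x.sh
+++ b/pkg/integrations/github/snippet-linux-s390x.sh
@@ -14,17 +14,22 @@ if [ ! -f /opt/runner-cache/config.sh ]; then
 exit 1
 fi
 
-cd /opt/runner-cache
-export DOTNET_ROOT=/opt/dotnet
-export PATH=$PATH:$DOTNET_ROOT
-
-./config.sh \
---unattended \
---disableupdate \
---ephemeral \
---name "{{ .Name }}" \
---labels "{{ .Labels }}" \
---url "{{ .RepoURL }}" \
---token "{{ .Token }}"
-
-nohup ./run.sh > /var/log/gh-runner.log 2>&1 &
+id -u runner &>/dev/null || useradd -m -s /bin/bash runner
+chown -R runner:runner /opt/runner-cache /opt/dotnet
+
+sudo -u runner bash -c '
+cd /opt/runner-cache
+export DOTNET_ROOT=/opt/dotnet
+export PATH=$PATH:$DOTNET_ROOT
+
+./config.sh \
+--unattended \
+--disableupdate \
+--ephemeral \
+--name "{{ .Name }}" \
+--labels "{{ .Labels }}" \
+--url "{{ .RepoURL }}" \
+--token "{{ .Token }}"
+
+nohup ./run.sh > /tmp/gh-runner.log 2>&1 &
+'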
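Review bot: The runner log now goes to the fixed path `/tmp/gh-runner.log` (last command inside the `bash -c` string, identical in snippet-linux-ppc64le.sh), a predictable name in a world-writable directory: another local account can pre-create it, `>` follows an existing symlink unless `fs.protected_symlinks` blocks it, and tmp cleaners may delete it. The log can stay under /var/log if root prepares the file before dropping privileges, e.g. `install -o runner -g runner -m 0640 /dev/null /var/log/gh-runner.log` ahead of the `sudo` line, with `> /var/log/gh-runner.log` kept inside the quoted script. Separately, nothing in the quoted script checks the exit status of `cd` or `./config.sh`, so `run.sh` is started even when registration fails; `|| exit 1` after each would surface that, since an outer `set -e` (not visible here, the script starts above the hunk) would not carry into `bash -c`.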
