feat: add mount-docker-socket option (#749)

Co-authored-by: Michael Kriese <[email protected]>

README.md

@@ -12,6 +12,7 @@ GitHub Action to run Renovate self-hosted.
 - [Options](#options)
   - [`configurationFile`](#configurationfile)
   - [`env-regex`](#env-regex)
+  - [`mount-docker-socket`](#mount-docker-socket)
   - [`token`](#token)
   - [`renovate-image`](#renovate-image)
   - [`renovate-version`](#renovate-version)
@@ -59,6 +60,13 @@ If you want to use this with just the single configuration file, make sure to in
 Allows to configure the regex to define which environment variables are passed to the renovate container.
 See [Passing other environment variables](#passing-other-environment-variables) section for more details.
 
+## `mount-docker-socket`
+
+Default to `false`. If set to `true` the action will mount the Docker socket
+inside the renovate container so that the commands can use Docker. Can be useful
+for `postUpgradeTasks`'s commands. Also add the user inside the renovate
+container to the docker group for socket permissions.
+
 ### `token`
 
 [Generate a personal access token](https://github.com/settings/tokens), with the `repo:public_repo` scope for only public repositories or the `repo` scope for public and private repositories, and add it to _Secrets_ (repository settings) as `RENOVATE_TOKEN`. You can also create a token without a specific scope, which gives read-only access to public repositories, for testing. This token is only used by Renovate, see the [token configuration](https://docs.renovatebot.com/self-hosted-configuration/#token), and gives it access to the repositories. The name of the secret can be anything as long as it matches the argument given to the `token` option.

action.yml

@@ -35,6 +35,12 @@ inputs:
       Renovate docker image name.
       Defaults to `ghcr.io/renovate/renovate`.
     required: false
+  mount-docker-socket:
+    description: |
+      Mount the Docker socket inside the renovate container so that the commands
+      can use Docker. Also add the user inside the renovate container to the
+      docker group for socket permissions.
+    required: false
 runs:
   using: node16
   main: dist/index.js

src/input.ts

@@ -73,6 +73,10 @@ class Input {
     return !!version && version !== '' ? version : null;
   }
 
+  mountDockerSocket(): boolean {
+    return core.getInput('mount-docker-socket') === 'true';
+  }
+
   /**
    * Convert to environment variables.
    *

src/renovate.ts

@@ -5,6 +5,7 @@ import fs from 'fs';
 import path from 'path';
 
 class Renovate {
+  static dockerGroupRegex = /^docker:x:(?<groupId>[1-9][0-9]*):/m;
   private configFileMountDir = '/github-action';
 
   private docker: Docker;
@@ -31,6 +32,13 @@ class Renovate {
       );
     }
 
+    if (this.input.mountDockerSocket()) {
+      dockerArguments.push(
+        '--volume /var/run/docker.sock:/var/run/docker.sock',
+        `--group-add ${this.getDockerGroupId()}`
+      );
+    }
+
     dockerArguments.push('--volume /tmp:/tmp', '--rm', this.docker.image());
 
     const command = `docker run ${dockerArguments.join(' ')}`;
@@ -41,6 +49,32 @@ class Renovate {
     }
   }
 
+  /**
+   * Fetch the host docker group of the GitHub Action runner.
+   *
+   * The Renovate container needs access to this group in order to have the
+   * required permissions on the Docker socket.
+   */
+  private getDockerGroupId(): string {
+    const groupFile = '/etc/group';
+    const groups = fs.readFileSync(groupFile, {
+      encoding: 'utf-8',
+    });
+
+    /**
+     * The group file has `groupname:group-password:GID:username-list` as
+     * structure and we're interested in the `GID` (the group ID).
+     *
+     * Source: https://www.thegeekdiary.com/etcgroup-file-explained/
+     */
+    const match = Renovate.dockerGroupRegex.exec(groups);
+    if (match?.groups?.groupId === undefined) {
+      throw new Error(`Could not find group docker in ${groupFile}`);
+    }
+
+    return match.groups.groupId;
+  }
+
   private validateArguments(): void {
     if (/\s/.test(this.input.token.value)) {
       throw new Error('Token MUST NOT contain whitespace');