From 7c65b94442c74d67c3075f2539486af1d1dc0492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mah=C3=A9?= Date: Fri, 26 May 2023 19:33:35 +0200 Subject: [PATCH] feat: add mount-docker-socket option (#749) Co-authored-by: Michael Kriese --- README.md | 8 ++++++++ action.yml | 6 ++++++ src/input.ts | 4 ++++ src/renovate.ts | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 52 insertions(+) diff --git a/README.md b/README.md index 5e095f78df4..4a024430e32 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ GitHub Action to run Renovate self-hosted. - [Options](#options) - [`configurationFile`](#configurationfile) - [`env-regex`](#env-regex) + - [`mount-docker-socket`](#mount-docker-socket) - [`token`](#token) - [`renovate-image`](#renovate-image) - [`renovate-version`](#renovate-version) @@ -59,6 +60,13 @@ If you want to use this with just the single configuration file, make sure to in Allows to configure the regex to define which environment variables are passed to the renovate container. See [Passing other environment variables](#passing-other-environment-variables) section for more details. +## `mount-docker-socket` + +Default to `false`. If set to `true` the action will mount the Docker socket +inside the renovate container so that the commands can use Docker. Can be useful +for `postUpgradeTasks`'s commands. Also add the user inside the renovate +container to the docker group for socket permissions. + ### `token` [Generate a personal access token](https://github.com/settings/tokens), with the `repo:public_repo` scope for only public repositories or the `repo` scope for public and private repositories, and add it to _Secrets_ (repository settings) as `RENOVATE_TOKEN`. You can also create a token without a specific scope, which gives read-only access to public repositories, for testing. This token is only used by Renovate, see the [token configuration](https://docs.renovatebot.com/self-hosted-configuration/#token), and gives it access to the repositories. The name of the secret can be anything as long as it matches the argument given to the `token` option. diff --git a/action.yml b/action.yml index 35de046d446..111e8b1ea5f 100644 --- a/action.yml +++ b/action.yml @@ -35,6 +35,12 @@ inputs: Renovate docker image name. Defaults to `ghcr.io/renovate/renovate`. required: false + mount-docker-socket: + description: | + Mount the Docker socket inside the renovate container so that the commands + can use Docker. Also add the user inside the renovate container to the + docker group for socket permissions. + required: false runs: using: node16 main: dist/index.js diff --git a/src/input.ts b/src/input.ts index 228bcb906f6..07b13dc33c1 100644 --- a/src/input.ts +++ b/src/input.ts @@ -73,6 +73,10 @@ class Input { return !!version && version !== '' ? version : null; } + mountDockerSocket(): boolean { + return core.getInput('mount-docker-socket') === 'true'; + } + /** * Convert to environment variables. * diff --git a/src/renovate.ts b/src/renovate.ts index 0e897015520..9677c85043a 100644 --- a/src/renovate.ts +++ b/src/renovate.ts @@ -5,6 +5,7 @@ import fs from 'fs'; import path from 'path'; class Renovate { + static dockerGroupRegex = /^docker:x:(?[1-9][0-9]*):/m; private configFileMountDir = '/github-action'; private docker: Docker; @@ -31,6 +32,13 @@ class Renovate { ); } + if (this.input.mountDockerSocket()) { + dockerArguments.push( + '--volume /var/run/docker.sock:/var/run/docker.sock', + `--group-add ${this.getDockerGroupId()}` + ); + } + dockerArguments.push('--volume /tmp:/tmp', '--rm', this.docker.image()); const command = `docker run ${dockerArguments.join(' ')}`; @@ -41,6 +49,32 @@ class Renovate { } } + /** + * Fetch the host docker group of the GitHub Action runner. + * + * The Renovate container needs access to this group in order to have the + * required permissions on the Docker socket. + */ + private getDockerGroupId(): string { + const groupFile = '/etc/group'; + const groups = fs.readFileSync(groupFile, { + encoding: 'utf-8', + }); + + /** + * The group file has `groupname:group-password:GID:username-list` as + * structure and we're interested in the `GID` (the group ID). + * + * Source: https://www.thegeekdiary.com/etcgroup-file-explained/ + */ + const match = Renovate.dockerGroupRegex.exec(groups); + if (match?.groups?.groupId === undefined) { + throw new Error(`Could not find group docker in ${groupFile}`); + } + + return match.groups.groupId; + } + private validateArguments(): void { if (/\s/.test(this.input.token.value)) { throw new Error('Token MUST NOT contain whitespace');