Fix permission issue

.gitignore

@@ -159,4 +159,4 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/

Dockerfile

@@ -1,13 +1,26 @@
 FROM python:3.11-alpine3.17
 
-# Copies your code file from your action repository to the filesystem path `/` of the container
-COPY src/* /
+ENV USER=kustomize-everything
+ENV WORKING_DIR=/action-promote
+
+RUN mkdir -p ${WORKING_DIR}
+
+# Copies your code file from your action repository to the filesystem path `/action-promote` of the container
+COPY src/* ${WORKING_DIR}
 
 RUN apk add --no-cache git bash curl jq github-cli
 
-RUN pip install --no-cache-dir -r /requirements.txt && \
-    poetry config virtualenvs.create false --local && \
-    poetry install
+RUN pip install --no-cache-dir -r ${WORKING_DIR}/requirements.txt && \
+    poetry config virtualenvs.create false --local --directory=${WORKING_DIR} && \
+    poetry install --directory=${WORKING_DIR}
+
+RUN set -eux; \
+  addgroup -g 1000 ${USER}; \
+  adduser -u 1000 -G ${USER} -s /bin/sh -h /home/${USER} -D ${USER}
+
+RUN chown -R ${USER}:${USER} ${WORKING_DIR}
+
+USER ${USER}
 
 # Executes `entrypoint.sh` when the Docker container starts up
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/action-promote/entrypoint.sh"]

action.yml

@@ -147,7 +147,8 @@ runs:
     TARGET_BRANCH: ${{ inputs.target-branch }}
     DEPLOYMENT_DIR: ${{ inputs.working-directory }}
     DRY_RUN: ${{ inputs.dry-run }}
-    KUSTOMIZE_BIN_DIR: /opt/bin
+    KUSTOMIZE_BIN_DIR: /home/kustomize-everything/.bin
+    WORKING_DIR: /action-promote
     KUSTOMIZE_FILENAME: kustomize_v${{ inputs.version }}_linux_amd64.tar.gz
     KUSTOMIZE_SHA256_CHECKSUM: ${{ inputs.sha256-checksum }}
     KUSTOMIZE_VERSION: ${{ inputs.version }}

src/commit-and-pull-request.sh

@@ -174,4 +174,8 @@ echo "deployment-repo-sha=$(git rev-parse HEAD)" >> "${GITHUB_OUTPUT}"
 echo "images=${IMAGES_NAMES}" >> "${GITHUB_OUTPUT}"
 echo "charts=${CHARTS_NAMES}" >> "${GITHUB_OUTPUT}"
 echo "manifest-json=${MANIFEST_JSON}" >> "${GITHUB_OUTPUT}"
-echo "pull-request-url=${PULL_REQUEST_URL}" >> "${GITHUB_OUTPUT}"
+
+if [[ -n "${PULL_REQUEST_URL}" ]]; then
+  echo "pull-request-url=${PULL_REQUEST_URL}" >> "${GITHUB_OUTPUT}"
+fi
+

src/entrypoint.sh

@@ -37,7 +37,7 @@ echo "GITHUB_WORKFLOW_RUN_URL=${GITHUB_WORKFLOW_RUN_URL}" >> "${GITHUB_ENV}"
 #   - KUSTOMIZE_CHECKSUM
 #   - KUSTOMIZE_BIN_DIR
 #   - KUSTOMIZE_FILENAME
-/download-and-checksum.sh
+"${WORKING_DIR}"/download-and-checksum.sh
 PATH="${KUSTOMIZE_BIN_DIR}:${PATH}"
 
 git config --global user.name "${GIT_COMMIT_USER}"
@@ -52,13 +52,15 @@ export DEPLOYMENT_DIR
 
 # If IMAGES is not an empty string or empty array, then we need to promote the images
 if [[ "${IMAGES}" != "[]" || "${CHARTS}" != "[]" ]]; then
-  IMAGES_TO_UPDATE="${IMAGES}" CHARTS_TO_UPDATE="${CHARTS}" poetry run python /promote.py > manifest.json
+  pushd "${WORKING_DIR}" || exit 1
+  IMAGES_TO_UPDATE="${IMAGES}" CHARTS_TO_UPDATE="${CHARTS}" poetry run python promote.py > manifest.json
+  popd
 else
   echo "No images or charts to promote"
-  echo "{}" > manifest.json
+  echo "{}" > "${WORKING_DIR}"/manifest.json
 fi
 
-MANIFEST_JSON="$(jq -c -r '.' manifest.json)"
+MANIFEST_JSON="$(jq -c -r '.' "${WORKING_DIR}"/manifest.json)"
 export MANIFEST_JSON
 
 # Save images json output to GITHUB_OUTPUT
@@ -68,25 +70,25 @@ echo "manifest-json<<$EOF" >> "${GITHUB_OUTPUT}"
 echo "${MANIFEST_JSON}" >> "${GITHUB_OUTPUT}"
 echo "$EOF" >> "${GITHUB_OUTPUT}"
 
-jq -c -r 'keys | join(", ")' < manifest.json | xargs > overlays.txt
-echo "overlays=$(cat overlays.txt)" >> "${GITHUB_OUTPUT}"
-OVERLAY_NAMES="$(cat overlays.txt)"
+jq -c -r 'keys | join(", ")' < "${WORKING_DIR}"/manifest.json | xargs > "${WORKING_DIR}"/overlays.txt
+echo "overlays=$(cat "${WORKING_DIR}"/overlays.txt)" >> "${GITHUB_OUTPUT}"
+OVERLAY_NAMES="$(cat "${WORKING_DIR}"/overlays.txt)"
 export OVERLAY_NAMES
 
-jq -c -r 'keys | join("-") | gsub("/"; "-")' < manifest.json | xargs > overlays-joined.txt
-echo "overlays-joined=$(cat overlays-joined.txt)" >> "${GITHUB_OUTPUT}"
-OVERLAY_NAMES_NO_SLASH="$(cat overlays-joined.txt)"
+jq -c -r 'keys | join("-") | gsub("/"; "-")' < "${WORKING_DIR}"/manifest.json | xargs > "${WORKING_DIR}"/overlays-joined.txt
+echo "overlays-joined=$(cat "${WORKING_DIR}"/overlays-joined.txt)" >> "${GITHUB_OUTPUT}"
+OVERLAY_NAMES_NO_SLASH="$(cat "${WORKING_DIR}"/overlays-joined.txt)"
 export OVERLAY_NAMES_NO_SLASH
 
-jq -c -r '[.[] | .images | map(.name)] | unique | sort | flatten | join(", ")' < manifest.json | xargs > images.txt
-echo "images=$(cat images.txt)" >> "${GITHUB_OUTPUT}"
-IMAGES_NAMES="$(cat images.txt)"
+jq -c -r '[.[] | .images | map(.name)] | unique | sort | flatten | join(", ")' < "${WORKING_DIR}"/manifest.json | xargs > "${WORKING_DIR}"/images.txt
+echo "images=$(cat "${WORKING_DIR}"/images.txt)" >> "${GITHUB_OUTPUT}"
+IMAGES_NAMES="$(cat "${WORKING_DIR}"/images.txt)"
 export IMAGES_NAMES
 
 # shellcheck disable=SC2129
-jq -c -r '[.[] | .charts | map(.name)] | unique | sort | flatten | join(", ")' < manifest.json | xargs > charts.txt
-echo "charts=$(cat charts.txt)" >> "${GITHUB_OUTPUT}"
-CHARTS_NAMES="$(cat charts.txt)"
+jq -c -r '[.[] | .charts | map(.name)] | unique | sort | flatten | join(", ")' < "${WORKING_DIR}"/manifest.json | xargs > "${WORKING_DIR}"/charts.txt
+echo "charts=$(cat "${WORKING_DIR}"/charts.txt)" >> "${GITHUB_OUTPUT}"
+CHARTS_NAMES="$(cat "${WORKING_DIR}"/charts.txt)"
 export CHARTS_NAMES
 
 # Because the parent workflow is the one who has run the `checkout` action,
@@ -102,7 +104,7 @@ if [[ -z "$(git status --porcelain)" ]]; then
 # in the commit message.
 else
   echo "Changes to commit"
-  /commit-and-pull-request.sh
+  "${WORKING_DIR}"/commit-and-pull-request.sh
 fi
 popd