diff --git a/src/docker.ts b/src/docker.ts index ea7a19bc..53354942 100644 --- a/src/docker.ts +++ b/src/docker.ts @@ -1,7 +1,7 @@ class Docker { readonly repository = 'renovate/renovate'; // renovate: datasource=docker depName=renovate/renovate versioning=docker - readonly tag = '19.231.12'; + readonly tag = '19.231.12-slim'; image(): string { return `${this.repository}:${this.tag}`; diff --git a/src/renovate.ts b/src/renovate.ts index c0048cb2..c17712e5 100644 --- a/src/renovate.ts +++ b/src/renovate.ts @@ -20,11 +20,16 @@ class Renovate { } async runDockerContainer(): Promise { + const renovateDockerUser = 'ubuntu'; + const githubActionsDockerGroupId = this.getDockerGroupId(); const commandArguments = [ '--rm', `--env ${this.configFileEnv}=${this.configFileMountPath()}`, `--env ${this.tokenEnv}=${this.token}`, `--volume ${this.configFile}:${this.configFileMountPath()}`, + `--volume /var/run/docker.sock:/var/run/docker.sock`, + `--volume /tmp:/tmp`, + `--user ${renovateDockerUser}:${githubActionsDockerGroupId}`, this.docker.image(), ]; const command = `docker run ${commandArguments.join(' ')}`; @@ -35,6 +40,27 @@ class Renovate { } } + /** + * Fetch the host docker group of the GitHub Action runner. + * + * The Renovate container needs access to this group in order to have the + * required permissions on the Docker socket. + */ + private getDockerGroupId(): string { + const groups = fs.readFileSync('/etc/group', { + encoding: 'utf-8', + }); + + /** + * The group file has `groupname:group-password:GID:username-list` as + * structure and we're interested in the `GID` (the group ID). + * + * Source: https://www.thegeekdiary.com/etcgroup-file-explained/ + */ + const [, group] = /^docker:x:([1-9][0-9]*):$/m.exec(groups); + return group; + } + private validateArguments(): void { if (!fs.existsSync(this.configFile)) { throw new Error(
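Review bot: The new `--volume /var/run/docker.sock:/var/run/docker.sock` line hands the Renovate container control of the host Docker daemon, which on the runner is equivalent to root, and the `--user ${renovateDockerUser}:${githubActionsDockerGroupId}` line below it only scopes the identity inside the container, not what can be done through the socket, so anything Renovate executes (including install hooks of the dependencies it updates) inherits that power. Worth stating inline so the `--user` line is not read as a sandbox: `// NOTE: the docker.sock mount is host-root-equivalent; --user only restricts the in-container identity, it does not confine what the socket allows.` The `/tmp:/tmp` mount presumably exists so that paths Renovate hands to sibling containers resolve on the host; a comment saying so (`// /tmp is shared with the host so volume paths passed to the daemon resolve there`) would also make clear that the runner's /tmp is exposed to the container. Note that `--user ubuntu:…` requires a user named `ubuntu` to exist in the image, otherwise `docker run` fails at start. runDockerContainer continues past the hunk.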
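Review bot: In `getDockerGroupId`, `/^docker:x:([1-9][0-9]*):$/m` only matches a `docker` line with an empty member list, so a group that has members (for example `docker:x:123:runner`, which is how a runner user is commonly granted socket access) does not match, `.exec()` returns `null`, and the destructuring `const [, group] = …` throws a bare TypeError rather than saying the group was not found; this is also why the declared `: string` return only type-checks without `strictNullChecks`. Relax the tail to `:[^:]*$` and fail with an explicit message so the runner shows why the container could not be started. Reading the socket's owning group directly via `fs.statSync('/var/run/docker.sock').gid` would avoid parsing `/etc/group` and keep working if the group is not named `docker`, but that is a larger change than the check below. validateArguments, whose first lines close the hunk, continues outside it.
```typescript
  private getDockerGroupId(): string {
    // … unchanged: read /etc/group into `groups` …
    // Allow a (possibly non-empty) member list after the GID; the group may list users.
    const match = /^docker:x:([1-9][0-9]*):[^:]*$/m.exec(groups);
    if (match === null) {
      throw new Error('Could not find a `docker` group in /etc/group on the runner');
    }
    return match[1];
  }
```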