From d986bc3b3d65355918021d8d491a848e8ff9d13a Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Sat, 8 Jul 2023 15:18:26 +0200
Subject: [PATCH] verify volume restrictions are enforced
---
 .forgejo/workflows/integration.yml | 8 ++++
 testdata/README.txt | 6 +++
 .../workflows/{test.yml => postgresql.yml} | 0
 .../.forgejo/workflows/volume.yml | 38 +++++++++++++++++++
 testdata/example-service/runner-config.yaml | 2 +-
 5 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 testdata/README.txt
 rename testdata/example-service/.forgejo/workflows/{test.yml => postgresql.yml} (100%)
 create mode 100644 testdata/example-service/.forgejo/workflows/volume.yml
diff --git a/.forgejo/workflows/integration.yml b/.forgejo/workflows/integration.yml
index 13e5d2c..d10c0ba 100644
--- a/.forgejo/workflows/integration.yml
+++ b/.forgejo/workflows/integration.yml
@@ -21,13 +21,21 @@ jobs: ./forgejo-runner.sh setup export FORGEJO_RUNNER_LOGS=forgejo-runner.log for example in $TESTS ; do + + if test $example = service ; then + > /srv/example-service-volume-valid + > /srv/example-service-volume-invalid + fi + config=$(pwd)/testdata/example-$example/runner-config.yaml if test -f $config ; then FORGEJO_RUNNER_CONFIG=$config ./forgejo-runner.sh reload fi + echo "============================ BEGIN example-$example ===================" ./forgejo-test-helper.sh run_workflow testdata/example-$example http://root:admin1234@$(cat forgejo-ip):3000 root example-$example setup-forgejo $(cat forgejo-token) echo "============================ END example-$example ===================" + if test -f $config ; then ./forgejo-runner.sh reload fi
diff --git a/testdata/README.txt b/testdata/README.txt
new file mode 100644
index 0000000..fc7d257
--- /dev/null
+++ b/testdata/README.txt
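Review bot: The two marker files created under /srv for the `service` example are never removed, so `/srv/example-service-volume-valid` (which the service container in volume.yml writes to) and `/srv/example-service-volume-invalid` stay on the runner host once the loop has finished. Consider adding `rm -f /srv/example-service-volume-valid /srv/example-service-volume-invalid` after the END echo, and a comment above the new `if` such as `# fixtures for testdata/example-service/.forgejo/workflows/volume.yml; only the -valid path is listed in valid_volumes`. Quoting the variable, `if test "$example" = service ; then`, would also keep the test well-formed if an entry in $TESTS is ever empty. The enclosing run script starts and ends outside this hunk.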
@@ -0,0 +1,6 @@
+Run the tests from source for debugging purposes with:
+
+#
+# runner-config.yaml will be ignored if it does not exist and the default configuration will be used
+#
+forgejo-runner exec --config testdata/example-$service/runner-config.yaml --workflows testdata/example-$service/.forgejo/workflows
diff --git a/testdata/example-service/.forgejo/workflows/test.yml b/testdata/example-service/.forgejo/workflows/postgresql.yml
similarity index 100%
rename from testdata/example-service/.forgejo/workflows/test.yml
rename to testdata/example-service/.forgejo/workflows/postgresql.yml
diff --git a/testdata/example-service/.forgejo/workflows/volume.yml b/testdata/example-service/.forgejo/workflows/volume.yml
new file mode 100644
index 0000000..e3c240e
--- /dev/null
+++ b/testdata/example-service/.forgejo/workflows/volume.yml
@@ -0,0 +1,38 @@
+on: [push]
+
+jobs:
+ #
+ # A --volume option will expose the volume from the docker host to the job
+ #
+ volume-on-step:
+ runs-on: docker
+ container:
+ image: debian:bookworm
+ options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid --volume /srv/example-service-volume-invalid:/srv/example-service-volume-invalid"
+
+ steps:
+ - run: |
+ test -f /srv/example-service-volume-valid
+ ! test -f /srv/example-service-volume-invalid
+
+ #
+ # A --volume option will expose the volume from the docker host to the service
+ #
+ volume-on-service:
+ runs-on: docker
+ container:
+ image: debian:bookworm
+ options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
+
+ services:
+ myservice:
+ image: debian:bookworm
+ options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
+ cmd: ["bash", "-c", "echo -n SUCCESS > /srv/example-service-volume-valid ; sleep infinity"]
+
+ steps:
+ - run: |
+ set -x
+ f=/srv/example-service-volume-valid
+ test -f $f
+ test $(cat $f) = SUCCESS
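Review bot: In `volume-on-step` the negative check `! test -f /srv/example-service-volume-invalid` fails the step only because it is the last command of the script; assuming the step shell runs with errexit, a command negated with `!` is exempt from it, so any line added after it would silently turn the restriction check into a no-op. `test ! -f /srv/example-service-volume-invalid` gives the same result and fails the step wherever it sits. `volume-on-service` requests only the allowed path, so enforcement on the service side is never exercised with a volume outside `valid_volumes`; a service that also requests the `-invalid` volume would close that gap. The last line would be sturdier quoted, as `test "$(cat $f)" = SUCCESS`.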
diff --git a/testdata/example-service/runner-config.yaml b/testdata/example-service/runner-config.yaml
index 770165a..95ea4cb 100644
--- a/testdata/example-service/runner-config.yaml
+++ b/testdata/example-service/runner-config.yaml
@@ -23,7 +23,7 @@ container: privileged: false options: workdir_parent: - valid_volumes: [] + valid_volumes: ["/srv/example-service-volume-valid"] docker_host: "" host:
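Review bot: The new `valid_volumes` entry has no comment tying it to the test that depends on it. A line above it such as `# allowlist exercised by .forgejo/workflows/volume.yml: only the -valid path may be mounted, /srv/example-service-volume-invalid must stay off this list` would make the intent clear to anyone editing the list later. How entries are matched (exact path, prefix or glob) is not visible in this hunk, so it is worth confirming that this entry cannot also match the `-invalid` path. The `container:` mapping starts and ends outside the hunk.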