Merge pull request #20533 from cevich/fix_secret_scanner

[CI:DOCS] Fix secrets scanning GHA Workflow
2023-10-31 14:27:06 +00:00 · 2023-10-31 14:27:06 +00:00 · f5b2cf1b5f
parent 2972f5941f 4c67a6aed2
commit f5b2cf1b5f
2 changed files with 26 additions and 2 deletions
--- a/.github/workflows/scan-secrets.yml
+++ b/.github/workflows/scan-secrets.yml
@ -162,10 +162,21 @@ jobs:
        # gitleaks entrypoint runs as gitleaks user (UID/GID 1000)
        run: |
          set -exuo pipefail
+          # TODO: Workaround podman < v4.3.0 support for `--userns=keep-id:uid=1000,gid=1000`.
+          declare -a workaround_args
+          workaround_args=(\
+            --user 1000:1000
+            --uidmap 0:1:1000
+            --uidmap 1000:0:1
+            --uidmap 1001:1001:64536
+            --gidmap 0:1:1000
+            --gidmap 1000:0:1
+            --gidmap 1001:1001:64536
+          )
          # Careful: Changes need coordination with contrib/cirrus/prebuild.sh
          podman run --rm \
            --security-opt=label=disable \
-            --userns=keep-id:uid=1000,gid=1000 \
+            "${workaround_args[@]}" \
            -v ${{ github.workspace }}/_default:/default:ro \
            -v ${{ github.workspace }}/_subject:/subject:ro \
            -v ${{ github.workspace }}/_report:/report:rw \
--- a/contrib/cirrus/prebuild.sh
+++ b/contrib/cirrus/prebuild.sh
@ -77,12 +77,25 @@ if [[ "${DISTRO_NV}" == "$PRIOR_FEDORA_NAME" ]]; then
    # simply here to...
    msg "Checking GitLeaks functions with current CLI args, configuration, and baseline JSON"

+    # TODO: Workaround for GHA Environment, duplicate here for consistency.
+    # Replace with `--userns=keep-id:uid=1000,gid=1000` w/ newer podman in GHA environment.
+    declare -a workaround_args
+    workaround_args=(\
+      --user 1000:1000
+      --uidmap 0:1:1000
+      --uidmap 1000:0:1
+      --uidmap 1001:1001:64536
+      --gidmap 0:1:1000
+      --gidmap 1000:0:1
+      --gidmap 1001:1001:64536
+    )
+
    brdepth=$(get_env_key 'brdepth')
    glfqin=$(get_env_key 'glfqin')
    glargs=$(get_env_key 'glargs')
    showrun podman run --rm \
        --security-opt=label=disable \
-        --userns=keep-id:uid=1000,gid=1000 \
+        "${workaround_args[@]}" \
        -v $CIRRUS_WORKING_DIR:/subject:ro \
        -v $CIRRUS_WORKING_DIR:/default:ro \
        --tmpfs /report:rw,size=256k,mode=1777 \