Fix the permissions ... twice. Thanks, COPY.

2024-12-18 20:47:54 +00:00 · 2019-04-06 10:00:19 -04:00 · 2019-04-06 10:00:19 -04:00 · 2f8e22f81e
commit 2f8e22f81e
parent a36e70e133
3 changed files with 38 additions and 15 deletions
--- a/.circleci/Dockerfile.debian
+++ b/.circleci/Dockerfile.debian
@ -22,6 +22,8 @@ RUN apt-get --quiet update && \
 # *update* this checkout on each job run, saving us more time per-job.
 COPY . ${BUILD_SRC_ROOT}

+RUN "${BUILD_SRC_ROOT}"/.circleci/fix-permissions.sh "${WHEELHOUSE_PATH}" "${VIRTUALENV_PATH}" "${BUILD_SRC_ROOT}"
+
 RUN "${BUILD_SRC_ROOT}"/.circleci/prepare-image.sh "${WHEELHOUSE_PATH}" "${VIRTUALENV_PATH}" "${BUILD_SRC_ROOT}"

 FROM debian:${TAG}
@ -44,6 +46,8 @@ COPY --from=builder ${VIRTUALENV_PATH} ${VIRTUALENV_PATH}
 COPY --from=builder ${BUILD_SRC_ROOT} ${BUILD_SRC_ROOT}
 COPY --from=builder ${WHEELHOUSE_PATH} ${WHEELHOUSE_PATH}

+RUN "${BUILD_SRC_ROOT}"/.circleci/fix-permissions.sh "${WHEELHOUSE_PATH}" "${VIRTUALENV_PATH}" "${BUILD_SRC_ROOT}"
+
 # Only the integration tests currently need this but it doesn't hurt to always
 # have it present and it's simpler than building a whole extra image just for
 # the integration tests.
--- a/.circleci/fix-permissions.sh
+++ b/.circleci/fix-permissions.sh
@ -0,0 +1,34 @@
+#!/bin/bash
+
+# https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
+set -euxo pipefail
+
+# The filesystem location of the wheelhouse which we'll populate with wheels
+# for all of our dependencies.
+WHEELHOUSE_PATH="$1"
+shift
+
+# The filesystem location of the root of a virtualenv we can use to get/build
+# wheels.
+BOOTSTRAP_VENV="$1"
+shift
+
+# The filesystem location of the root of the project source.  We need this to
+# know what wheels to get/build, of course.
+PROJECT_ROOT="$1"
+shift
+
+# Most stuff is going to run as nobody.  Here's a helper to make sure nobody
+# can access necessary files.
+CHOWN_NOBODY="chown --recursive nobody:$(id --group nobody)"
+
+# Avoid the /nonexistent home directory in nobody's /etc/passwd entry.
+usermod --home /tmp/nobody nobody
+
+# Grant read access to nobody, the user which will eventually try to test this
+# checkout.
+${CHOWN_NOBODY} "${PROJECT_ROOT}"
+
+# Create a place for some wheels to live.
+mkdir -p "${WHEELHOUSE_PATH}"
+${CHOWN_NOBODY} "${WHEELHOUSE_PATH}"
--- a/.circleci/prepare-image.sh
+++ b/.circleci/prepare-image.sh
@ -18,20 +18,5 @@ shift
 PROJECT_ROOT="$1"
 shift

-# Most stuff is going to run as nobody.  Here's a helper to make sure nobody
-# can access necessary files.
-CHOWN_NOBODY="chown --recursive nobody:$(id --group nobody)"
-
-# Avoid the /nonexistent home directory in nobody's /etc/passwd entry.
-usermod --home /tmp/nobody nobody
-
-# Grant read access to nobody, the user which will eventually try to test this
-# checkout.
-${CHOWN_NOBODY} "${PROJECT_ROOT}"
-
-# Create a place for some wheels to live.
-mkdir "${WHEELHOUSE_PATH}"
-${CHOWN_NOBODY} "${WHEELHOUSE_PATH}"
-
 sudo --set-home -u nobody "${PROJECT_ROOT}"/.circleci/create-virtualenv.sh "${WHEELHOUSE_PATH}" "${BOOTSTRAP_VENV}"
 sudo --set-home -u nobody "${PROJECT_ROOT}"/.circleci/populate-wheelhouse.sh "${WHEELHOUSE_PATH}" "${BOOTSTRAP_VENV}" "${PROJECT_ROOT}"