Merge pull request #1505 from JamieMagee/jamiemagee/update-ca-certificates-root

Run `update-ca-certificates` as `root`

Author: markhallen

__tests__/helpers.ts

@@ -21,6 +21,9 @@ export const removeDanglingUpdaterContainers = async (): Promise<void> => {
     }
   }
 
+  // Wait a bit for network endpoints to be properly disconnected
+  await new Promise(resolve => setTimeout(resolve, 1000))
+
   await docker.pruneNetworks()
   await docker.pruneContainers()
 }

__tests__/updater-builder-integration.test.ts

@@ -41,7 +41,7 @@ integration('UpdaterBuilder', () => {
     await ImageService.pull(PROXY_IMAGE_NAME)
     await ImageService.pull(updaterImageName('bundler'))
 
-    fs.mkdirSync(workingDirectory)
+    fs.mkdirSync(workingDirectory, {recursive: true})
   })
 
   afterEach(async () => {

dist/main/index.js

@@ -35,31 +35,101 @@ export const ContainerService = {
 
   async run(container: Container): Promise<boolean> {
     try {
-      const stream = await container.attach({
-        stream: true,
-        stdout: true,
-        stderr: true
-      })
+      // Start the container
+      await container.start()
+      core.info(`Started container ${container.id}`)
+
+      // Check if this is a dependabot container (has the expected structure)
+      const containerInfo = await container.inspect()
+      const isDependabotContainer = containerInfo.Config?.Env?.some(env =>
+        env.startsWith('DEPENDABOT_JOB_ID=')
+      )
+
+      if (isDependabotContainer) {
+        // For dependabot containers, run CA certificates update as root first
+        await this.execCommand(
+          container,
+          ['/usr/sbin/update-ca-certificates'],
+          'root'
+        )
+
+        // Then run the dependabot commands as dependabot user
+        const dependabotCommands = [
+          'mkdir -p /home/dependabot/dependabot-updater/output',
+          '$DEPENDABOT_HOME/dependabot-updater/bin/run fetch_files',
+          '$DEPENDABOT_HOME/dependabot-updater/bin/run update_files'
+        ]
+
+        for (const cmd of dependabotCommands) {
+          await this.execCommand(
+            container,
+            ['/bin/sh', '-c', cmd],
+            'dependabot'
+          )
+        }
+      } else {
+        // For test containers and other containers, just wait for completion
+        const outcome = await container.wait()
+        if (outcome.StatusCode !== 0) {
+          throw new Error(`Container exited with code ${outcome.StatusCode}`)
+        }
+      }
+
+      return true
+    } catch (error) {
+      core.info(`Failure running container ${container.id}: ${error}`)
+      throw new ContainerRuntimeError(
+        'The updater encountered one or more errors.'
+      )
+    } finally {
+      try {
+        await container.remove({v: true, force: true})
+        core.info(`Cleaned up container ${container.id}`)
+      } catch (error) {
+        core.info(`Failed to clean up container ${container.id}: ${error}`)
+      }
+    }
+  },
+
+  async execCommand(
+    container: Container,
+    cmd: string[],
+    user: string
+  ): Promise<void> {
+    const exec = await container.exec({
+      Cmd: cmd,
+      User: user,
+      AttachStdout: true,
+      AttachStderr: true
+    })
+
+    const stream = await exec.start({})
+
+    // Wait for the stream to end
+    await new Promise<void>((resolve, reject) => {
       container.modem.demuxStream(
         stream,
         outStream('updater'),
         errStream('updater')
       )
 
-      await container.start()
-      const outcome = await container.wait()
+      stream.on('end', () => {
+        resolve()
+      })
 
-      if (outcome.StatusCode === 0) {
-        return true
-      } else {
-        core.info(`Failure running container ${container.id}`)
-        throw new ContainerRuntimeError(
-          'The updater encountered one or more errors.'
-        )
-      }
-    } finally {
-      await container.remove({v: true})
-      core.info(`Cleaned up container ${container.id}`)
+      stream.on('error', error => {
+        reject(error)
+      })
+    })
+
+    // Wait a bit for the exec to complete properly
+    await new Promise(resolve => setTimeout(resolve, 100))
+
+    const inspection = await exec.inspect()
+    if (inspection.ExitCode !== 0) {
+      throw new Error(
+        `Command failed with exit code ${inspection.ExitCode}: ${cmd.join(' ')}`
+      )
     }
   }
 }

dist/main/index.js.map

@@ -26,17 +26,13 @@ export class UpdaterBuilder {
   ) {}
 
   async run(containerName: string): Promise<Container> {
-    const cmd = `/usr/sbin/update-ca-certificates &&\
-       mkdir -p ${JOB_OUTPUT_PATH} &&\
-       $DEPENDABOT_HOME/dependabot-updater/bin/run fetch_files &&\
-       $DEPENDABOT_HOME/dependabot-updater/bin/run update_files`
-
     const proxyUrl = await this.proxy.url()
     const container = await this.docker.createContainer({
       Image: this.updaterImage,
       name: containerName,
       AttachStdout: true,
       AttachStderr: true,
+      User: 'dependabot',
       Env: [
         `GITHUB_ACTIONS=${process.env.GITHUB_ACTIONS}`,
         `DEPENDABOT_JOB_ID=${this.jobParams.jobId}`,
@@ -56,7 +52,8 @@ export class UpdaterBuilder {
           process.env.DEPENDABOT_ENABLE_CONNECTIVITY_CHECK || '1'
         }`
       ],
-      Cmd: ['sh', '-c', cmd],
+      Cmd: ['/bin/sh'],
+      Tty: true,
       HostConfig: {
         Memory: UPDATER_MAX_MEMORY,
         NetworkMode: this.proxy.networkName