Avoid using sudo if on happy path

image/DinD.Dockerfile

@@ -83,6 +83,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
   echo "#################################################"
   addgroup --gid 1000 act
   adduser --uid 1000 --ingroup act --home /data --shell /bin/bash --disabled-password --gecos "" act
+  adduser act users
   adduser act sudo
   echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 

image/Dockerfile

@@ -83,6 +83,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
   echo "#################################################"
   addgroup --gid 1000 act
   adduser --uid 1000 --ingroup act --home /data --shell /bin/bash --disabled-password --gecos "" act
+  adduser act users
   adduser act sudo
   echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 

image/run.sh

@@ -7,9 +7,10 @@
 #
 source /opt/bash-init.sh
 
-#################################################
+#################################################################
 # print header
-#################################################
+#################################################################
+if [[ ${1:-} == "" ]]; then
   cat <<'EOF'
    _____ _ _                            _     _____
   / ____(_) |                 /\       | |   |  __ \
@@ -26,5 +27,44 @@ log INFO "Timezone is $(date +"%Z %z")"
   log INFO "Hostname: $(hostname -f)"
   log INFO "IP Addresses: "
   awk '/32 host/ { if(uniq[ip]++ && ip != "127.0.0.1") print " - " ip } {ip=$2}' /proc/net/fib_trie
+fi
 
+
+#################################################################
+# start docker deamon (if installed = DinD)
+#################################################################
+if [[ -f /usr/bin/dockerd ]]; then
+  [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
+  log INFO "Starting docker engine..."
+  sudo service docker start
+  while [[ ! -e /var/run/docker.sock ]]; do sleep 2; done
+fi
+
+
+#################################################################
+# check if act user UID/GID needs adjustment
+#################################################################
+fixids=false
+if [ -n "${GITEA_RUNNER_UID:-}" ]; then
+  effective_uid=$(id -u act)
+  if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
+    fixids=true
+  fi
+fi
+
+if [ -n "${GITEA_RUNNER_GID:-}" ]; then
+  effective_gid=$(id -g act)
+  if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
+    fixids=true
+  fi
+fi
+
+
+#################################################################
+# adjust act user UID/GID if required
+#################################################################
+if [[ $fixids == "true" ]]; then
   exec sudo -E bash /opt/run_fixids.sh
+else
+  bash /opt/run_runner.sh
+fi

image/run_fixids.sh

@@ -13,6 +13,7 @@ source /opt/bash-init.sh
 if [ -n "${GITEA_RUNNER_UID:-}" ]; then
   effective_uid=$(id -u act)
   if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
+    [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
     log INFO "Changing UID of user [act] from $effective_uid to $GITEA_RUNNER_UID..."
     usermod -o -u "$GITEA_RUNNER_UID" act
   fi
@@ -21,31 +22,13 @@ fi
 if [ -n "${GITEA_RUNNER_GID:-}" ]; then
   effective_gid=$(id -g act)
   if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
+    [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
     log INFO "Changing GID of user [act] from $effective_gid to $GITEA_RUNNER_GID..."
     groupmod -o -g "$GITEA_RUNNER_GID" act
   fi
 fi
 chown -R act:act /data
 
-if [[ -f /usr/bin/dockerd ]]; then
-  log INFO "Starting docker engine..."
-  service docker start
-  while [[ ! -e /var/run/docker.sock ]]; do sleep 2; done
-fi
-
-docker_group=$(stat -c '%G' /var/run/docker.sock)
-if [[ $docker_group == "UNKNOWN" ]]; then
-  docker_gid=$(stat -c '%g' /var/run/docker.sock)
-  docker_group="docker$docker_gid"
-  log INFO "Creating group [$docker_group]..."
-  addgroup --gid $docker_gid $docker_group
-fi
-
-if ! id -nG act | grep -qw "$docker_group"; then
-  log INFO "Adding user [act] to group [$docker_group]..."
-  usermod -aG $docker_group act
-fi
-
 
 #################################################################
 # Launch the runner with adjusted UID/GID

image/run_runner.sh

@@ -11,6 +11,26 @@ log INFO "Effective user: $(id)"
 
 cd /data
 
+
+#################################################################
+# ensure act user has read/write access to /var/run/docker.sock
+#################################################################
+if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
+  docker_group=$(stat -c '%G' /var/run/docker.sock)
+  if [[ $docker_group == "UNKNOWN" ]]; then
+    docker_gid=$(stat -c '%g' /var/run/docker.sock)
+    docker_group="docker$docker_gid"
+    log INFO "Creating group [$docker_group]..."
+    sudo addgroup --gid $docker_gid $docker_group
+  fi
+
+  if ! id -nG act | grep -qw "$docker_group"; then
+    log INFO "Adding user [act] to docker group [$(getent group $docker_group)]..."
+    sudo usermod -aG $docker_group act
+  fi
+fi
+
+
 #################################################
 # load custom init script if specified
 #################################################