refactor permission fixing

image/fix_permissions.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
+# SPDX-FileContributor: Sebastian Thomschke
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
+#
+source /opt/bash-init.sh
+
+act_user=act
+
+#################################################################
+# Adjust UID/GID and file permissions based on env var config
+#################################################################
+if [ -n "${GITEA_RUNNER_UID:-}" ]; then
+  effective_uid=$(id -u $act_user)
+  if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
+    log INFO "Changing UID of user [$act_user] from $effective_uid to $GITEA_RUNNER_UID..."
+    usermod -o -u "$GITEA_RUNNER_UID" $act_user
+  fi
+fi
+
+if [ -n "${GITEA_RUNNER_GID:-}" ]; then
+  effective_gid=$(id -g $act_user)
+  if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
+    log INFO "Changing GID of user [$act_user] from $effective_gid to $GITEA_RUNNER_GID..."
+    groupmod -o -g "$GITEA_RUNNER_GID" $act_user
+  fi
+fi
+
+
+#################################################################
+# ensure act user has read/write access to /var/run/docker.sock
+#################################################################
+if [[ $DOCKER_MODE != "dind-rootless" ]]; then
+  docker_sock=/var/run/docker.sock
+  if runuser -u $act_user -- [ ! -r $docker_sock ] || runuser -u $act_user -- [ ! -w $docker_sock ]; then
+    docker_group=$(stat -c '%G' $docker_sock)
+    if [[ $docker_group == "UNKNOWN" ]]; then
+      docker_gid=$(stat -c '%g' $docker_sock)
+      docker_group="docker$docker_gid"
+      log INFO "Creating group [$docker_group]..."
+      addgroup --gid $docker_gid $docker_group
+    fi
+
+    if ! id -nG $act_user | grep -qw "$docker_group"; then
+      log INFO "Adding user [$act_user] to docker group [$(getent group $docker_group)]..."
+      usermod -aG $docker_group $act_user
+    fi
+  fi
+fi
+
+
+#################################################################
+# Launch the runner via act user with adjusted UID/GID/group membership
+#################################################################
+exec sudo -u $act_user -g $act_user -E bash /opt/run_runner.sh

image/run.sh

@@ -80,18 +80,36 @@ fi
 #################################################################
 # check if act user UID/GID needs adjustment
 #################################################################
-fixids=false
+fix_permissions=false
 if [ -n "${GITEA_RUNNER_UID:-}" ]; then
   effective_uid=$(id -u act)
   if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
-    fixids=true
+    fix_permissions=true
   fi
 fi
 
 if [ -n "${GITEA_RUNNER_GID:-}" ]; then
   effective_gid=$(id -g act)
   if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
-    fixids=true
+    fix_permissions=true
+  fi
+fi
+
+#################################################################
+# check if act user has read/write access to /var/run/docker.sock
+#################################################################
+if [[ $DOCKER_MODE != "dind-rootless" ]]; then
+  if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
+    docker_group=$(stat -c '%G' /var/run/docker.sock)
+    if [[ $docker_group == "UNKNOWN" ]]; then
+      docker_gid=$(stat -c '%g' /var/run/docker.sock)
+      docker_group="docker$docker_gid"
+      fix_permissions=true
+    fi
+
+    if ! id -nG act | grep -qw "$docker_group"; then
+      fix_permissions=true
+    fi
   fi
 fi
 
@@ -99,8 +117,9 @@ fi
 #################################################################
 # adjust act user UID/GID if required
 #################################################################
-if [[ $fixids == "true" ]]; then
-  exec sudo -E bash /opt/run_fixids.sh
+if [[ $fix_permissions == "true" ]]; then
+  log INFO "Fixing permissions..."
+  exec sudo -E bash /opt/fix_permissions.sh
 else
   exec bash /opt/run_runner.sh
 fi

image/run_fixids.sh

@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-#
-# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
-# SPDX-FileContributor: Sebastian Thomschke
-# SPDX-License-Identifier: Apache-2.0
-# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
-#
-source /opt/bash-init.sh
-
-#################################################################
-# Adjust UID/GID and file permissions based on env var config
-#################################################################
-if [ -n "${GITEA_RUNNER_UID:-}" ]; then
-  effective_uid=$(id -u act)
-  if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
-    [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
-    log INFO "Changing UID of user [act] from $effective_uid to $GITEA_RUNNER_UID..."
-    usermod -o -u "$GITEA_RUNNER_UID" act
-  fi
-fi
-
-if [ -n "${GITEA_RUNNER_GID:-}" ]; then
-  effective_gid=$(id -g act)
-  if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
-    [[ $EUID -eq 0 ]] || sudo -E bash ${BASH_SOURCE[0]}
-    log INFO "Changing GID of user [act] from $effective_gid to $GITEA_RUNNER_GID..."
-    groupmod -o -g "$GITEA_RUNNER_GID" act
-  fi
-fi
-chown -R act:act /data
-
-
-#################################################################
-# Launch the runner with adjusted UID/GID
-#################################################################
-exec sudo -u act -g act -E bash /opt/run_runner.sh

image/run_runner.sh

@@ -12,27 +12,6 @@ log INFO "Effective user: $(id)"
 cd /data
 
 
-#################################################################
-# ensure act user has read/write access to /var/run/docker.sock
-#################################################################
-if [[ $DOCKER_MODE != "dind-rootless" ]]; then
-  if [[ ! -w /var/run/docker.sock || ! -r /var/run/docker.sock ]]; then
-    docker_group=$(stat -c '%G' /var/run/docker.sock)
-    if [[ $docker_group == "UNKNOWN" ]]; then
-      docker_gid=$(stat -c '%g' /var/run/docker.sock)
-      docker_group="docker$docker_gid"
-      log INFO "Creating group [$docker_group]..."
-      sudo addgroup --gid $docker_gid $docker_group
-    fi
-
-    if ! id -nG act | grep -qw "$docker_group"; then
-      log INFO "Adding user [act] to docker group [$(getent group $docker_group)]..."
-      sudo usermod -aG $docker_group act
-    fi
-  fi
-fi
-
-
 #################################################
 # load custom init script if specified
 #################################################