Use alpine container to chown MongoDB keyfile to 999:999

microbiomedata · Mar 5, 2025 · 0b9a495 · 0b9a495
1 parent 70a089b
commit 0b9a495
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -52,16 +52,23 @@ jobs:
     #       You can verify this by looking at the Dockerfile layers on Docker Hub.
     #       Reference: https://hub.docker.com/layers/library/mongo/8.0.5/images/sha256-90bf5066fed8a3cd59345d963922bc5cb557d4b4b2a0e38dfd9ee299c405741b
     #
-    # Note: Since, by default, the GHA Runner does not have a user whose UID is 999,
-    #       we created one there first (otherwise, we couldn't `chown` to that UID).
-    #       Note that the GHA Runner _does_, by default, have a group whose GID is 999.
+    # Note: Since the GHA Runner will not allow me to `chown` the file to `999:999`,
+    #       I use a Docker container to (effectively) to it.
     #       Reference: https://man7.org/linux/man-pages/man8/useradd.8.html
     #
     - name: Restrict access to MongoDB keyfile
       run: |
-        useradd -g 999 -u 999 temp_mongodb_user
-        chown 999:999 ./mongoKeyFile
-        chmod 600     ./mongoKeyFile
+        stat ./mongoKeyFile
+        mkdir -p _tmp
+        docker run --rm \
+          -v $(pwd)/mongoKeyFile:/originalFile \
+          -v $(pwd)/_tmp:/results \
+          alpine \
+          sh -c 'cp /originalFile /results/mongoKeyFile && chown 999:999 /results/mongoKeyFile'
+        mv _tmp/mongoKeyFile ./mongoKeyFile
+        rmdir _tmp
+        chmod 600 ./mongoKeyFile
+        stat ./mongoKeyFile
     - name: Set up Python 3.10
       uses: actions/setup-python@v4
       with: