From d7fb78dd2f0a495a8b9ac43b7790f26e998fe7c8 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Fri, 15 Mar 2024 11:48:01 -0400
Subject: [PATCH] Run tests as not-root

Better mimics the Qubes VM environment. I didn't set up
passwordless-sudo (like Qubes) since it isn't needed right now.
---
 .github/workflows/test.yml | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d29e7c61f..2388a9cc4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -32,8 +32,12 @@ jobs:
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make gnupg
+          apt-get update && apt-get install --yes git make gnupg sudo
       - uses: actions/checkout@v4
+      - name: Setup user
+        run: |
+          # We want to run tests as a regular user, similar to Qubes VMs
+          useradd --create-home --shell /bin/bash user
       - name: Install dependencies
         run: |
           source /etc/os-release
@@ -48,10 +52,11 @@ jobs:
               echo "Unsupported Debian version: $VERSION_CODENAME"
               exit 1
           fi
-          poetry -C ${{ matrix.component }} install
+          sudo -u user poetry -C ${{ matrix.component }} install
       - name: Run test
         run: |
-          make -C ${{ matrix.component }} test
+          sudo chown -R user:user .
+          sudo -u user make -C ${{ matrix.component }} test
 
   # Run the various `make test-...` commands for the client.
   # TODO: these should be consolidated into one when feasible
@@ -70,8 +75,12 @@ jobs:
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make gnupg
+          apt-get update && apt-get install --yes git make gnupg sudo
       - uses: actions/checkout@v4
+      - name: Setup user
+        run: |
+          # We want to run tests as a regular user, similar to Qubes VMs
+          useradd --create-home --shell /bin/bash user
       - name: Install dependencies
         run: |
           source /etc/os-release
@@ -86,11 +95,12 @@ jobs:
               echo "Unsupported Debian version: $VERSION_CODENAME"
               exit 1
           fi
-          poetry -C client install
           make -C client ci-install-deps
+          sudo -u user poetry -C client install
       - name: Run test
         run: |
-          make -C client ${{ matrix.command }}
+          sudo chown -R user:user .
+          sudo -u user make -C client ${{ matrix.command }}
 
   # Run the client i18n/l10n checks.
   internationalization: