[Github][CI] Add default gha user for tooling containers

[vbvictor]

This should probably solve

llvm-project/.github/workflows/pr-code-format.yml

Lines 28 to 34 in c0073a9

	# We need to set the repo checkout as safe, otherwise tj-actions/changed-files
	# will fail due to the changed ownership inside the container.
	# TODO(boomanaiden154): We should probably fix this by having the default user
	# in the container have the same ID as the GHA user on the host.
	- name: Set Safe Directory
	run: |
	chown -R root $(pwd)

[llvmbot]

@llvm/pr-subscribers-clang-tidy
@llvm/pr-subscribers-clang-tools-extra

@llvm/pr-subscribers-github-workflow

Author: Baranov Victor (vbvictor)

Changes

This should probably solve

llvm-project/.github/workflows/pr-code-format.yml

Lines 28 to 34 in c0073a9

	# We need to set the repo checkout as safe, otherwise tj-actions/changed-files
	# will fail due to the changed ownership inside the container.
	# TODO(boomanaiden154): We should probably fix this by having the default user
	# in the container have the same ID as the GHA user on the host.
	- name: Set Safe Directory
	run: |
	chown -R root $(pwd)

---

Full diff: https://github.com/llvm/llvm-project/pull/164294.diff

1 Files Affected:

• (modified) .github/workflows/containers/github-action-ci-tooling/Dockerfile (+9)

diff --git a/.github/workflows/containers/github-action-ci-tooling/Dockerfile b/.github/workflows/containers/github-action-ci-tooling/Dockerfile
index 9d2aaf6bbd48a..4135ae839cd47 100644
--- a/.github/workflows/containers/github-action-ci-tooling/Dockerfile
+++ b/.github/workflows/containers/github-action-ci-tooling/Dockerfile
@@ -37,6 +37,11 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+# Create a new user with id 1001 as that is the user id that
+# Github Actions uses to perform the checkout action.
+RUN useradd gha -u 1001 -m -s /bin/bash
+RUN adduser gha sudo
+RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 
 FROM base AS ci-container-code-format
 ARG LLVM_VERSION
@@ -51,6 +56,8 @@ ENV PATH=${LLVM_SYSROOT}/bin:${PATH}
 COPY llvm/utils/git/requirements_formatting.txt requirements_formatting.txt
 RUN pip install -r requirements_formatting.txt --break-system-packages && \
     rm requirements_formatting.txt
+USER gha
+WORKDIR /home/gha
 
 
 FROM base AS ci-container-code-lint
@@ -80,3 +87,5 @@ RUN apt-get update && \
 COPY llvm/utils/git/requirements_linting.txt requirements_linting.txt
 RUN pip install -r requirements_linting.txt --break-system-packages && \
     rm requirements_linting.txt
+USER gha
+WORKDIR /home/gha

[boomanaiden154]

Instead of "probably", can we actually test this? Shouldn't be difficult to push this to GHCR and run a test job with workflow modifications.

[vbvictor]

Shouldn't be difficult to push this to GHCR and run a test job with workflow modifications

Hmm, I didn't know I can push locally build images to GitHub. I'll check

[github-actions]

✅ With the latest revision this PR passed the Python code formatter.

[github-actions]

✅ With the latest revision this PR passed the C/C++ code formatter.

[vbvictor]

Thank you for suggestion, I build container from this branch locally and tested - it worked. Will delete it from Github once merged

[boomanaiden154]

Will delete it from Github once merged

Not sure you need to do that. It's just another tag among all the others in there.

[boomanaiden154]

LGTM. Thanks for fixing this up.