Modify uid/gid at run-time

Author: kateinoigakukun

.github/workflows/build.yml

@@ -163,7 +163,7 @@ jobs:
         run: rake ${{ matrix.entry.prerelease }}[${{ inputs.prerel_name }}]
         if: ${{ inputs.prerel_name != '' && matrix.entry.prerelease != '' }}
       - name: rake ${{ matrix.entry.task }}
-        run: docker run -v "$GITHUB_WORKSPACE:/home/me/build" -w /home/me/build -e "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" sha256:$BUILDER_IMAGE_ID rake ${{ matrix.entry.task }}
+        run: docker run -v "$GITHUB_WORKSPACE:/home/me/build" -w /home/me/build -e "RUBYWASM_UID=$(id -u)" -e "RUBYWASM_GID=$(id -g)" -e "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" sha256:$BUILDER_IMAGE_ID rake ${{ matrix.entry.task }}
       - name: rake ${{ matrix.entry.test }}
         run: rake ${{ matrix.entry.test }}
         if: ${{ matrix.entry.test != '' }}

builders/wasm32-unknown-emscripten/Dockerfile

@@ -2,14 +2,16 @@ FROM emscripten/emsdk:2.0.13
 
 RUN set -eux; \
   apt-get update; \
-  apt-get install ruby bison make autoconf git curl build-essential libyaml-dev zlib1g-dev -y; \
+  apt-get install ruby bison make autoconf git curl build-essential libyaml-dev zlib1g-dev gosu -y; \
   curl -fsSL https://deb.nodesource.com/setup_16.x | bash -; \
   apt-get install nodejs -y; \
   apt-get clean; \
   rm -r /var/lib/apt/lists/*
 
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 # Build with non-root user because `@npmcli/promise-spawn` sets `uid` and `gid` to cwd owner when the current user is root.
 # This permission demotion results in EACCES error at reading `$HOME/.node_modules` in `resolve` package, which is used by `@rollup/plugin-node-resolve`.
 # * https://github.com/npm/cli/blob/32336f6efe06bd52de1dc67c0f812d4705533ef2/node_modules/%40npmcli/promise-spawn/lib/index.js#L13
-RUN groupadd -r me && useradd -g me me && mkdir -p /home/me && chown me:me /home/me
-USER me
+RUN adduser --disabled-password --gecos '' me

builders/wasm32-unknown-emscripten/entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+[ ! -z "${RUBYWASM_UID+x}" ] && usermod --uid "$RUBYWASM_UID" --non-unique me
+[ ! -z "${RUBYWASM_GID+x}" ] && groupmod --gid "$RUBYWASM_GID" me
+exec gosu me "$@"

builders/wasm32-unknown-wasi/Dockerfile

@@ -10,7 +10,7 @@ ENV WASI_SDK_PATH="/opt/wasi-sdk"
 
 RUN set -eux; \
   apt-get update; \
-  apt-get install ruby bison make autoconf git curl build-essential libyaml-dev zlib1g-dev -y; \
+  apt-get install ruby bison make autoconf git curl build-essential libyaml-dev zlib1g-dev gosu -y; \
   curl -fsSL https://deb.nodesource.com/setup_16.x | bash -; \
   apt-get install nodejs -y; \
   apt-get clean; \
@@ -47,8 +47,10 @@ RUN set -eux pipefail; \
   unzip wasi-preset-args-x86_64-unknown-linux-gnu.zip; \
   mv wasi-preset-args /usr/local/bin/wasi-preset-args
 
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 # Build with non-root user because `@npmcli/promise-spawn` sets `uid` and `gid` to cwd owner when the current user is root.
 # This permission demotion results in EACCES error at reading `$HOME/.node_modules` in `resolve` package, which is used by `@rollup/plugin-node-resolve`.
 # * https://github.com/npm/cli/blob/32336f6efe06bd52de1dc67c0f812d4705533ef2/node_modules/%40npmcli/promise-spawn/lib/index.js#L13
-RUN groupadd -r me && useradd -g me me && mkdir -p /home/me && chown me:me /home/me
-USER me
+RUN adduser --disabled-password --gecos '' me

builders/wasm32-unknown-wasi/entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+[ ! -z "${RUBYWASM_UID+x}" ] && usermod --uid "$RUBYWASM_UID" --non-unique me
+[ ! -z "${RUBYWASM_GID+x}" ] && groupmod --gid "$RUBYWASM_GID" me
+exec gosu me "$@"