Add 'woodpecker-agent-sudo/' from commit '022837448e8e6877c3717160612ca8642db4e0ca'

git-subtree-dir: woodpecker-agent-sudo
git-subtree-mainline: 996cb8e076
git-subtree-split: 022837448e

woodpecker-agent-sudo/.SRCINFO

@@ -0,0 +1,33 @@
+pkgbase = woodpecker-agent-sudo
+	pkgdesc = A simple CI engine with great extensibility (agent), patched to use sudo to run local pipelines
+	pkgver = 1.0.2
+	pkgrel = 2
+	url = https://woodpecker-ci.org
+	arch = x86_64
+	license = Apache
+	makedepends = git
+	makedepends = go
+	depends = glibc
+	depends = sudo
+	optdepends = docker: Docker backend
+	optdepends = podman: Podman backend
+	conflicts = woodpecker-agent
+	replaces = woodpecker-agent
+	options = !lto
+	backup = etc/woodpecker/agent.env
+	source = woodpecker::git+https://github.com/woodpecker-ci/woodpecker#commit=d9e06696bf85f260a0550d58301ac396874b32e3
+	source = agent-systemd.service
+	source = agent-sysusers.conf
+	source = agent-tmpfiles.conf
+	source = agent.env
+	source = sudo.patch
+	source = sudoers
+	b2sums = SKIP
+	b2sums = 6f5833c1d4db8f287f5a9877687fb0d8d66c91e80e9bbb0a78910f315e6dd4cba01131dfca20bcceaeb828833187ee6161b33272050967e3e1cea4cb2665cf57
+	b2sums = 373a5889c899445c4b583a48e6d0ff67d4572e30e0dfd0842b389e9338712771ec053ee3771202fe2874ee8bbfb7cb5965a04cf10d4071100c4f7c89cf2a14f3
+	b2sums = b6479a7f3b3cf1ecaf0fc4e0653de10176af29b780ff716bf038077d70b0440e45a649ccd5ad9a12d5f52c9eecf9b5d8b5a01510a53eec7b664162c8bb9153ab
+	b2sums = 9d64fa22d5fcfb8634926220aeb89b0fa914d8e04ee39fe14abf3f170292ab2dc875fe3fe14b054ca8173c167cec4d93518d15d5f08698bd70d86dec7728dee8
+	b2sums = 3f7cb5620859d171b0fc9c177c09388a830bdc2343f8182bb794c18544070a78f6fd692c699c5c9fda262bf4919bb53a696ea7396c4e9c7e987788f052e9f19f
+	b2sums = 85b75986c0df0853126eb20ce80861337654646bb3df02666b6c77962090df12be35eac11dab724d96c4c4b1e6c373ce0a8d6b99843232be0311273bddb1141a
+
+pkgname = woodpecker-agent-sudo

woodpecker-agent-sudo/PKGBUILD

@@ -0,0 +1,95 @@
+# Maintainer: Anthony Wang <a at exozy dot me>
+# Contributor: George Rawlinson <grawlinson@archlinux.org>
+# Contributor: Ersei <samb at disroot dot org>
+
+_pkgname='woodpecker-agent'
+pkgname=$_pkgname-sudo
+pkgver=1.0.2
+pkgrel=2
+pkgdesc='A simple CI engine with great extensibility (agent), patched to use sudo to run local pipelines'
+arch=('x86_64')
+url='https://woodpecker-ci.org'
+license=('Apache')
+depends=('glibc' 'sudo')
+optdepends=(
+  'docker: Docker backend'
+  'podman: Podman backend'
+)
+makedepends=('git' 'go')
+options=('!lto')
+_commit='d9e06696bf85f260a0550d58301ac396874b32e3'
+replaces=($_pkgname)
+conflicts=($_pkgname)
+backup=('etc/woodpecker/agent.env')
+source=(
+  "woodpecker::git+https://github.com/woodpecker-ci/woodpecker#commit=$_commit"
+  'agent-systemd.service'
+  'agent-sysusers.conf'
+  'agent-tmpfiles.conf'
+  'agent.env'
+  'sudo.patch'
+  'sudoers'
+)
+b2sums=('SKIP'
+        '6f5833c1d4db8f287f5a9877687fb0d8d66c91e80e9bbb0a78910f315e6dd4cba01131dfca20bcceaeb828833187ee6161b33272050967e3e1cea4cb2665cf57'
+        '373a5889c899445c4b583a48e6d0ff67d4572e30e0dfd0842b389e9338712771ec053ee3771202fe2874ee8bbfb7cb5965a04cf10d4071100c4f7c89cf2a14f3'
+        'b6479a7f3b3cf1ecaf0fc4e0653de10176af29b780ff716bf038077d70b0440e45a649ccd5ad9a12d5f52c9eecf9b5d8b5a01510a53eec7b664162c8bb9153ab'
+        '9d64fa22d5fcfb8634926220aeb89b0fa914d8e04ee39fe14abf3f170292ab2dc875fe3fe14b054ca8173c167cec4d93518d15d5f08698bd70d86dec7728dee8'
+        '3f7cb5620859d171b0fc9c177c09388a830bdc2343f8182bb794c18544070a78f6fd692c699c5c9fda262bf4919bb53a696ea7396c4e9c7e987788f052e9f19f'
+        '85b75986c0df0853126eb20ce80861337654646bb3df02666b6c77962090df12be35eac11dab724d96c4c4b1e6c373ce0a8d6b99843232be0311273bddb1141a')
+
+pkgver() {
+  cd woodpecker
+
+  git describe --tags | sed 's/^v//'
+}
+
+prepare() {
+  cd woodpecker
+
+  patch -p1 < ../sudo.patch
+
+  # create directory for build output
+  mkdir -p build
+
+  # download dependencies
+  export GOPATH="${srcdir}"
+  go mod download
+}
+
+build() {
+  cd woodpecker
+
+  # set Go flags
+  export CGO_CPPFLAGS="${CPPFLAGS}"
+  export CGO_CFLAGS="${CFLAGS}"
+  export CGO_CXXFLAGS="${CXXFLAGS}"
+  export GOPATH="${srcdir}"
+
+  # build agent
+  go build -v \
+    -buildmode=pie \
+    -mod=readonly \
+    -modcacherw \
+    -ldflags "-compressdwarf=false \
+    -linkmode external \
+    -extldflags ${LDFLAGS}" \
+    -o build \
+    ./cmd/agent
+
+    go clean -modcache
+}
+
+package() {
+  # systemd integration
+  install -vDm644 agent-systemd.service "$pkgdir/usr/lib/systemd/system/$_pkgname.service"
+  install -vDm644 agent-sysusers.conf "$pkgdir/usr/lib/sysusers.d/$_pkgname.conf"
+  install -vDm644 agent-tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/$_pkgname.conf"
+  install -vDm644 agent.env -t "$pkgdir/etc/woodpecker"
+  install -vDm644 sudoers "$pkgdir/etc/sudoers.d/99_woodpecker"
+
+  cd woodpecker
+
+  # binary
+  install -vDm755 build/agent "$pkgdir/usr/bin/$_pkgname"
+}

woodpecker-agent-sudo/agent-systemd.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Woodpecker agent
+Documentation=https://woodpecker-ci.org/docs/intro
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=woodpecker-agent
+Group=woodpecker-agent
+EnvironmentFile=/etc/woodpecker/agent.env
+ExecStart=/usr/bin/woodpecker-agent
+RestartSec=5
+Restart=on-failure
+SyslogIdentifier=woodpecker-agent
+WorkingDirectory=/var/lib/woodpecker-agent
+ReadWritePaths=/var/lib/woodpecker-agent
+
+[Install]
+WantedBy=multi-user.target

woodpecker-agent-sudo/agent-sysusers.conf

@@ -0,0 +1 @@
+u woodpecker-agent - "Woodpecker agent daemon user" /var/lib/woodpecker-agent

woodpecker-agent-sudo/agent-tmpfiles.conf

@@ -0,0 +1 @@
+d /var/lib/woodpecker-agent 0750 woodpecker-agent woodpecker-agent

woodpecker-agent-sudo/agent.env

@@ -0,0 +1,59 @@
+# Configures gRPC address of the server.
+# Default: localhost:9000
+#WOODPECKER_SERVER=
+
+# The gRPC username.
+# Default: x-oauth-basic
+#WOODPECKER_USERNAME=
+
+# A shared secret used by server and agents to authenticate communication. A secret can be generated by openssl rand -hex 32.
+# Default: empty
+#WOODPECKER_AGENT_SECRET=
+
+# Configures the logging level. Possible values are trace, debug, info, warn, error, fatal, panic, disabled and empty.
+# Default: empty
+#WOODPECKER_LOG_LEVEL=
+
+# Enable pretty-printed debug output.
+# Default: false
+#WOODPECKER_DEBUG_PRETTY=
+
+# Disable colored debug output.
+# Default: true
+#WOODPECKER_DEBUG_NOCOLOR=
+
+# Configures the agent hostname.
+# Default: empty
+#WOODPECKER_HOSTNAME=
+
+# Configures the number of parallel builds.
+# Default: 1
+#WOODPECKER_MAX_PROCS=
+
+# Enable healthcheck endpoint.
+# Default: true
+#WOODPECKER_HEALTHCHECK=
+
+# After a duration of this time of no activity, the agent pings the server to check if the transport is still alive.
+# Default: empty
+#WOODPECKER_KEEPALIVE_TIME=
+
+# After pinging for a keepalive check, the agent waits for a duration of this time before closing the connection if no activity.
+# Default: 20s
+#WOODPECKER_KEEPALIVE_TIMEOUT=
+
+# Configures if the connection to WOODPECKER_SERVER should be made using a secure transport.
+# Default: false
+#WOODPECKER_GRPC_SECURE=
+
+# Configures if the gRPC server certificate should be verified, only valid when WOODPECKER_GRPC_SECURE is true.
+# Default: true
+#WOODPECKER_GRPC_VERIFY=
+
+# Configures the backend engine to run pipelines on. Possible values are auto-detect or docker.
+# Default: auto-detect
+#WOODPECKER_BACKEND=
+
+# Path to Docker or Podman socket. Can be an SSH address.
+# Default: unix:///var/run/docker.sock
+#DOCKER_HOST=

woodpecker-agent-sudo/sudo.patch

@@ -0,0 +1,70 @@
+diff --git a/pipeline/backend/local/local.go b/pipeline/backend/local/local.go
+index 2405c19bb..50321b8e7 100644
+--- a/pipeline/backend/local/local.go
++++ b/pipeline/backend/local/local.go
+@@ -44,7 +44,7 @@ var notAllowedEnvVarOverwrites = []string{
+ 
+ type workflowState struct {
+ 	stepCMDs     map[string]*exec.Cmd
+-	baseDir      string
++	user         string
+ 	homeDir      string
+ 	workspaceDir string
+ }
+@@ -79,23 +79,17 @@ func (e *local) Load(context.Context) error {
+ func (e *local) SetupWorkflow(_ context.Context, conf *types.Config, taskUUID string) error {
+ 	log.Trace().Str("taskUUID", taskUUID).Msg("create workflow environment")
+ 
+-	baseDir, err := os.MkdirTemp("", "woodpecker-local-*")
+-	if err != nil {
+-		return err
+-	}
++	user := conf.Stages[0].Steps[0].Environment["CI_COMMIT_AUTHOR"]
+ 
+ 	state := &workflowState{
+ 		stepCMDs:     make(map[string]*exec.Cmd),
+-		baseDir:      baseDir,
+-		workspaceDir: filepath.Join(baseDir, "workspace"),
+-		homeDir:      filepath.Join(baseDir, "home"),
+-	}
+-
+-	if err := os.Mkdir(state.homeDir, 0o700); err != nil {
+-		return err
++		user:         user,
++		workspaceDir: filepath.Join("/tmp", user, conf.Stages[0].Steps[0].Environment["CI_REPO_NAME"]),
++		homeDir:      filepath.Join("/home", user),
+ 	}
+ 
+-	if err := os.Mkdir(state.workspaceDir, 0o700); err != nil {
++	err := exec.Command("sudo", "-u", state.user, "mkdir", "-p", state.workspaceDir).Run()
++	if err != nil {
+ 		return err
+ 	}
+ 
+@@ -132,7 +126,8 @@ func (e *local) StartStep(ctx context.Context, step *types.Step, taskUUID string
+ 	// Set HOME
+ 	env = append(env, "HOME="+state.homeDir)
+ 
+-	var command []string
++	// Run command as commit author user
++	command := []string{"sudo", "-E", "-u", state.user}
+ 	if step.Image == constant.DefaultCloneImage {
+ 		// Default clone step
+ 		// TODO: use tmp HOME and insert netrc and delete it after clone
+@@ -209,16 +204,6 @@ func (e *local) TailStep(_ context.Context, step *types.Step, taskUUID string) (
+ func (e *local) DestroyWorkflow(_ context.Context, conf *types.Config, taskUUID string) error {
+ 	log.Trace().Str("taskUUID", taskUUID).Msgf("delete workflow environment")
+ 
+-	state, err := e.getWorkflowStateFromConfig(conf)
+-	if err != nil {
+-		return err
+-	}
+-
+-	err = os.RemoveAll(state.baseDir)
+-	if err != nil {
+-		return err
+-	}
+-
+ 	workflowID, err := e.getWorkflowIDFromConfig(conf)
+ 	if err != nil {
+ 		return err