From d794e2fe4ce5d489340838ccdca8e503c2cecbc4 Mon Sep 17 00:00:00 2001
From: "Ryan (hackercat)" <me@hackerc.at>
Date: Mon, 24 May 2021 17:09:03 +0000
Subject: [PATCH] Move actions path outside of workdir (#701)

* feat: add option to specify user for exec

* fix: move actions to static path outside workdir

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
---
 pkg/container/docker_run.go    | 14 +++++++-------
 pkg/runner/run_context.go      | 14 ++++++++------
 pkg/runner/run_context_test.go |  2 +-
 pkg/runner/step_context.go     |  6 +++---
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/pkg/container/docker_run.go b/pkg/container/docker_run.go
index 827b66f..2670469 100644
--- a/pkg/container/docker_run.go
+++ b/pkg/container/docker_run.go
@@ -68,7 +68,7 @@ type Container interface {
 	CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor
 	Pull(forcePull bool) common.Executor
 	Start(attach bool) common.Executor
-	Exec(command []string, env map[string]string) common.Executor
+	Exec(command []string, env map[string]string, user string) common.Executor
 	UpdateFromEnv(srcPath string, env *map[string]string) common.Executor
 	UpdateFromPath(env *map[string]string) common.Executor
 	Remove() common.Executor
@@ -145,9 +145,7 @@ func (cr *containerReference) Copy(destPath string, files ...*FileEntry) common.
 func (cr *containerReference) CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor {
 	return common.NewPipelineExecutor(
 		common.NewInfoExecutor("%sdocker cp src=%s dst=%s", logPrefix, srcPath, destPath),
-		cr.connect(),
-		cr.find(),
-		cr.exec([]string{"mkdir", "-p", destPath}, nil),
+		cr.Exec([]string{"mkdir", "-p", destPath}, nil, ""),
 		cr.copyDir(destPath, srcPath, useGitIgnore),
 	).IfNot(common.Dryrun)
 }
@@ -160,11 +158,12 @@ func (cr *containerReference) UpdateFromPath(env *map[string]string) common.Exec
 	return cr.extractPath(env).IfNot(common.Dryrun)
 }
 
-func (cr *containerReference) Exec(command []string, env map[string]string) common.Executor {
+func (cr *containerReference) Exec(command []string, env map[string]string, user string) common.Executor {
 	return common.NewPipelineExecutor(
+		common.NewInfoExecutor("%sdocker exec cmd=[%s] user=%s", logPrefix, strings.Join(command, " "), user),
 		cr.connect(),
 		cr.find(),
-		cr.exec(command, env),
+		cr.exec(command, env, user),
 	).IfNot(common.Dryrun)
 }
 
@@ -407,7 +406,7 @@ func (cr *containerReference) extractPath(env *map[string]string) common.Executo
 	}
 }
 
-func (cr *containerReference) exec(cmd []string, env map[string]string) common.Executor {
+func (cr *containerReference) exec(cmd []string, env map[string]string, user string) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		// Fix slashes when running on Windows
@@ -427,6 +426,7 @@ func (cr *containerReference) exec(cmd []string, env map[string]string) common.E
 		}
 
 		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
+			User:         user,
 			Cmd:          cmd,
 			WorkingDir:   cr.input.WorkingDir,
 			Env:          envList,
diff --git a/pkg/runner/run_context.go b/pkg/runner/run_context.go
index fb0d441..26500c8 100755
--- a/pkg/runner/run_context.go
+++ b/pkg/runner/run_context.go
@@ -19,6 +19,8 @@ import (
 	"github.com/nektos/act/pkg/model"
 )
 
+const ActPath string = "/var/run/act"
+
 // RunContext contains info about current job
 type RunContext struct {
 	Name           string
@@ -77,7 +79,6 @@ func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 
 	mounts := map[string]string{
 		"act-toolcache": "/toolcache",
-		"act-actions":   "/actions",
 	}
 
 	if rc.Config.BindWorkdir {
@@ -150,8 +151,9 @@ func (rc *RunContext) startJobContainer() common.Executor {
 			rc.JobContainer.Create(),
 			rc.JobContainer.Start(false),
 			rc.JobContainer.UpdateFromEnv("/etc/environment", &rc.Env),
+			rc.JobContainer.Exec([]string{"mkdir", "-m", "0777", "-p", ActPath}, rc.Env, "root"),
 			rc.JobContainer.CopyDir(copyToPath, rc.Config.Workdir+string(filepath.Separator)+".", rc.Config.UseGitIgnore).IfBool(copyWorkspace),
-			rc.JobContainer.Copy("/tmp/", &container.FileEntry{
+			rc.JobContainer.Copy(ActPath+"/", &container.FileEntry{
 				Name: "workflow/event.json",
 				Mode: 0644,
 				Body: rc.EventJSON,
@@ -169,7 +171,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
 }
 func (rc *RunContext) execJobContainer(cmd []string, env map[string]string) common.Executor {
 	return func(ctx context.Context) error {
-		return rc.JobContainer.Exec(cmd, env)(ctx)
+		return rc.JobContainer.Exec(cmd, env, "")(ctx)
 	}
 }
 
@@ -488,7 +490,7 @@ type githubContext struct {
 func (rc *RunContext) getGithubContext() *githubContext {
 	ghc := &githubContext{
 		Event:            make(map[string]interface{}),
-		EventPath:        "/tmp/workflow/event.json",
+		EventPath:        ActPath + "/workflow/event.json",
 		Workflow:         rc.Run.Workflow.Name,
 		RunID:            rc.Config.Env["GITHUB_RUN_ID"],
 		RunNumber:        rc.Config.Env["GITHUB_RUN_NUMBER"],
@@ -660,8 +662,8 @@ func withDefaultBranch(b string, event map[string]interface{}) map[string]interf
 func (rc *RunContext) withGithubEnv(env map[string]string) map[string]string {
 	github := rc.getGithubContext()
 	env["CI"] = "true"
-	env["GITHUB_ENV"] = "/tmp/workflow/envs.txt"
-	env["GITHUB_PATH"] = "/tmp/workflow/paths.txt"
+	env["GITHUB_ENV"] = ActPath + "/workflow/envs.txt"
+	env["GITHUB_PATH"] = ActPath + "/workflow/paths.txt"
 	env["GITHUB_WORKFLOW"] = github.Workflow
 	env["GITHUB_RUN_ID"] = github.RunID
 	env["GITHUB_RUN_NUMBER"] = github.RunNumber
diff --git a/pkg/runner/run_context_test.go b/pkg/runner/run_context_test.go
index bd0b79e..7cf4e48 100644
--- a/pkg/runner/run_context_test.go
+++ b/pkg/runner/run_context_test.go
@@ -316,6 +316,6 @@ func TestGetGitHubContext(t *testing.T) {
 	assert.Equal(t, ghc.Repository, "nektos/act")
 	assert.Equal(t, ghc.RepositoryOwner, "nektos")
 	assert.Equal(t, ghc.RunnerPerflog, "/dev/null")
-	assert.Equal(t, ghc.EventPath, "/tmp/workflow/event.json")
+	assert.Equal(t, ghc.EventPath, ActPath+"/workflow/event.json")
 	assert.Equal(t, ghc.Token, rc.Config.Secrets["GITHUB_TOKEN"])
 }
diff --git a/pkg/runner/step_context.go b/pkg/runner/step_context.go
index 8241c1d..eeb822b 100644
--- a/pkg/runner/step_context.go
+++ b/pkg/runner/step_context.go
@@ -383,13 +383,13 @@ func (sc *StepContext) getContainerActionPaths(step *model.Step, actionDir strin
 	containerActionDir := "."
 	if !rc.Config.BindWorkdir && step.Type() != model.StepTypeUsesActionRemote {
 		actionName = getOsSafeRelativePath(actionDir, rc.Config.Workdir)
-		containerActionDir = rc.Config.ContainerWorkdir() + "/_actions/" + actionName
+		containerActionDir = ActPath + "/actions/" + actionName
 	} else if step.Type() == model.StepTypeUsesActionRemote {
 		actionName = getOsSafeRelativePath(actionDir, rc.ActionCacheDir())
-		containerActionDir = rc.Config.ContainerWorkdir() + "/_actions/" + actionName
+		containerActionDir = ActPath + "/actions/" + actionName
 	} else if step.Type() == model.StepTypeUsesActionLocal {
 		actionName = getOsSafeRelativePath(actionDir, rc.Config.Workdir)
-		containerActionDir = rc.Config.ContainerWorkdir() + "/_actions/" + actionName
+		containerActionDir = ActPath + "/actions/" + actionName
 	}
 
 	if actionName == "" {